From 7d57442327ac3fd321dded7888fd32e4e47c4419 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 18 Aug 2023 09:51:27 +0800 Subject: [PATCH 1/9] upgrade istio dependencies to 1.18.1 Signed-off-by: huabing zhao --- .../workflows/e2e-metaprotocol-gateway.yaml | 2 +- .github/workflows/e2e-metaprotocol.yaml | 2 +- .github/workflows/e2e-redis.yaml | 2 +- Makefile | 1 - demo/metaprotocol-brpc/brpc-sample.yaml | 6 +- .../dubbo-sample.yaml | 8 +- demo/metaprotocol-dubbo/dubbo-sample.yaml | 8 +- .../outlier-detection/outlier-detection.yaml | 2 +- demo/metaprotocol-thrift/thrift-sample.yaml | 6 +- docker/Dockerfile | 4 + go.mod | 207 ++-- go.sum | 1046 ++++++----------- internal/bootstrap/server.go | 5 +- internal/ca/istio_ca.go | 4 +- internal/controller/istio/controller.go | 42 +- internal/controller/kube/dubbo.go | 2 +- internal/controller/kube/metaprotocol.go | 2 +- internal/controller/kube/metarouter.go | 2 +- internal/controller/kube/namesapce.go | 2 +- internal/controller/kube/redis.go | 4 +- internal/controller/kube/serviceentry.go | 2 +- internal/envoyfilter/controller.go | 27 +- internal/envoyfilter/network_filter.go | 8 +- internal/plugin/metaprotocol/generator.go | 4 +- .../plugin/metaprotocol/metaprotocolproxy.go | 4 +- internal/plugin/metaprotocol/route.go | 2 +- internal/plugin/redis/generator.go | 4 +- internal/plugin/redis/outbound.go | 2 +- .../webhook/validation/scheme/collections.go | 70 +- internal/webhook/validation/server/server.go | 4 +- internal/xds/cache_mgr.go | 35 +- .../testdata/metaprotocol-sample.yaml | 8 +- .../testdata/ingress-gateway.yaml | 2 +- test/e2e/scripts/istio.sh | 2 +- test/e2e/scripts/uninstall-istio.sh | 2 +- 35 files changed, 593 insertions(+), 940 deletions(-) diff --git a/.github/workflows/e2e-metaprotocol-gateway.yaml b/.github/workflows/e2e-metaprotocol-gateway.yaml index 807c84aae..c7d4c910c 100644 --- a/.github/workflows/e2e-metaprotocol-gateway.yaml +++ b/.github/workflows/e2e-metaprotocol-gateway.yaml 
@@ -18,7 +18,7 @@ on: - "**/*.md" env: - ISTIO_VERSION: 1.18.2 + ISTIO_VERSION: 1.18.1 ISTIO_NAMESPACE: istio-system SCRIPTS_DIR: test/e2e/scripts COMMON_DIR: test/e2e/common diff --git a/.github/workflows/e2e-metaprotocol.yaml b/.github/workflows/e2e-metaprotocol.yaml index 46da86d39..792d61706 100644 --- a/.github/workflows/e2e-metaprotocol.yaml +++ b/.github/workflows/e2e-metaprotocol.yaml @@ -18,7 +18,7 @@ on: - "**/*.md" env: - ISTIO_VERSION: 1.18.2 + ISTIO_VERSION: 1.18.1 ISTIO_NAMESPACE: istio-system SCRIPTS_DIR: test/e2e/scripts COMMON_DIR: test/e2e/common diff --git a/.github/workflows/e2e-redis.yaml b/.github/workflows/e2e-redis.yaml index 4fefe12d8..04941397d 100644 --- a/.github/workflows/e2e-redis.yaml +++ b/.github/workflows/e2e-redis.yaml @@ -18,7 +18,7 @@ on: - "**/*.md" env: - ISTIO_VERSION: 1.18.2 + ISTIO_VERSION: 1.18.1 ISTIO_NAMESPACE: istio-system SCRIPTS_DIR: test/e2e/scripts COMMON_DIR: test/e2e/common diff --git a/Makefile b/Makefile index 5bd803c15..04ae4e3a9 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,6 @@ demo-brpc: uninstall-demo-brpc: bash demo/uninstall-demo.sh brpc test: style-check - $(GOMOD) tidy $(GOTEST) -race `go list ./internal/... | grep -v e2e` build: test CGO_ENABLED=0 GOOS=$(IMAGE_OS) GOARCH=$(IMAGE_ARCH) $(GOBUILD) -o $(OUT)/$(IMAGE_ARCH)/$(IMAGE_OS)/$(IMAGE_NAME) $(MAIN_PATH) diff --git a/demo/metaprotocol-brpc/brpc-sample.yaml b/demo/metaprotocol-brpc/brpc-sample.yaml index e6b5ec9fb..ceb1386e7 100644 --- a/demo/metaprotocol-brpc/brpc-sample.yaml +++ b/demo/metaprotocol-brpc/brpc-sample.yaml @@ -28,7 +28,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: brpc-echo-server version: v1 
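Review bot: `ISTIO_VERSION` moves down from 1.18.2 to 1.18.1 in this hunk, and the same edit is made in e2e-metaprotocol.yaml and e2e-redis.yaml, so all three e2e suites will install an older Istio patch release than they did before. If the aim is to keep the test mesh aligned with the Istio 1.18.1 modules pinned in go.mod, say so next to the value, for example `# keep in sync with the istio.io/istio replace in go.mod`. Otherwise keep the newer patch release, since patch releases are usually where security fixes land. The `env:` block continues past the end of the hunk.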
@@ -57,7 +57,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: brpc-echo-server version: v2 @@ -86,7 +86,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: brpc-echo-client spec: diff --git a/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml b/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml index 8f53122d1..05eb43751 100644 --- a/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml +++ b/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml @@ -40,7 +40,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-provider version: v1 @@ -76,7 +76,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-provider version: v2 @@ -112,7 +112,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-second-provider version: v2 
@@ -139,7 +139,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-consumer spec: diff --git a/demo/metaprotocol-dubbo/dubbo-sample.yaml b/demo/metaprotocol-dubbo/dubbo-sample.yaml index 5151a0d0f..db69e208c 100644 --- a/demo/metaprotocol-dubbo/dubbo-sample.yaml +++ b/demo/metaprotocol-dubbo/dubbo-sample.yaml @@ -40,7 +40,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-provider version: v1 @@ -76,7 +76,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-provider version: v2 @@ -112,7 +112,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-second-provider version: v2 @@ -139,7 +139,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-consumer spec: 
diff --git a/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml b/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml index 3de84c124..dde92cb21 100644 --- a/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml +++ b/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml @@ -29,7 +29,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-server diff --git a/demo/metaprotocol-thrift/thrift-sample.yaml b/demo/metaprotocol-thrift/thrift-sample.yaml index 3656bfaf5..b27d542f4 100644 --- a/demo/metaprotocol-thrift/thrift-sample.yaml +++ b/demo/metaprotocol-thrift/thrift-sample.yaml @@ -28,7 +28,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-server @@ -55,7 +55,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-server @@ -82,7 +82,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-client 
diff --git a/docker/Dockerfile b/docker/Dockerfile index c19906a53..addf47314 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -14,6 +14,10 @@ FROM alpine:3.17 +LABEL org.opencontainers.image.source="https://github.com/aeraki-mesh/aeraki" +LABEL org.opencontainers.image.authors="zhaohuabing@gmail.com" +LABEL org.opencontainers.image.documentation="https://aeraki.net" + ARG AERAKI_ROOT_BIN_DIR ARG ARCH ARG OS diff --git a/go.mod b/go.mod index 36bf6ea3d..c5068744d 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/aeraki-mesh/aeraki -go 1.19 +go 1.20 // https://github.com/containerd/containerd/issues/5781 exclude k8s.io/kubernetes v1.13.0 
@@ -8,42 +8,28 @@ exclude k8s.io/kubernetes v1.13.0 // Client-go does not handle different versions of mergo due to some breaking changes - use the matching version replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5 -// Istio 1.16.5 modules -replace github.com/envoyproxy/go-control-plane => github.com/envoyproxy/go-control-plane v0.10.3-0.20220908185826-2b9739221838 - -replace istio.io/api => istio.io/api v0.0.0-20230518153929-d0aebaa77ab8 - -replace istio.io/client-go => istio.io/client-go v1.16.5 - -replace istio.io/istio => istio.io/istio v0.0.0-20230519000352-ae8d5164776c - -replace istio.io/pkg => istio.io/pkg v0.0.0-20221107183613-574f8d141535 - -replace k8s.io/api => k8s.io/api v0.25.2 - -replace k8s.io/apimachinery => k8s.io/apimachinery v0.25.2 - -replace k8s.io/client-go => k8s.io/client-go v0.25.2 - -replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.2 - -replace k8s.io/kubectl => k8s.io/kubectl v0.25.2 - -replace sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.12.1 - -replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea - -replace github.com/prometheus/common => github.com/prometheus/common v0.37.0 - -replace sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.9 +replace ( + github.com/prometheus/common => github.com/prometheus/common v0.42.0 + istio.io/api => istio.io/api v0.0.0-20230713061407-06047cce866f + istio.io/client-go => istio.io/client-go v1.18.1-0.20230713061908-17d95fabac25 + istio.io/istio => istio.io/istio v0.0.0-20230713183549-b39cf4080772 + istio.io/pkg => istio.io/pkg v0.0.0-20230524020242-1015535057be + k8s.io/api => k8s.io/api v0.27.0 + k8s.io/apimachinery => k8s.io/apimachinery v0.28.0 + k8s.io/client-go => k8s.io/client-go v0.27.0 + k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c + sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.15.1 + sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v0.6.2 + 
sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.13.2 +) require ( - github.com/aeraki-mesh/api v1.3.0 - github.com/aeraki-mesh/client-go v1.3.0 - github.com/aeraki-mesh/meta-protocol-control-plane-api v0.0.0-20230205134842-bc2993738de0 + github.com/aeraki-mesh/api v1.4.1 + github.com/aeraki-mesh/client-go v1.4.1 + github.com/aeraki-mesh/meta-protocol-control-plane-api v1.4.1 github.com/apache/thrift v0.18.1 - github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b - github.com/envoyproxy/go-control-plane v0.10.3 + github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 + github.com/envoyproxy/go-control-plane v0.11.2-0.20230811160418-a0dbac19f027 github.com/gogo/protobuf v1.3.2 github.com/golang/protobuf v1.5.3 github.com/google/go-cmp v0.5.9 
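Review bot: The new `replace` block pins `k8s.io/apimachinery` to v0.28.0 while `k8s.io/api` and `k8s.io/client-go` are pinned to v0.27.0; the Kubernetes modules are released in lockstep, and mixing minors is a common cause of build breaks and subtle runtime incompatibility. The block also overrides versions that the `require` hunks that follow still state (`k8s.io/client-go v0.28.0-beta.0`, `istio.io/api v1.19.0-alpha.1.0.…`, `github.com/prometheus/common v0.44.0`), so a reader or tool that looks only at `require` lines will audit versions that are not the ones built. Consider one minor for all three, e.g. `k8s.io/apimachinery => k8s.io/apimachinery v0.27.0` if that builds against the pinned Istio commit. The old block carried a `// Istio 1.16.5 modules` comment; an equivalent `// Istio 1.18.1 modules` line above the new block would say why these pins exist.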
@@ -52,99 +38,97 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/pkg/errors v0.9.1 github.com/zhaohuabing/debounce v1.0.0 - go.uber.org/atomic v1.10.0 - golang.org/x/net v0.12.0 + go.uber.org/atomic v1.11.0 + golang.org/x/net v0.13.0 golang.org/x/sync v0.3.0 - google.golang.org/grpc v1.54.0 - google.golang.org/protobuf v1.30.0 - istio.io/api v1.19.0-alpha.1 - istio.io/client-go v1.18.1 + google.golang.org/grpc v1.57.0 + google.golang.org/protobuf v1.31.0 + istio.io/api v1.19.0-alpha.1.0.20230810203008-3cdd517bf131 + istio.io/client-go v1.19.0-alpha.1.0.20230810203904-45e85278e0fc istio.io/gogo-genproto v0.0.0-20230705213215-8f59b5a7ddde - istio.io/istio v0.0.0-00010101000000-000000000000 - istio.io/pkg v0.0.0-20221107183613-574f8d141535 - k8s.io/api v0.28.0-beta.0 - k8s.io/apimachinery v0.28.0-beta.0 + istio.io/istio v0.0.0-20230817160302-031c6b290e0b + istio.io/pkg v0.0.0-20230524020242-1015535057be + k8s.io/api v0.28.0 + k8s.io/apimachinery v0.28.0 k8s.io/client-go v0.28.0-beta.0 - sigs.k8s.io/controller-runtime v0.13.0 + sigs.k8s.io/controller-runtime v0.15.1 ) require ( - cloud.google.com/go v0.110.0 // indirect - cloud.google.com/go/compute v1.19.0 // indirect + cloud.google.com/go v0.110.4 // indirect + cloud.google.com/go/compute v1.20.1 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/logging v1.7.0 // indirect - cloud.google.com/go/longrunning v0.4.1 // indirect + cloud.google.com/go/longrunning v0.5.1 // indirect contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.28 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing 
v0.6.0 // indirect - github.com/BurntSushi/toml v1.1.0 // indirect + github.com/BurntSushi/toml v1.2.1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Masterminds/semver/v3 v3.1.1 // indirect - github.com/Masterminds/sprig/v3 v3.2.2 // indirect + github.com/Masterminds/semver/v3 v3.2.1 // indirect + github.com/Masterminds/sprig/v3 v3.2.3 // indirect github.com/alecholmes/xfccparser v0.1.0 // indirect github.com/alecthomas/participle v0.4.1 // indirect - github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect + github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect - github.com/coreos/go-oidc/v3 v3.4.0 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect + github.com/coreos/go-oidc/v3 v3.6.0 // indirect github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect - github.com/docker/cli v20.10.18+incompatible // indirect + github.com/docker/cli v24.0.4+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect - github.com/docker/docker v20.10.17+incompatible // indirect - github.com/docker/docker-credential-helpers v0.6.4 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect - github.com/envoyproxy/protoc-gen-validate v0.9.1 // indirect + github.com/docker/docker v24.0.2+incompatible // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.1 // indirect + github.com/envoyproxy/protoc-gen-validate v1.0.1 // indirect github.com/evanphx/json-patch 
v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/camelcase v1.0.0 // indirect + github.com/frankban/quicktest v1.14.5 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/fvbommel/sortorder v1.1.0 // indirect + github.com/fvbommel/sortorder v1.0.2 // indirect github.com/go-errors/errors v1.4.2 // indirect + github.com/go-jose/go-jose/v3 v3.0.0 // indirect github.com/go-kit/log v0.2.1 // indirect - github.com/go-logfmt/logfmt v0.5.1 // indirect + github.com/go-logfmt/logfmt v0.6.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/goccy/go-json v0.10.2 // indirect - github.com/golang-jwt/jwt/v4 v4.4.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/btree v1.0.1 // indirect - github.com/google/cel-go v0.12.6 // indirect - github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-containerregistry v0.11.0 // indirect + github.com/google/btree v1.1.2 // indirect + github.com/google/cel-go v0.16.0 // indirect + github.com/google/gnostic v0.6.9 // indirect + github.com/google/go-containerregistry v0.15.2 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect + github.com/google/s2a-go v0.1.4 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect - github.com/googleapis/gax-go/v2 v2.7.1 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect + github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/gorilla/mux v1.8.0 // indirect - 
github.com/grafana/regexp v0.0.0-20220304095617-2e8d9baf4ac2 // indirect + github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect + github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-version v1.6.0 // indirect - github.com/hashicorp/golang-lru v0.5.4 // indirect - github.com/huandu/xstrings v1.3.2 // indirect - github.com/imdario/mergo v0.3.12 // indirect + github.com/hashicorp/golang-lru/v2 v2.0.4 // indirect + github.com/huandu/xstrings v1.4.0 // indirect + github.com/imdario/mergo v0.3.13 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/jonboulle/clockwork v0.2.2 // indirect + github.com/jonboulle/clockwork v0.3.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/compress v1.16.5 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect github.com/lestrrat-go/blackmagic v1.0.1 // indirect @@ -155,7 +139,7 @@ require ( github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect - github.com/miekg/dns v1.1.50 // indirect + github.com/miekg/dns v1.1.55 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-wordwrap v1.0.1 // indirect 
@@ -166,71 +150,74 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/natefinch/lumberjack v2.0.0+incompatible // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect - github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd // indirect + github.com/opencontainers/image-spec v1.1.0-rc3 // indirect + github.com/openshift/api v0.0.0-20230720094506-afcbe27aec7c // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.16.0 // indirect github.com/prometheus/client_model v0.4.0 // indirect github.com/prometheus/common v0.44.0 // indirect github.com/prometheus/procfs v0.10.1 // indirect - github.com/prometheus/prom2json v1.3.1 // indirect - github.com/prometheus/prometheus v0.36.2 // indirect - github.com/prometheus/statsd_exporter v0.22.7 // indirect - github.com/russross/blackfriday v1.6.0 // indirect + github.com/prometheus/prom2json v1.3.2 // indirect + github.com/prometheus/prometheus v0.45.0 // indirect + github.com/prometheus/statsd_exporter v0.23.0 // indirect + github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect - github.com/shopspring/decimal v1.2.0 // indirect + github.com/shopspring/decimal v1.3.1 // indirect github.com/sirupsen/logrus v1.9.0 // indirect github.com/spaolacci/murmur3 v1.1.0 // indirect - github.com/spf13/cast v1.5.0 // indirect + github.com/spf13/cast v1.5.1 // indirect github.com/spf13/cobra v1.7.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect + github.com/stretchr/testify v1.8.4 // indirect + 
github.com/vbatts/tar-split v0.11.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect - github.com/xlab/treeprint v1.2.0 // indirect + github.com/xlab/treeprint v1.1.0 // indirect github.com/yl2chen/cidranger v1.0.2 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/proto/otlp v0.19.0 // indirect - go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect + go.opentelemetry.io/proto/otlp v1.0.0 // indirect + go.starlark.net v0.0.0-20211013185944-b0039bd2cfe3 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.24.0 // indirect golang.org/x/crypto v0.11.0 // indirect - golang.org/x/exp v0.0.0-20220921164117-439092de6870 // indirect - golang.org/x/mod v0.12.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 // indirect + golang.org/x/mod v0.11.0 // indirect + golang.org/x/oauth2 v0.10.0 // indirect golang.org/x/sys v0.10.0 // indirect golang.org/x/term v0.10.0 // indirect golang.org/x/text v0.11.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.11.0 // indirect + golang.org/x/tools v0.9.3 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect gomodules.xyz/jsonpatch/v3 v3.0.1 // indirect gomodules.xyz/orderedmap v0.1.0 // indirect - google.golang.org/api v0.114.0 // indirect + google.golang.org/api v0.132.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect + google.golang.org/genproto v0.0.0-20230720185612-659f7aaaa771 // indirect + google.golang.org/genproto/googleapis/api 
v0.0.0-20230720185612-659f7aaaa771 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - helm.sh/helm/v3 v3.10.3 // indirect - k8s.io/apiextensions-apiserver v0.27.2 // indirect - k8s.io/apiserver v0.27.2 // indirect - k8s.io/cli-runtime v0.28.0-beta.0 // indirect + helm.sh/helm/v3 v3.11.2 // indirect + k8s.io/apiextensions-apiserver v0.28.0-beta.0 // indirect + k8s.io/apiserver v0.28.0-beta.0 // indirect + k8s.io/cli-runtime v0.27.0 // indirect k8s.io/component-base v0.28.0-beta.0 // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect - k8s.io/kubectl v0.25.2 // indirect - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect - sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203 // indirect + k8s.io/kubectl v0.27.0 // indirect + k8s.io/utils v0.0.0-20230711102312-30195339c3c7 // indirect + sigs.k8s.io/gateway-api v0.6.2 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect - sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect + sigs.k8s.io/kustomize/api v0.13.2 // indirect + sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect sigs.k8s.io/mcs-api v0.1.0 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index db962b9a7..d6d0607fd 100644 --- a/go.sum +++ b/go.sum 
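Review bot: Several indirect requirements in this hunk move backwards although the commit is titled as an upgrade: `golang.org/x/tools` v0.11.0 to v0.9.3, `golang.org/x/mod` v0.12.0 to v0.11.0, `go.starlark.net` from a 2023-05 to a 2021-10 pseudo-version, `github.com/xlab/treeprint` v1.2.0 to v1.1.0 and `k8s.io/cli-runtime` v0.28.0-beta.0 to v0.27.0. This is presumably what the Istio 1.18.1 module graph selects, but the Makefile hunk in the same patch removes `$(GOMOD) tidy` from the `test` target, so nothing visible here re-checks that go.mod and go.sum are consistent. Consider a CI step that runs `go mod tidy` and fails on a diff, together with `go mod verify` and `govulncheck ./...` for dependency changes of this size. The `require (` block opens before this hunk.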
@@ -1,5 +1,3 @@ -4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo= -bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -13,7 +11,6 @@ cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= 
@@ -28,114 +25,74 @@ cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aD cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= -cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= -cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= -cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= -cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= -cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= +cloud.google.com/go v0.110.4 h1:1JYyxKMN9hd5dR2MYTPWkGUgcoxVVhg0LKNKEo0qvmk= +cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= -cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= -cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= -cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= -cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= -cloud.google.com/go/compute v1.7.0/go.mod 
h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= -cloud.google.com/go/compute v1.19.0 h1:+9zda3WGgW1ZSTlVppLCYFIr48Pa35q1uG2N1itbCEQ= -cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU= +cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/firestore v1.6.0/go.mod h1:afJwI0vaXwAG54kI7A//lP/lSPDkQORQuMkv56TxEPU= -cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= -cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k= +cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5I= cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M= -cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM= -cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= +cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI= +cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod 
h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= -cloud.google.com/go/security v1.13.0 h1:PYvDxopRQBfYAXKAuDpFCKBvDOWPWzp9k/H5nB3ud3o= -cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= +cloud.google.com/go/security v1.15.1 h1:jR3itwycg/TgGA0uIgTItcVhA55hKWiNJxaNNpQJaZE= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg= contrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ= -contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20220903154154-e8044f6e4c72 h1:1sCHCT0xRr7UArrI1WJxsl9S8QeYdf0fmuGIl2xb7YI= -github.com/Antonboom/errname v0.1.5/go.mod h1:DugbBstvPFQbv/5uLcRRzfrNqKE9tVdVCqWCLp6Cifo= -github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic= 
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= -github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.21 h1:jjQnVFXPfekaqb8vIsv2G1lxshoW+oGv4MDlhRtnYZk= -github.com/Azure/go-autorest/autorest/adal v0.9.21/go.mod h1:zua7mBUaCc5YnSLKYgGJR/w5ePdMDA6H56upLsHzA9U= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= 
-github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I= -github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= -github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= -github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= -github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= -github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= -github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= -github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= -github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= 
-github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8= -github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= +github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= +github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= +github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= -github.com/aeraki-mesh/api v1.3.0 h1:U+gk+UhaUgV7gR2V2l0fm2jQ/mKNlCCCx2rhEJgg+bw= -github.com/aeraki-mesh/api v1.3.0/go.mod h1:iLlWjOzNnXvKGIDOQ1jFrjjdrJ57xkW972qcyevzE9A= -github.com/aeraki-mesh/client-go v1.3.0 h1:yGqRhG34qxW2+rsD29BT37T/gJd6sk6nqhsKxce7hoo= -github.com/aeraki-mesh/client-go v1.3.0/go.mod h1:VQrMWhOgLhpsNpFT8sqsIPtYMNjkAV4xe6RE5/gQL2g= -github.com/aeraki-mesh/meta-protocol-control-plane-api v0.0.0-20230205134842-bc2993738de0 h1:aguh+vDGVlu057w7mBrr+OrDK/5dTMpMddXWhWnp1qY= -github.com/aeraki-mesh/meta-protocol-control-plane-api 
v0.0.0-20230205134842-bc2993738de0/go.mod h1:kBlB/k9X2I3yO6mZyS1tcdUfJy3cz4u+z97kmpo8qD4= +github.com/aeraki-mesh/api v1.4.1 h1:WHBlQC0usbs+q0ykHPNJk5KlbuSj+EfziLEo0BtYlE4= +github.com/aeraki-mesh/api v1.4.1/go.mod h1:I6spp8OeaySa96ecXPfBmvNlQYdJ+uiIsWp2staFYMU= +github.com/aeraki-mesh/client-go v1.4.1 h1:f1vp9ityWC+88ajQfcQwPUwrFZE+owSOiQjC6yAzj/8= +github.com/aeraki-mesh/client-go v1.4.1/go.mod h1:xNoYAfk5LgGVdyrIZjzJdDiaJIM5E401QP3386Pu1RM= +github.com/aeraki-mesh/meta-protocol-control-plane-api v1.4.1 h1:0RPmrzh73Q1oLRw1KVnE0C9IP1ExuMjzAk5GC+zwwfo= +github.com/aeraki-mesh/meta-protocol-control-plane-api v1.4.1/go.mod h1:2/5+HEmKKPZ+4K3ox4eYfeUV9RmZad12M+0dBt8edIs= github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= github.com/alecholmes/xfccparser v0.1.0 h1:/PBnzDBxfHJ66AinLNglzZH4oWLrc1/QTKlSoNNnei8= github.com/alecholmes/xfccparser v0.1.0/go.mod h1:c1S35dudNR5aZ4Vf9zKCrEwC8iqwF4TcDAbU+RXQ5yY= github.com/alecthomas/go-thrift v0.0.0-20170109061633-7914173639b2/go.mod h1:CxCgO+NdpMdi9SsTlGbc0W+/UNxO3I0AabOEJZ3w61w= +github.com/alecthomas/kingpin/v2 v2.3.1/go.mod h1:oYL5vtsvEHZGHxU7DMp32Dvx+qL+ptGn6lWaot2vCNE= github.com/alecthomas/kong v0.2.1/go.mod h1:+inYUSluD+p4L8KdviBSgzcqEjUQOfC5fQDRFuc36lI= github.com/alecthomas/participle v0.4.1 h1:P2PJWzwrSpuCWXKnzqvw0b0phSfH1kJo4p2HvLynVsI= github.com/alecthomas/participle v0.4.1/go.mod h1:T8u4bQOSMwrkTWOSyt8/jSFPEnRtd0FKFMjVfYBlqPs= 
@@ -146,53 +103,45 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE= github.com/alessio/shellescape v1.2.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= -github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= -github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= -github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= -github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves= +github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= -github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/apache/thrift v0.18.1 h1:lNhK/1nqjbwbiOPDBPFJVKxgDEGSepKuTh6OLiXW8kg= github.com/apache/thrift v0.18.1/go.mod h1:rdQn/dCcDKEWjjylUeueum4vQEjG2v8v2PqriUnbr+I= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod 
h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= -github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI= -github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU= -github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= -github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs= github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= -github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec= -github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= -github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso= -github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= +github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= +github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/census-instrumentation/opencensus-proto 
v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= +github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= @@ -200,8 +149,6 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= -github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= -github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 
@@ -211,78 +158,87 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b h1:ACGZRIr7HsgBKHsueQ1yM4WaVaXh21ynwqsF8M8tXhA= -github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= -github.com/containerd/stargz-snapshotter/estargz v0.12.0 h1:idtwRTLjk2erqiYhPWy2L844By8NRFYEwYHcXhoIWPM= +github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= +github.com/cockroachdb/errors v1.2.4/go.mod 
h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= +github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= +github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= +github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-oidc/v3 v3.4.0 h1:xz7elHb/LDwm/ERpwHd+5nb7wFHL32rsr6bBOgaeu6g= -github.com/coreos/go-oidc/v3 v3.4.0/go.mod h1:eHUXhZtXPQLgEaDrOVTgwbgmz1xGOkJNye6h3zkD2Pw= +github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o= +github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg 
v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= -github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc= -github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= -github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo= 
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= -github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/docker/cli v20.10.18+incompatible h1:f/GQLsVpo10VvToRay2IraVA1wHz9KktZyjev3SIVDU= -github.com/docker/cli v20.10.18+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw= +github.com/docker/cli v24.0.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE= -github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o= -github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= +github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg= +github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod 
h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.10.3-0.20220908185826-2b9739221838 h1:qrlLuIuw/m4K7PWg1NqMQ0J2Fb1QZf1UiuqgHz6Je8Y= -github.com/envoyproxy/go-control-plane v0.10.3-0.20220908185826-2b9739221838/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= -github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= +github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= +github.com/envoyproxy/go-control-plane v0.11.2-0.20230811160418-a0dbac19f027 h1:ZL2Sdt1xCalG7ORiHNzCgbKpvqCJ3yLfVgQOT9g2F6g= +github.com/envoyproxy/go-control-plane v0.11.2-0.20230811160418-a0dbac19f027/go.mod h1:zV+ml0OfGpQxGvM1qlmhvZzE9ShvBO7CPWzGb3q5cog= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= -github.com/envoyproxy/protoc-gen-validate v0.9.1 h1:PS7VIOgmSVhWUEeZwTe7z7zouA22Cr590PzXKbZHOVY= -github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= -github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE= -github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= +github.com/envoyproxy/protoc-gen-validate v1.0.1 h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9Qwa1EK9LcD4jVUQ= +github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs= +github.com/evanphx/json-patch v0.5.2/go.mod 
h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 
@@ -296,49 +252,49 @@ github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZM github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= -github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= -github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= -github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= +github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA= +github.com/frankban/quicktest v1.14.5/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= -github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw= -github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0= -github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E= 
-github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= +github.com/fvbommel/sortorder v1.0.2 h1:mV4o8B2hKboCdkJm+a7uX/SIpZob4JzUpc5GGnM45eo= +github.com/fvbommel/sortorder v1.0.2/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0= +github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= -github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= +github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= +github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= 
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4= +github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk= -github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= -github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= -github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod 
h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= @@ -351,14 +307,13 @@ github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= 
@@ -381,46 +336,26 @@ github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/ github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= -github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= -github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= -github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= -github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= -github.com/go-toolsmith/astequal v1.0.1/go.mod h1:4oGA3EZXTVItV/ipGiOx7NWkY5veFfcsOJVS2YxltLw= -github.com/go-toolsmith/astfmt v1.0.0/go.mod 
h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= -github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU= -github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= -github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc= -github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8= -github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= -github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= -github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 
h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= @@ -441,7 +376,6 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= -github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -462,26 +396,19 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4= -github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= -github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613/go.mod h1:SyvUF2NxV+sN8upjjeVYr5W7tyxaT1JVtvhKhOn2ii8= -github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= -github.com/golangci/golangci-lint v1.43.0/go.mod h1:VIFlUqidx5ggxDfQagdvd9E67UjMXtTHBkBQ7sHoC5Q= -github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg= -github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca/go.mod h1:tvlJhZqDe4LMs4ZHD0oMUlt9G2LWuDGoisJTBzLMV9o= -github.com/golangci/misspell v0.3.5/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA= -github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2/go.mod h1:LK+zW4MpyytAWQRz0M4xnzEk50lSvqDQKfx304apFkY= -github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= -github.com/google/cel-go v0.12.6 h1:kjeKudqV0OygrAqA9fX6J55S8gj+Jre2tckIm5RoG4M= +github.com/google/btree v1.1.2 
h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= +github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= -github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= -github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= -github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= +github.com/google/cel-go v0.16.0 h1:DG9YQ8nFCFXAs/FDDwBxmL1tpKNrdlGUM9U3537bX/Y= +github.com/google/cel-go v0.16.0/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= +github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= +github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -494,12 +421,11 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.11.0 h1:Xt8x1adcREjFcmDoDK8OdOsjxu90PHkGuwNP8GiHMLM= -github.com/google/go-containerregistry v0.11.0/go.mod h1:BBaYtsHPHA42uEgAvd/NejvAfPSlz281sJWqupjSxfk= +github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE= +github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q= github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 
@@ -518,7 +444,6 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 
@@ -528,183 +453,127 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 h1:hR7/MlvK23p6+lIw9SN1TigNLn9ZnF3W4SYRKq2gAHs= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= -github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= -github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= -github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod 
h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM= +github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= -github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= -github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= -github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= -github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= -github.com/googleapis/gax-go/v2 v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A= -github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= -github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= -github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= -github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod 
h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw= -github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= -github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= -github.com/gostaticanalysis/analysisutil v0.0.3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= -github.com/gostaticanalysis/analysisutil v0.1.0/go.mod h1:dMhHRU9KTiDcuLGdy87/2gTR8WruwYZrKdRq9m1O6uw= -github.com/gostaticanalysis/analysisutil v0.4.1/go.mod h1:18U/DLpRgIUd459wGxVHE0fRgmo1UgHDcbw7F5idXu0= -github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc= -github.com/gostaticanalysis/comment v1.3.0/go.mod h1:xMicKDx7XRXYdVwY9f9wQpDJVnqWxw9wCauCMKp+IBI= -github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado= -github.com/gostaticanalysis/comment v1.4.2/go.mod h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM= -github.com/gostaticanalysis/forcetypeassert v0.0.0-20200621232751-01d4955beaa5/go.mod h1:qZEedyP/sY1lTGV1uJ3VhWZ2mqag3IkWsDHVbplHXak= -github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A= -github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod 
h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= -github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU= -github.com/grafana/regexp v0.0.0-20220304095617-2e8d9baf4ac2 h1:uirlL/j72L93RhV4+mkWhjv0cov2I0MIgPOG9rMDr1k= -github.com/grafana/regexp v0.0.0-20220304095617-2e8d9baf4ac2/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= +github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd h1:PpuIBO5P3e9hpqBD0O/HjhShYuM6XE0i/lbE6J94kww= +github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= -github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= +github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod 
h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= -github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= 
-github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru/v2 v2.0.4 h1:7GHuZcgid37q8o5i3QI9KMT4nCWQQ3Kx3Ov6bb9MfK0= +github.com/hashicorp/golang-lru/v2 v2.0.4/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/serf v0.8.2/go.mod 
h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= -github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= -github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= -github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= +github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= +github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jgautheron/goconst v1.5.1/go.mod 
h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= -github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= -github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= -github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= -github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg= +github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/josharian/txtarfs v0.0.0-20210218200122-0702f000015a/go.mod h1:izVPOvVRsHiKkeGCT6tYBNWyDVuzj9wAaBb5R9qamfw= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/juju/ratelimit v1.0.1/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/julz/importas v0.0.0-20210419104244-841f0c0fe66d/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0= -github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.15.8 h1:JahtItbkWjf2jzm/T+qgMxkP9EMHsqEUA6vCMGmXvhA= +github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= +github.com/klauspost/compress v1.16.5/go.mod 
h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kulti/thelper v0.4.0/go.mod h1:vMu2Cizjy/grP+jmsvOFDx1kYP6+PD1lqg4Yu5exl2U= -github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfRPOV/oFhWN85Mjb4= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= -github.com/ldez/gomoddirectives v0.2.2/go.mod 
h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= -github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A= github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= 
@@ -718,75 +587,38 @@ github.com/lestrrat-go/jwx v1.2.26/go.mod h1:MaiCdGbn3/cckbOFSCluJlJMmp9dmZm5hDu github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= -github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= -github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= -github.com/lucas-clemente/quic-go v0.29.0 h1:Vw0mGTfmWqGzh4jx/kMymsIkFK6rErFVmg+t9RLrnZE= -github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= -github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU= -github.com/marten-seemann/qpack v0.2.1 h1:jvTsT/HpCn2UZJdP+UUB53FfUUgeOyG5K1ns0OJOGVs= -github.com/marten-seemann/qtls-go1-18 v0.1.2 h1:JH6jmzbduz0ITVQ7ShevK10Av5+jBEKAHMntXmIV7kM= -github.com/marten-seemann/qtls-go1-19 v0.1.0 h1:rLFKD/9mp/uq1SYGYuVZhm83wkmU95pK5df3GufyYYU= -github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= -github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= -github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= 
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= -github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= -github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= -github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= -github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= -github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc= -github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg= -github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= -github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= 
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= -github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME= -github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= -github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo= +github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= 
@@ -795,10 +627,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= 
@@ -812,213 +642,182 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= -github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k= -github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8= -github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo= -github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= 
-github.com/natefinch/lumberjack v2.0.0+incompatible h1:4QJd3OLAMgj7ph+yZTuX13Ld4UpgHp07nNdFX7mqFfM= -github.com/natefinch/lumberjack v2.0.0+incompatible/go.mod h1:Wi9p2TTF5DG5oU+6YfsmYQpsTIOm0B1VNzQg9Mw6nPk= -github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nishanths/exhaustive v0.2.3/go.mod h1:bhIX678Nx8inLM9PbpvK1yv6oGtoP8BfaIeMzgBNKvc= -github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ= -github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB9sbB1usJ+xjQE= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= -github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.4 
h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= -github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= -github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk= +github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8AyFNU9d0= +github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= +github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw= +github.com/onsi/ginkgo/v2 v2.7.0/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= +github.com/onsi/ginkgo/v2 v2.8.1/go.mod h1:N1/NbDngAFcSLdyZ+/aYTYGSlq9qMCS/cNKGJjy+csc= +github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxmrTcxyk= +github.com/onsi/ginkgo/v2 v2.9.1/go.mod h1:FEcmzVcCHl+4o9bQZVab+4dC9+j+91t2FHSzmGAPfuo= +github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts= +github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= +github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= +github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod 
h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo= -github.com/onsi/gomega v1.20.2 h1:8uQq0zMgLEfa0vRrrBgaJF2gyW9Da9BmfGV+OyUzfkY= +github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc= +github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM= +github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= +github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= +github.com/onsi/gomega v1.26.0/go.mod h1:r+zV744Re+DiYCIPRlYOTxn0YkOLcAnW8k1xXdMPGhM= +github.com/onsi/gomega v1.27.1/go.mod h1:aHX5xOykVYzWOV4WqQy0sy8BQptgukenXpCXfadcIAw= +github.com/onsi/gomega v1.27.3/go.mod h1:5vG284IBtfDAmDyrK+eGyZmUgUlmi+Wngqo557cZ6Gw= +github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3q3fQ= +github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= +github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= +github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg= -github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q= -github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd h1:MV2FH/cm1wqoVCIL98GT46CMnXZw9faUoIzdZ4nfZw0= -github.com/openshift/api v0.0.0-20200713203337-b2494ecb17dd/go.mod h1:vWmWTm4y7XR3wkLR+bDDjRbvkBfx2yP7yve6kfb7+Ts= -github.com/openshift/build-machinery-go v0.0.0-20200713135615-1f43d26dccc7/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= +github.com/opencontainers/image-spec 
v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8= +github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/openshift/api v0.0.0-20230720094506-afcbe27aec7c h1:8eqzYRuueEQ0Ie17Fm35dssh/YcSjaBaBCvcaalyLSo= +github.com/openshift/api v0.0.0-20230720094506-afcbe27aec7c/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= -github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= -github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= -github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= -github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= -github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= +github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod 
h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/polyfloyd/go-errorlint v0.0.0-20210722154253-910bb7978349/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= 
github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= +github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= -github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= -github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= +github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.11/go.mod 
h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= -github.com/prometheus/prom2json v1.3.1 h1:OogL5hsrJpLPz3jZ4LPz4sJRTtADzViCNRQoqrzUQvk= -github.com/prometheus/prom2json v1.3.1/go.mod h1:A8Oy9aiQx4wrJY9ya1i4nHOySGmkVp5EO0aU1iSJR+g= -github.com/prometheus/prometheus v0.36.2 h1:ZMqiEKdamv/YgI/7V5WtQGWbwEerCsXJ26CZgeXDUXM= -github.com/prometheus/prometheus v0.36.2/go.mod h1:GBcYMr17Nr2/iDIrWmiy9wC5GKl0NOQ5R9XynB1HAG8= -github.com/prometheus/statsd_exporter v0.22.7 h1:7Pji/i2GuhK6Lu7DHrtTkFmNBCudCPT1pX2CziuyQR0= +github.com/prometheus/prom2json v1.3.2 h1:heRKAGHWqm8N3IaRDDNBBJNVS6a9mLdsTlFhvOaNGb0= +github.com/prometheus/prom2json v1.3.2/go.mod h1:TQ9o1OxW0eyhl4BBpVpGGsavyJfTDETna4/d0Kib+V0= +github.com/prometheus/prometheus v0.45.0 h1:O/uG+Nw4kNxx/jDPxmjsSDd+9Ohql6E7ZSY1x5x/0KI= +github.com/prometheus/prometheus v0.45.0/go.mod h1:jC5hyO8ItJBnDWGecbEucMyXjzxGv9cxsxsjS9u5s1w= github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI= +github.com/prometheus/statsd_exporter v0.23.0 h1:GEkriUCmARYh1gSA0gzpvmTg/oHMc5MfDFNlS/che4E= +github.com/prometheus/statsd_exporter v0.23.0/go.mod h1:1itCY9XMa2p5pjO5HseGjs5cnaIA5qxLCYmn3OUna58= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod 
h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= -github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= -github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= -github.com/quasilyte/go-ruleguard v0.3.1-0.20210203134552-1b5a410e1cc8/go.mod h1:KsAh3x0e7Fkpgs+Q9pNLS5XpFSvYCEVl5gP9Pp1xp30= -github.com/quasilyte/go-ruleguard v0.3.13/go.mod h1:Ul8wwdqR6kBVOCt2dipDBkE+T6vAV/iixkrKuRTN1oQ= -github.com/quasilyte/go-ruleguard/dsl v0.3.0/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= -github.com/quasilyte/go-ruleguard/dsl v0.3.10/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= -github.com/quasilyte/go-ruleguard/rules v0.0.0-20201231183845-9e62ed36efe1/go.mod h1:7JTjp89EGyU1d6XfBiXihJNG37wB2VRkd125Q1u7Plc= -github.com/quasilyte/go-ruleguard/rules v0.0.0-20210428214800-545e0d2e0bf7/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50= -github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= +github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= +github.com/quic-go/qtls-go1-19 v0.2.1 h1:aJcKNMkH5ASEJB9FXNeZCyTEIHU1J7MmHyz1Q1TSG1A= +github.com/quic-go/qtls-go1-20 v0.1.1 h1:KbChDlg82d3IHqaj2bn6GfKRj84Per2VGf5XV3wSwQk= +github.com/quic-go/quic-go v0.33.0 h1:ItNoTDN/Fm/zBlq769lLJc8ECe9gYaW40veHCCco7y0= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= -github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= 
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww= -github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryancurrah/gomodguard v1.2.3/go.mod h1:rYbA/4Tg5c54mV1sv4sQTP5WOPBcoLtnBZ7/TEhXAbg= -github.com/ryanrolds/sqlclosecheck v0.3.0/go.mod h1:1gREqxyTGR3lVtpngyFo3hZAgk0KCtEdgEkHwDbigdA= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= -github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= 
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= -github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew= -github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= -github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= +github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= +github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/sivchari/tenv v1.4.7/go.mod h1:5nF+bITvkebQVanjU6IuMbvIot/7ReNsUV7I5NbprB0= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/sonatard/noctx v0.0.1/go.mod 
h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= -github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= -github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= -github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= +github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= +github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= +github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/cobra v1.7.0 
h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= -github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= -github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= -github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx 
v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -1028,39 +827,23 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= -github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= -github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= -github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= -github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= -github.com/tetafro/godot v1.4.11/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk= -github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs= -github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcyE6boqnA8= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tomarrell/wrapcheck/v2 v2.4.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY= -github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= -github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= +github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= -github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/uudashr/gocognit v1.0.5/go.mod h1:wgYz0mitoKOTysqxTDMOUXg+Jb5SvtihkfmugIZYpEA= -github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.30.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus= -github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/VPSJnLYn+LmLk8= -github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= -github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME= +github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= +github.com/vbatts/tar-split v0.11.3 
h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= +github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= -github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -1068,39 +851,36 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xhit/go-str2duration v1.2.0/go.mod h1:3cPSlfZlUHVlneIVfePFWcJZsuwf+P1v2SRTV4cUmp4= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= -github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= -github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= +github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= +github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -github.com/yeya24/promlinter v0.1.0/go.mod h1:rs5vtZzeBHqqMwXqFScncpCF6u06lezhZepno9AB1Oc= github.com/yl2chen/cidranger v1.0.2 h1:lbOWZVCG1tCRX4u24kuM1Tb4nHqWkDxwLdoS+SevawU= github.com/yl2chen/cidranger v1.0.2/go.mod h1:9U1yz7WPYDwf0vpNWFaeRh0bjwz5RVgRy/9UEQfHl0g= -github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= -github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= -github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zhaohuabing/debounce v1.0.0 h1:8uDnPkomwDAcH/vmNxIuLeT6486k5TZt+Nl6p2uhBp8= github.com/zhaohuabing/debounce v1.0.0/go.mod h1:ZGhZxSg/6MUe4CkFd9NEsYuZzW+LXgHXcnytXk8BCgs= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= -go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= +go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA= +go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY= +go.etcd.io/etcd/client/v2 v2.305.7/go.mod h1:GQGT5Z3TBuAQGvgPfhR7VPySu/SudxmEkRq9BgzFU6s= +go.etcd.io/etcd/client/v3 v3.5.7/go.mod h1:sOWmj9DZUMyAngS7QQwCyAXXAL6WhgTOPLNS/NabQgw= +go.etcd.io/etcd/pkg/v3 v3.5.7/go.mod h1:kcOfWt3Ov9zgYdOiJ/o1Y9zFfLhQjylTgL4Lru8opRo= +go.etcd.io/etcd/raft/v3 v3.5.7/go.mod h1:TflkAb/8Uy6JFBxcRaH2Fr6Slm9mCPVdI2efzxY96yU= 
+go.etcd.io/etcd/server/v3 v3.5.7/go.mod h1:gxBgT84issUVBRpZ3XkW1T55NjOb4vZZRI4wVvNhf4A= go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -1110,31 +890,51 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.25.0/go.mod h1:E5NNboN0UqSAki0Atn9kVwaN7I+l25gGxDqBueo/74E= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c= +go.opentelemetry.io/otel v1.0.1/go.mod h1:OPEOD4jIT2SlZPMmwT6FqZz2C0ZNdQqiWcoK6M0SNFU= +go.opentelemetry.io/otel v1.8.0/go.mod h1:2pkj+iMj0o03Y+cW6/m8Y4WkRdYN3AvCXCnzRMp9yvM= +go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.1/go.mod h1:Kv8liBeVNFkkkbilbgWRpV+wWuu+H5xdOT6HAgd30iw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.1/go.mod h1:xOvWoTOrQjxjW61xtOmD/WKGRYb/P4NzRo3bs65U6Rk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0= +go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= +go.opentelemetry.io/otel/sdk v1.0.1/go.mod h1:HrdXne+BiwsOHYYkBE5ysIcv2bvdZstxzmCQhxTcZkI= 
+go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE= +go.opentelemetry.io/otel/trace v1.0.1/go.mod h1:5g4i4fKLaX2BQpSBsxw8YYcgKpMMSW3x7ZTuYBr3sUk= +go.opentelemetry.io/otel/trace v1.8.0/go.mod h1:0Bt3PXY8w+3pheS3hQUt+wow8b1ojPaTBoTCh2zIFI4= +go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= -go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.starlark.net v0.0.0-20211013185944-b0039bd2cfe3 h1:oBcONsksxvpeodDrLjiMDaKHXKAVVfAydhe/792CE/o= +go.starlark.net v0.0.0-20211013185944-b0039bd2cfe3/go.mod h1:t3mmBBPzAVvK0L0n1drDmrQsJ8FoIx4INCqVMTr/Zo0= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= -go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= +go.uber.org/goleak 
v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= -go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -1143,19 +943,15 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= +golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= 
+golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= @@ -1169,9 +965,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= -golang.org/x/exp v0.0.0-20220921164117-439092de6870 h1:j8b6j9gzSigH28O5SjSpQSSh9lFd6f5D/q0aHjNTulc= -golang.org/x/exp v0.0.0-20220921164117-439092de6870/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= +golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw= +golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1197,12 +992,15 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU= +golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1225,8 +1023,6 @@ golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -1235,7 +1031,6 @@ golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 
@@ -1247,6 +1042,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
@@ -1254,25 +1050,26 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod 
h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= -golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= +golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1284,24 +1081,19 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 
v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1312,6 +1104,7 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1335,12 +1128,8 @@ golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1349,22 +1138,20 @@ golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1379,52 +1166,48 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220708085239-5a0f0661e09d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term 
v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= @@ -1437,7 +1220,12 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= 
@@ -1445,25 +1233,19 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190307163923-6a08e3108db3/go.mod h1:25r3+/G6/xytQM8iWZKq3Hn0kr0rgFKPUNVEL/dr3z4= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190321232350-e250d351ecad/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 
@@ -1474,15 +1256,9 @@ golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190916130336-e45ffcd953cc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -1490,12 +1266,9 @@ golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200115044656-831fdb1e1868/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117220505-0cba7a3a9ee9/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 
@@ -1505,71 +1278,44 @@ golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200414032229-332987a829c3/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200422022333-3d57cf2e726e/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200622203043-20e05c1c8ffa/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200624225443-88f3c62a19ff/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools 
v0.0.0-20200625211823-6506e20df31f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200812195022-5ae4c3c160a0/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200831203904-5a2aa26beb65/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201001104356-43ebab892c4c/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= -golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= -golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201028025901-8cd080b735b3/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201114224030-61ea331ec02b/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools 
v0.0.0-20201118003311-bd56c0adb394/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201230224404-63754364767c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210104081019-d8d6ddbec6ee/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= -golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= -golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.10/go.mod 
h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8= -golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= +golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.3.0 
h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= gomodules.xyz/jsonpatch/v3 v3.0.1 h1:Te7hKxV52TKCbNYq3t84tzKav3xhThdvSsSp/W89IyI= @@ -1580,7 +1326,6 @@ google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEt google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 
@@ -1598,39 +1343,24 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= -google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= -google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= -google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= -google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= -google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= -google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= -google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= -google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= -google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= -google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= -google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= 
-google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE= -google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= +google.golang.org/api v0.132.0 h1:8t2/+qZ26kAOGSmOiHwVycqVaDg7q3JDILrNi/Z6rvc= +google.golang.org/api v0.132.0/go.mod h1:AeTBC6GpJnJSRJjktDcPX0QwtS8pGYZOV6MSuSCusw0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20181107211654-5fc9ac540362/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 
@@ -1638,7 +1368,6 @@ google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= @@ -1659,8 +1388,6 @@ google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
@@ -1674,7 +1401,6 @@ google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= 
@@ -1690,49 +1416,27 @@ google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEc google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= 
-google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 h1:9NWlQfY2ePejTmfwUH1OWwmznFa+0kKcHGPDvcPza9M= -google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= -google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 h1:m8v1xLLLzMe1m5P+gCTF8nJB9epwZQUBERm20Oy1poQ= -google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod 
h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= -google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20230720185612-659f7aaaa771 h1:2CKO8yUZZPdYiN1S9T7/PWPcFeZbzWrK88x4dT+j/Qg= +google.golang.org/genproto v0.0.0-20230720185612-659f7aaaa771/go.mod h1:iqkVr8IRpZ53gx1dEnWlCUIEwDWqWARWrbzpasaTNYM= +google.golang.org/genproto/googleapis/api v0.0.0-20230720185612-659f7aaaa771 h1:tlEtY2VFw8zKbcpukWhtzP/B/FDS9MQ9oV9nwA8i4K8= +google.golang.org/genproto/googleapis/api v0.0.0-20230720185612-659f7aaaa771/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771 h1:Z8qdAF9GFsmcUuWQ5KVYIpP3PCKydn/YKORnghIalu4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 
google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 
@@ -1749,15 +1453,15 @@ google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag= -google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= +google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= +google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -1774,40 +1478,34 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod 
h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod 
h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= @@ -1821,9 +1519,9 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= -helm.sh/helm/v3 v3.10.3 h1:wL7IUZ7Zyukm5Kz0OUmIFZgKHuAgByCrUcJBtY0kDyw= -helm.sh/helm/v3 v3.10.3/go.mod h1:CXOcs02AYvrlPMWARNYNRgf2rNP7gLJQsi/Ubd4EDrI= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= +helm.sh/helm/v3 v3.11.2 h1:P3cLaFxfoxaGLGJVnoPrhf1j86LC5EDINSpYSpMUkkA= +helm.sh/helm/v3 v3.11.2/go.mod h1:Hw+09mfpDiRRKAgAIZlFkPSeOkvv7Acl5McBvQyNPVw= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1831,81 +1529,77 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY= -istio.io/api v0.0.0-20230518153929-d0aebaa77ab8 h1:i86IfBRpZ5MqqiAOx7DbVkY4fHY36/crm6/12Bm7sKs= -istio.io/api v0.0.0-20230518153929-d0aebaa77ab8/go.mod h1:hQkF0Q19MCmfOTre/Sg4KvrwwETq45oaFplnBm2p4j8= -istio.io/client-go v1.16.5 h1:9fkeexPpzjEVIflY+GIwQrw6rx4bTZvBsY3C+lzYYf0= -istio.io/client-go v1.16.5/go.mod h1:/Q5XkHUdYck8qQTsiHXnAthMuvxukBzeviAUgje335U= +istio.io/api v0.0.0-20230713061407-06047cce866f h1:Z+KCZ5Eo48Ea3ZrbqyCLvoyT30ZUzCTrGXzoy1Qw5kM= +istio.io/api v0.0.0-20230713061407-06047cce866f/go.mod h1:dDMe1TsOtrRoUlBzdxqNolWXpXPQjLfbcXvqPMtQ6eo= +istio.io/client-go v1.18.1-0.20230713061908-17d95fabac25 h1:fV6T5GcNXe688Le36srf35Ikuwvwy7pgmH9OnZjBlfc= +istio.io/client-go v1.18.1-0.20230713061908-17d95fabac25/go.mod h1:ha62DtaYYStYdisMZw9OG5iG92irhr2sWK7C38qCdqI= istio.io/gogo-genproto v0.0.0-20230705213215-8f59b5a7ddde h1:h/EeQmV8x9xZMd7VP+sja+UmUW5sAWnqjDlFkYK1T7A= istio.io/gogo-genproto v0.0.0-20230705213215-8f59b5a7ddde/go.mod h1:CX4lrhfV/KnShn+slx+0MDsSKL+PeUsqniKmiBS7f54= -istio.io/istio v0.0.0-20230519000352-ae8d5164776c h1:Z25ZiElSql9rihCr3T7xivF69ErimeVykur76KV7JSc= -istio.io/istio v0.0.0-20230519000352-ae8d5164776c/go.mod h1:AeO7WGaJrM0iqGzMEf53Hwpim4I3xvL9O6nGT6bat1w= -istio.io/pkg v0.0.0-20221107183613-574f8d141535 h1:kmbIDhOWCyVV3o80NR2O9SiTDoN5sXjE+AtABDQrOxs= -istio.io/pkg v0.0.0-20221107183613-574f8d141535/go.mod h1:Rom8KLVw76XZdvGZet+54VPZswL/XqX8x4MBH6khECw= -k8s.io/api v0.25.2 h1:v6G8RyFcwf0HR5jQGIAYlvtRNrxMJQG1xJzaSeVnIS8= -k8s.io/api v0.25.2/go.mod 
h1:qP1Rn4sCVFwx/xIhe+we2cwBLTXNcheRyYXwajonhy0= +istio.io/istio v0.0.0-20230713183549-b39cf4080772 h1:xFyLrLSXICF4PD0bO7DLv0TBTZjl9oNAYMkJb9ZA0O4= +istio.io/istio v0.0.0-20230713183549-b39cf4080772/go.mod h1:MD6vtUgg32SZtPWnBEJyv7aDhN9KcArqrCZVWn2Docs= +istio.io/pkg v0.0.0-20230524020242-1015535057be h1:H+ww/6ysv++W5na8wIVNfoE01shRez0rXZXzLGoMIvg= +istio.io/pkg v0.0.0-20230524020242-1015535057be/go.mod h1:ZcwaaLCBsaAszynqi6s8Bs6VL3yeTtuXDon9QuzSD5E= +k8s.io/api v0.27.0 h1:2owttiA8Oa+J3idFeq8TSnNpm4y6AOGPI3PDbIpp2cE= +k8s.io/api v0.27.0/go.mod h1:Wl+QRvQlh+T8SK5f4F6YBhhyH6hrFO08nl74xZb1MUE= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= -k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo= k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ= -k8s.io/apimachinery v0.25.2 h1:WbxfAjCx+AeN8Ilp9joWnyJ6xu9OMeS/fsfjK/5zaQs= -k8s.io/apimachinery v0.25.2/go.mod h1:hqqA1X0bsgsxI6dXsJ4HnNTBOmJNxyPp8dw3u2fSHwA= +k8s.io/apiextensions-apiserver v0.28.0-beta.0 h1:MR2+ED9MR6UEmLLoijQR+l/Lh9BLCuK/+QrVH88BhnY= +k8s.io/apiextensions-apiserver v0.28.0-beta.0/go.mod h1:vWwcuxi3IV/hmPTetF8TDY4IZ1m+58ulhRYyE+nvoZw= +k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA= +k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= -k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.27.2 h1:p+tjwrcQEZDrEorCZV2/qE8osGTINPuS5ZNqWAvKm5E= k8s.io/apiserver v0.27.2/go.mod h1:EsOf39d75rMivgvvwjJ3OW/u9n1/BmUMK5otEOJrb1Y= -k8s.io/cli-runtime v0.25.2 h1:XOx+SKRjBpYMLY/J292BHTkmyDffl/qOx3YSuFZkTuc= -k8s.io/cli-runtime v0.25.2/go.mod h1:OQx3+/0st6x5YpkkJQlEWLC73V0wHsOFMC1/roxV8Oc= -k8s.io/client-go v0.25.2 
h1:SUPp9p5CwM0yXGQrwYurw9LWz+YtMwhWd0GqOsSiefo= -k8s.io/client-go v0.25.2/go.mod h1:i7cNU7N+yGQmJkewcRD2+Vuj4iz7b30kI8OcL3horQ4= +k8s.io/apiserver v0.28.0-beta.0 h1:cBEihWU2oxBKwVOGUGLmj2UfaP8u6R8HtibIUb8IMfo= +k8s.io/apiserver v0.28.0-beta.0/go.mod h1:ManA8E9ARrLN6MJhBcKk9tx0NMLlzF9TduC/YrZk02Q= +k8s.io/cli-runtime v0.27.0 h1:kYVGqjmBbaj22nJ7je/3tigjiSlB04kVbjW+51zivu8= +k8s.io/cli-runtime v0.27.0/go.mod h1:kN+Q+5L37DFCdpNuCLTHO7w+dwlJb0xzn8jveB3bPSw= +k8s.io/client-go v0.27.0 h1:DyZS1fJkv73tEy7rWv4VF6NwGeJ7SKvNaLRXZBYLA+4= +k8s.io/client-go v0.27.0/go.mod h1:XVEmpNnM+4JYO3EENoFV/ZDv3KxKVJUnzGo70avk+C4= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= -k8s.io/code-generator v0.18.3/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= -k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= +k8s.io/code-generator v0.27.2/go.mod h1:DPung1sI5vBgn4AGKtlPRQAyagj/ir/4jI55ipZHVww= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= -k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= +k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo= k8s.io/component-base v0.28.0-beta.0 h1:ipTyy//lORGt/s9oPhhmFea6RApO9Eacy6nqotcs/Fc= k8s.io/component-base v0.28.0-beta.0/go.mod h1:sQOKkWDP2luVhnhjjq20OJ4lbnxH5yfHJUQMx/r9fuk= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod 
h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea h1:3QOH5+2fGsY8e1qf+GIFpg+zw/JGNrgyZRQR7/m6uWg= -k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/kubectl v0.25.2 h1:2993lTeVimxKSWx/7z2PiJxUILygRa3tmC4QhFaeioA= -k8s.io/kubectl v0.25.2/go.mod h1:eoBGJtKUj7x38KXelz+dqVtbtbKwCqyKzJWmBHU0prg= +k8s.io/kms v0.27.2/go.mod h1:dahSqjI05J55Fo5qipzvHSRbm20d7llrSeQjjl86A7c= +k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c h1:EFfsozyzZ/pggw5qNx7ftTVZdp7WZl+3ih89GEjYEK8= +k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/kubectl v0.27.0 h1:ZcWS6ufixDXwovWtzF149gd5GzxdpsIl4YqfioSkq5w= +k8s.io/kubectl v0.27.0/go.mod h1:tyFzo+6WfbUEccm8rFIliQ79FAmm9uTFN+1oC5Ytamo= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -mvdan.cc/gofumpt v0.1.1/go.mod 
h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48= -mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= -mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= -mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE= +k8s.io/utils v0.0.0-20230711102312-30195339c3c7 h1:ZgnF1KZsYxWIifwSNZFZgNtWE89WI5yiP5WwlfDoIyc= +k8s.io/utils v0.0.0-20230711102312-30195339c3c7/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= -sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ= -sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISXqCDVVcyO8hLn12AKVYYUjM7ftlqsqmrhMZE0= +sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUTb/+4c= +sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= -sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203 h1:t53lCjyZa7bsj1vZbAboYAH0p0OpqdGpGeM30IZIew8= -sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/gateway-api v0.6.2 
h1:583XHiX2M2bKEA0SAdkoxL1nY73W1+/M+IAm8LJvbEA= +sigs.k8s.io/gateway-api v0.6.2/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= -sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= -sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= -sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= -sigs.k8s.io/kustomize/kyaml v0.13.9/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4= +sigs.k8s.io/kustomize/api v0.13.2 h1:kejWfLeJhUsTGioDoFNJET5LQe/ajzXhJGYoU+pJsiA= +sigs.k8s.io/kustomize/api v0.13.2/go.mod h1:DUp325VVMFVcQSq+ZxyDisA8wtldwHxLZbr1g94UHsw= +sigs.k8s.io/kustomize/kyaml v0.14.1 h1:c8iibius7l24G2wVAGZn/Va2wNys03GXLjYVIcFVxKA= +sigs.k8s.io/kustomize/kyaml v0.14.1/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4= sigs.k8s.io/mcs-api v0.1.0 h1:edDbg0oRGfXw8TmZjKYep06LcJLv/qcYLidejnUp0PM= sigs.k8s.io/mcs-api v0.1.0/go.mod h1:gGiAryeFNB4GBsq2LBmVqSgKoobLxt+p7ii/WG5QYYw= sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= diff --git a/internal/bootstrap/server.go b/internal/bootstrap/server.go index ed1bd624d..188275aee 100644 --- a/internal/bootstrap/server.go +++ b/internal/bootstrap/server.go @@ -22,10 +22,8 @@ import ( "fmt" "net" "net/http" - // nolint _ "net/http/pprof" // pprof - "sync" "sync/atomic" "time" @@ -34,6 +32,7 @@ import ( istioscheme "istio.io/client-go/pkg/apis/networking/v1alpha3" "istio.io/client-go/pkg/clientset/versioned" "istio.io/istio/pilot/pkg/model" + "istio.io/istio/pkg/cluster" istioconfig "istio.io/istio/pkg/config" "istio.io/istio/pkg/config/mesh" kubelib "istio.io/istio/pkg/kube" 
@@ -402,7 +401,7 @@ func (s *Server) initKubeClient() error { if err != nil { return err } - s.kubeClient, err = kubelib.NewClient(kubelib.NewClientConfigForRestConfig(kubeConfig)) + s.kubeClient, err = kubelib.NewClient(kubelib.NewClientConfigForRestConfig(kubeConfig), cluster.ID(s.args.ClusterID)) return err } diff --git a/internal/ca/istio_ca.go b/internal/ca/istio_ca.go index e2e3daae4..00faf2d59 100644 --- a/internal/ca/istio_ca.go +++ b/internal/ca/istio_ca.go @@ -129,8 +129,8 @@ func getIstioCA(client corev1.CoreV1Interface, namespace string) (*util.KeyCertB selfSignedRootCertGracePeriodPercentile.Get(), selfSignedCACertTTL.Get(), selfSignedRootCertCheckInterval.Get(), workloadCertTTL.Get(), maxWorkloadCertTTL.Get(), opts.TrustDomain, true, - opts.Namespace, -1, client, rootCertFile, - enableJitterForRootCertRotator.Get(), caRSAKeySize.Get()) + opts.Namespace, client, rootCertFile, enableJitterForRootCertRotator.Get(), + caRSAKeySize.Get()) } else { log.Warnf( "Use local self-signed CA certificate for testing. Will use in-memory root CA, no K8S access and no ca key file %s", diff --git a/internal/controller/istio/controller.go b/internal/controller/istio/controller.go index 9019747de..cdf9600f5 100644 --- a/internal/controller/istio/controller.go +++ b/internal/controller/istio/controller.go 
@@ -44,11 +44,11 @@ const ( var ( controllerLog = log.RegisterScope("config-controller", "config-controller debugging", 0) // We need serviceentry and virtualservice to generate the envoyfiters - configCollection = collection.NewSchemasBuilder().MustAdd(collections.IstioNetworkingV1Alpha3Serviceentries). - MustAdd(collections.IstioNetworkingV1Alpha3Virtualservices). - MustAdd(collections.IstioNetworkingV1Alpha3Destinationrules). - MustAdd(collections.IstioNetworkingV1Alpha3Envoyfilters). - MustAdd(collections.IstioNetworkingV1Alpha3Gateways).Build() + configCollection = collection.NewSchemasBuilder().MustAdd(collections.ServiceEntry). + MustAdd(collections.VirtualService). + MustAdd(collections.DestinationRule). + MustAdd(collections.EnvoyFilter). + MustAdd(collections.Gateway).Build() ) // Options for config controller @@ -149,7 +149,7 @@ func (c *Controller) configInitialRequests() []*discovery.DiscoveryRequest { requests := make([]*discovery.DiscoveryRequest, len(schemas)) for i, schema := range schemas { requests[i] = &discovery.DiscoveryRequest{ - TypeUrl: schema.Resource().GroupVersionKind().String(), + TypeUrl: schema.GroupVersionResource().String(), } } return requests 
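Review bot: The `TypeUrl` in `configInitialRequests` is now built from `schema.GroupVersionResource().String()`, while the old line used the kind form and every other call site touched by this commit moved to `GroupVersionKind()`. A group/version/resource string names the plural resource rather than the kind, so the initial discovery requests may no longer match the type URLs the config source serves. If the switch was not deliberate, keep the kind form with `TypeUrl: schema.GroupVersionKind().String(),`. If it was, add a comment stating which form the server expects. The function body starts and ends outside the hunk.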
@@ -167,22 +167,22 @@ func (c *Controller) RegisterEventHandler(handler func(*istioconfig.Config, *ist // * DestinationRule: the Load balancing policy in set in the dr, // httpHeaderName is used to convey the metadata key for generating hash switch curr.GroupVersionKind { - case collections.IstioNetworkingV1Alpha3Serviceentries.Resource().GroupVersionKind(): + case collections.ServiceEntry.GroupVersionKind(): controllerLog.Infof("service entry changed: %s %s", event.String(), curr.Name) if c.shouldHandleServiceEntryChange(&prev, &curr) { handler(&prev, &curr, event) } - case collections.IstioNetworkingV1Alpha3Virtualservices.Resource().GroupVersionKind(): + case collections.VirtualService.GroupVersionKind(): controllerLog.Infof("virtual service changed: %s %s", event.String(), curr.Name) if c.shouldHandleVirtualServiceChange(&prev, &curr) { handler(&prev, &curr, event) } - case collections.IstioNetworkingV1Alpha3Destinationrules.Resource().GroupVersionKind(): + case collections.DestinationRule.GroupVersionKind(): controllerLog.Infof("Destination rules changed: %s %s", event.String(), curr.Name) if c.shouldHandleDestinationRuleChange(&prev, &curr) { handler(&prev, &curr, event) } - case collections.IstioNetworkingV1Alpha3Gateways.Resource().GroupVersionKind(): + case collections.Gateway.GroupVersionKind(): controllerLog.Infof("Gateway changed: %s %s", event.String(), curr.Name) if c.shouldHandleGatewayChange(&prev, &curr) { handler(&prev, &curr, event) @@ -192,7 +192,7 @@ func (c *Controller) RegisterEventHandler(handler func(*istioconfig.Config, *ist schemas := configCollection.All() for _, schema := range schemas { - c.configCache.RegisterEventHandler(schema.Resource().GroupVersionKind(), handlerWrapper) + c.configCache.RegisterEventHandler(schema.GroupVersionKind(), handlerWrapper) } } 
@@ -241,16 +241,12 @@ func (c *Controller) shouldHandleVirtualService(vsConfig *istioconfig.Config) bo controllerLog.Errorf("failed in getting a virtual service: %v", vsConfig.Name) return false } - serviceEntries, err := c.Store.List( - collections.IstioNetworkingV1Alpha3Serviceentries.Resource().GroupVersionKind(), "") - if err != nil { - controllerLog.Errorf("failed to list configs: %v", err) - return false - } + serviceEntries := c.Store.List( + collections.ServiceEntry.GroupVersionKind(), "") for i := range serviceEntries { service, ok := serviceEntries[i].Spec.(*networking.ServiceEntry) if !ok { // should never happen - controllerLog.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Name, err) + controllerLog.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Name) return false } if len(vs.Hosts) > 0 { @@ -277,16 +273,12 @@ func (c *Controller) shouldHandleDestinationRule(drConfig *istioconfig.Config) b controllerLog.Errorf("failed in getting a destination rule: %s", drConfig.Name) return false } - serviceEntries, err := c.Store.List( - collections.IstioNetworkingV1Alpha3Serviceentries.Resource().GroupVersionKind(), "") - if err != nil { - controllerLog.Errorf("failed to list configs: %v", err) - return false - } + serviceEntries := c.Store.List( + collections.ServiceEntry.GroupVersionKind(), "") for i := range serviceEntries { service, ok := serviceEntries[i].Spec.(*networking.ServiceEntry) if !ok { // should never happen - controllerLog.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Name, err) + controllerLog.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Name) return false } diff --git a/internal/controller/kube/dubbo.go b/internal/controller/kube/dubbo.go index 8c059aacb..5513cb725 100644 --- a/internal/controller/kube/dubbo.go +++ b/internal/controller/kube/dubbo.go 
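Review bot: In `shouldHandleVirtualService` the call `controllerLog.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Name)` keeps two verbs but, with `err` gone, passes only one argument, so the log line will end in a missing-argument marker and `go vet` will flag it. The same line appears in the `shouldHandleDestinationRule` hunk that follows. Drop the trailing verb in both: `controllerLog.Errorf("failed in getting a service entry: %s", serviceEntries[i].Name)`. Both function bodies extend beyond their hunks.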
@@ -56,7 +56,7 @@ func AddDubboAuthorizationPolicyController(mgr manager.Manager, triggerPush func return err } // Watch for changes to primary resource IstioFilter - err = c.Watch(&source.Kind{Type: &v1alpha1.DubboAuthorizationPolicy{}}, + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.DubboAuthorizationPolicy{}), &handler.EnqueueRequestForObject{}, dubboPredicates) if err != nil { return err diff --git a/internal/controller/kube/metaprotocol.go b/internal/controller/kube/metaprotocol.go index a757ec430..0ffbe8842 100644 --- a/internal/controller/kube/metaprotocol.go +++ b/internal/controller/kube/metaprotocol.go @@ -96,7 +96,7 @@ func AddApplicationProtocolController(mgr manager.Manager, triggerPush func() er return err } // Watch for changes to primary resource IstioFilter - err = c.Watch(&source.Kind{Type: &v1alpha1.ApplicationProtocol{}}, &handler.EnqueueRequestForObject{}, + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.ApplicationProtocol{}), &handler.EnqueueRequestForObject{}, metaProtocolPredicates) if err != nil { return err diff --git a/internal/controller/kube/metarouter.go b/internal/controller/kube/metarouter.go index ac4c44405..2e8c9fa00 100644 --- a/internal/controller/kube/metarouter.go +++ b/internal/controller/kube/metarouter.go @@ -86,7 +86,7 @@ func AddMetaRouterController(mgr manager.Manager, triggerPush func() error) erro return err } // Watch for changes on MetaRouter CRD - err = c.Watch(&source.Kind{Type: &v1alpha1.MetaRouter{}}, &handler.EnqueueRequestForObject{}, + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.MetaRouter{}), &handler.EnqueueRequestForObject{}, metaRouterlPredicates) if err != nil { return err diff --git a/internal/controller/kube/namesapce.go b/internal/controller/kube/namesapce.go index 269ba7084..b4912b1b3 100644 --- a/internal/controller/kube/namesapce.go +++ b/internal/controller/kube/namesapce.go 
@@ -86,7 +86,7 @@ func AddNamespaceController(mgr manager.Manager, aerakiAddr, aerakiPort string) return err } // Watch for changes on Namespace CRD - err = c.Watch(&source.Kind{Type: &v1.Namespace{}}, &handler.EnqueueRequestForObject{}, + err = c.Watch(source.Kind(mgr.GetCache(), &v1.Namespace{}), &handler.EnqueueRequestForObject{}, namespacePredicates) if err != nil { return err diff --git a/internal/controller/kube/redis.go b/internal/controller/kube/redis.go index 1fe947d5a..924f89eaf 100644 --- a/internal/controller/kube/redis.go +++ b/internal/controller/kube/redis.go @@ -55,7 +55,7 @@ func AddRedisServiceController(mgr manager.Manager, triggerPush func() error) er return err } // Watch for changes to primary resource IstioFilter - err = c.Watch(&source.Kind{Type: &v1alpha1.RedisService{}}, &handler.EnqueueRequestForObject{}, redisPredicates) + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.RedisService{}), &handler.EnqueueRequestForObject{}, redisPredicates) if err != nil { return err } @@ -71,7 +71,7 @@ func AddRedisDestinationController(mgr manager.Manager, triggerPush func() error return err } // Watch for changes to primary resource IstioFilter - err = c.Watch(&source.Kind{Type: &v1alpha1.RedisDestination{}}, &handler.EnqueueRequestForObject{}, redisPredicates) + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.RedisDestination{}), &handler.EnqueueRequestForObject{}, redisPredicates) if err != nil { return err } diff --git a/internal/controller/kube/serviceentry.go b/internal/controller/kube/serviceentry.go index 7c11bdc0a..d22936f0f 100644 --- a/internal/controller/kube/serviceentry.go +++ b/internal/controller/kube/serviceentry.go 
@@ -106,7 +106,7 @@ func AddServiceEntryController(mgr manager.Manager) error { return err } // Watch for changes on ServiceEntry CRD - err = c.Watch(&source.Kind{Type: &networking.ServiceEntry{}}, &handler.EnqueueRequestForObject{}, + err = c.Watch(source.Kind(mgr.GetCache(), &networking.ServiceEntry{}), &handler.EnqueueRequestForObject{}, serviceEntryPredicates) if err != nil { return err diff --git a/internal/envoyfilter/controller.go b/internal/envoyfilter/controller.go index 857601105..f581c79b2 100644 --- a/internal/envoyfilter/controller.go +++ b/internal/envoyfilter/controller.go @@ -197,16 +197,12 @@ func (c *Controller) toEnvoyFilterCRD(newEf *model.EnvoyFilterWrapper, func (c *Controller) generateEnvoyFilters() (map[string]*model.EnvoyFilterWrapper, error) { envoyFilters := make(map[string]*model.EnvoyFilterWrapper) - serviceEntries, err := c.configStore.List(collections.IstioNetworkingV1Alpha3Serviceentries.Resource(). - GroupVersionKind(), "") - if err != nil { - return envoyFilters, fmt.Errorf("failed to listconfigs: %v", err) - } + serviceEntries := c.configStore.List(collections.ServiceEntry.GroupVersionKind(), "") for i := range serviceEntries { service, ok := serviceEntries[i].Spec.(*networking.ServiceEntry) if !ok { // should never happen - return envoyFilters, fmt.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Labels, err) + return envoyFilters, fmt.Errorf("failed in getting a service entry: %s", serviceEntries[i].Labels) } if len(service.Hosts) == 0 { 
@@ -248,21 +244,19 @@ func (c *Controller) generateEnvoyFilters() (map[string]*model.EnvoyFilterWrappe } // generate envoyFilters for gateway with tcp-metaprotocol server - err = c.generateGatewayEnvoyFilters(envoyFilters) + err := c.generateGatewayEnvoyFilters(envoyFilters) return envoyFilters, err } func (c *Controller) generateGatewayEnvoyFilters(envoyFilters map[string]*model.EnvoyFilterWrapper) error { var envoyFilterContexts []*model.EnvoyFilterContext - gateways, err := c.configStore.List(collections.IstioNetworkingV1Alpha3Gateways.Resource().GroupVersionKind(), "") - if err != nil { - log.Errorf("failed to listconfigs: %v", err) - } + gateways := c.configStore.List(collections.Gateway.GroupVersionKind(), "") + for i := range gateways { gw, ok := gateways[i].Spec.(*networking.Gateway) if !ok { // should never happen - log.Errorf("failed in getting a gateway: %s: %v", gateways[i].Labels, err) + log.Errorf("failed in getting a gateway: %s", gateways[i].Labels) } if gw.Servers == nil || len(gw.Servers) == 0 { continue @@ -472,16 +466,13 @@ func envoyFilterMapKey(name, ns string) string { } func (c *Controller) findRelatedVirtualService(service *networking.ServiceEntry) (*model.VirtualServiceWrapper, error) { - virtualServices, err := c.configStore.List( - collections.IstioNetworkingV1Alpha3Virtualservices.Resource().GroupVersionKind(), "") - if err != nil { - return nil, fmt.Errorf("failed to list configs: %v", err) - } + virtualServices := c.configStore.List( + collections.VirtualService.GroupVersionKind(), "") for i := range virtualServices { vs, ok := virtualServices[i].Spec.(*networking.VirtualService) if !ok { // should never happen - return nil, fmt.Errorf("failed in getting a virtual service: %s: %v", virtualServices[i].Name, err) + return nil, fmt.Errorf("failed in getting a virtual service: %s", virtualServices[i].Name) } //Todo: we may need to deal with delegate Virtual services 
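Review bot: In `generateGatewayEnvoyFilters` a failed type assertion on `gateways[i].Spec` is only logged, and the next statement reads `gw.Servers` through what is then a nil `*networking.Gateway`, which panics the controller. Add a `continue` after the `log.Errorf(...)` call so an entry of an unexpected type is skipped instead of dereferenced. The message also formats `gateways[i].Labels` with `%s`; logging `gateways[i].Name`, as the other call sites in this commit do, would identify the object more clearly. The loop body continues past the end of the hunk.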
diff --git a/internal/envoyfilter/network_filter.go b/internal/envoyfilter/network_filter.go index ffe81510e..55dd642d3 100644 --- a/internal/envoyfilter/network_filter.go +++ b/internal/envoyfilter/network_filter.go @@ -42,7 +42,7 @@ func GenerateInsertBeforeNetworkFilter(service *model.ServiceEntryWrapper, outbo // GenerateReplaceNetworkFilter generates an EnvoyFilter that replaces the default tcp proxy with a protocol specified // proxy -func GenerateReplaceNetworkFilter(service *model.ServiceEntryWrapper, port *networking.Port, +func GenerateReplaceNetworkFilter(service *model.ServiceEntryWrapper, port *networking.ServicePort, outboundProxy proto.Message, inboundProxy proto.Message, filterName string, filterType string) []*model.EnvoyFilterWrapper { return generateNetworkFilter(service, port, outboundProxy, inboundProxy, filterName, filterType, @@ -51,7 +51,7 @@ func GenerateReplaceNetworkFilter(service *model.ServiceEntryWrapper, port *netw // GenerateReplaceNetworkFilter generates an EnvoyFilter that replaces the default tcp proxy with a protocol specified // proxy -func generateNetworkFilter(service *model.ServiceEntryWrapper, port *networking.Port, outboundProxy proto.Message, +func generateNetworkFilter(service *model.ServiceEntryWrapper, port *networking.ServicePort, outboundProxy proto.Message, inboundProxy proto.Message, filterName string, filterType string, operation networking.EnvoyFilter_Patch_Operation) []*model.EnvoyFilterWrapper { var envoyFilters []*model.EnvoyFilterWrapper 
@@ -74,7 +74,7 @@ func generateNetworkFilter(service *model.ServiceEntryWrapper, port *networking. return envoyFilters } -func generateOutboundListenerEnvoyFilters(service *model.ServiceEntryWrapper, port *networking.Port, +func generateOutboundListenerEnvoyFilters(service *model.ServiceEntryWrapper, port *networking.ServicePort, outboundProxy proto.Message, filterName string, filterType string, operation networking.EnvoyFilter_Patch_Operation) []*model.EnvoyFilterWrapper { outboundProxyStruct, err := generateValue(outboundProxy, filterName, filterType) @@ -118,7 +118,7 @@ func generateOutboundListenerEnvoyFilters(service *model.ServiceEntryWrapper, po return envoyFilters } -func generateInboundListenerEnvoyFilters(service *model.ServiceEntryWrapper, port *networking.Port, +func generateInboundListenerEnvoyFilters(service *model.ServiceEntryWrapper, port *networking.ServicePort, inboundProxy proto.Message, filterName string, filterType string, operation networking.EnvoyFilter_Patch_Operation, workloadSelector *networking.WorkloadSelector) []*model.EnvoyFilterWrapper { diff --git a/internal/plugin/metaprotocol/generator.go b/internal/plugin/metaprotocol/generator.go index fc54d0147..61b2e946c 100644 --- a/internal/plugin/metaprotocol/generator.go +++ b/internal/plugin/metaprotocol/generator.go @@ -106,8 +106,8 @@ func generateSidecarEnvoyFilters(context *model.EnvoyFilterContext) ([]*model.En return envoyfilters, nil } -func trans2Port(server *istionetworking.Server) *istionetworking.Port { - return &istionetworking.Port{ +func trans2Port(server *istionetworking.Server) *istionetworking.ServicePort { + return &istionetworking.ServicePort{ Number: server.Port.Number, Protocol: server.Port.Protocol, Name: server.Port.Name, diff --git a/internal/plugin/metaprotocol/metaprotocolproxy.go b/internal/plugin/metaprotocol/metaprotocolproxy.go index bb6a16f19..9b84774c3 100644 --- a/internal/plugin/metaprotocol/metaprotocolproxy.go 
+++ b/internal/plugin/metaprotocol/metaprotocolproxy.go @@ -31,7 +31,7 @@ const ( ) func buildOutboundProxy(context *model.EnvoyFilterContext, - port *istionetworking.Port) (*metaprotocol.MetaProtocolProxy, error) { + port *istionetworking.ServicePort) (*metaprotocol.MetaProtocolProxy, error) { applicationProtocol, err := metaprotocolmodel.GetApplicationProtocolFromPortName(port.Name) if err != nil { return nil, err @@ -79,7 +79,7 @@ func buildOutboundProxy(context *model.EnvoyFilterContext, } func buildInboundProxy(context *model.EnvoyFilterContext, - port *istionetworking.Port) (*metaprotocol.MetaProtocolProxy, error) { + port *istionetworking.ServicePort) (*metaprotocol.MetaProtocolProxy, error) { route := buildInboundRouteConfig(context, port) applicationProtocol, err := metaprotocolmodel.GetApplicationProtocolFromPortName(port. Name) diff --git a/internal/plugin/metaprotocol/route.go b/internal/plugin/metaprotocol/route.go index 9fed7fdbe..f13d61667 100644 --- a/internal/plugin/metaprotocol/route.go +++ b/internal/plugin/metaprotocol/route.go @@ -22,7 +22,7 @@ import ( ) func buildInboundRouteConfig(context *model.EnvoyFilterContext, - port *istionetworking.Port) *metaroute.RouteConfiguration { + port *istionetworking.ServicePort) *metaroute.RouteConfiguration { clusterName := model.BuildClusterName(model.TrafficDirectionInbound, "", context.ServiceEntry.Spec.Hosts[0], int(port.Number)) diff --git a/internal/plugin/redis/generator.go b/internal/plugin/redis/generator.go index 3568d274c..827bc0302 100644 --- a/internal/plugin/redis/generator.go +++ b/internal/plugin/redis/generator.go 
@@ -87,14 +87,14 @@ func (g *Generator) Generate(filterContext *model.EnvoyFilterContext) (filters [ } func (g *Generator) generate(ctx context.Context, filterContext *model.EnvoyFilterContext, - targetPort *networking.Port) []*model.EnvoyFilterWrapper { + targetPort *networking.ServicePort) []*model.EnvoyFilterWrapper { port := targetPort.Number portName := targetPort.Name generatorLog.Debugf("generate %s/%s/%s", filterContext.ServiceEntry.Namespace, filterContext.ServiceEntry.Name, portName) // copy and replace ports spec := *filterContext.ServiceEntry.Spec.DeepCopy() - spec.Ports = []*networking.Port{targetPort} + spec.Ports = []*networking.ServicePort{targetPort} filters := envoyfilter.GenerateReplaceNetworkFilter( filterContext.ServiceEntry, filterContext.ServiceEntry.Spec.Ports[0], diff --git a/internal/plugin/redis/outbound.go b/internal/plugin/redis/outbound.go index 1e51c98a2..e098a6762 100644 --- a/internal/plugin/redis/outbound.go +++ b/internal/plugin/redis/outbound.go @@ -200,7 +200,7 @@ func (g *Generator) findTargetHostAndRedisService(ctx context.Context, ns string func (g *Generator) hostServices(ns string) (hostServices map[string]*networking.ServiceEntry) { hostServices = map[string]*networking.ServiceEntry{} - entries, _ := g.store.List(collections.IstioNetworkingV1Alpha3Serviceentries.Resource().GroupVersionKind(), ns) + entries := g.store.List(collections.ServiceEntry.GroupVersionKind(), ns) for i := range entries { se := entries[i].Spec.(*networking.ServiceEntry) for _, host := range se.Hosts { diff --git a/internal/webhook/validation/scheme/collections.go b/internal/webhook/validation/scheme/collections.go index 0d6809212..f01fe1ba7 100755 --- a/internal/webhook/validation/scheme/collections.go +++ b/internal/webhook/validation/scheme/collections.go 
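Review bot: In `hostServices` (internal/plugin/redis/outbound.go) the context line `se := entries[i].Spec.(*networking.ServiceEntry)` is an unchecked type assertion, so a store entry of any other type panics the generator. Every other `List` caller changed in this commit uses the two-value form and handles `!ok`. Use `se, ok := entries[i].Spec.(*networking.ServiceEntry)` followed by `if !ok { continue }` here as well. The loop body runs past the end of the hunk, so the rest of it is not visible.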
@@ -17,55 +17,51 @@ package scheme import ( "reflect" - istioioapimetav1alpha1 "istio.io/api/meta/v1alpha1" + metaprotocolv1alpha1 "github.com/aeraki-mesh/api/metaprotocol/v1alpha1" "istio.io/istio/pkg/config/schema/collection" "istio.io/istio/pkg/config/schema/resource" - - metaprotocolv1alpha1 "github.com/aeraki-mesh/api/metaprotocol/v1alpha1" ) var ( // AerakiMetaprotocolV1Alpha1Applicationprotocols describes the collection // aeraki/metaprotocol/v1alpha1/applicationprotocols - AerakiMetaprotocolV1Alpha1Applicationprotocols = collection.Builder{ - Name: "aeraki/metaprotocol/v1alpha1/applicationprotocols", - VariableName: "AerakiMetaprotocolV1Alpha1Applicationprotocols", - Resource: resource.Builder{ - Group: "metaprotocol.aeraki.io", - Kind: "ApplicationProtocol", - Plural: "applicationprotocols", - Version: "v1alpha1", - Proto: "aeraki.io.v1alpha1.ApplicationProtocol", - //StatusProto: "istio.meta.v1alpha1.IstioStatus", - ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.ApplicationProtocol{}).Elem(), - StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), - ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", - //StatusPackage: "istio.io/api/meta/v1alpha1", - ClusterScoped: false, - ValidateProto: ValidateApplicationProtocol, - }.MustBuild(), + AerakiMetaprotocolV1Alpha1Applicationprotocols = resource.Builder{ + Identifier: "ApplicationProtocol", + Group: "metaprotocol.aeraki.io", + Kind: "ApplicationProtocol", + Plural: "applicationprotocols", + Version: "v1alpha1", + VersionAliases: []string{ + "v1", + }, + Proto: "aeraki.io.v1alpha1.ApplicationProtocol", //StatusProto: "istio.meta.v1alpha1.IstioStatus", + ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.ApplicationProtocol{}).Elem(), //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), + ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", // StatusPackage: "istio.io/api/meta/v1alpha1", + ClusterScoped: false, + Synthetic: false, + 
Builtin: false, + ValidateProto: ValidateApplicationProtocol, }.MustBuild() // AerakiMetaprotocolV1Alpha1Metarouters describes the collection // aeraki/metaprotocol/v1alpha1/metarouters - AerakiMetaprotocolV1Alpha1Metarouters = collection.Builder{ - Name: "aeraki/metaprotocol/v1alpha1/metarouters", - VariableName: "AerakiMetaprotocolV1Alpha1Metarouters", - Resource: resource.Builder{ - Group: "metaprotocol.aeraki.io", - Kind: "MetaRouter", - Plural: "metarouters", - Version: "v1alpha1", - Proto: "aeraki.io.v1alpha1.MetaRouter", - //StatusProto: "istio.meta.v1alpha1.IstioStatus", - ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.MetaRouter{}).Elem(), - //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), - ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", - //StatusPackage: "istio.io/api/meta/v1alpha1", - ClusterScoped: false, - ValidateProto: ValidateMetaRouter, - }.MustBuild(), + AerakiMetaprotocolV1Alpha1Metarouters = resource.Builder{ + Identifier: "MetaRouter", + Group: "metaprotocol.aeraki.io", + Kind: "MetaRouter", + Plural: "metarouters", + Version: "v1alpha1", + VersionAliases: []string{ + "v1", + }, + Proto: "aeraki.io.v1alpha1.MetaRouter", //StatusProto: "istio.meta.v1alpha1.IstioStatus", + ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.MetaRouter{}).Elem(), //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), + ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", // StatusPackage: "istio.io/api/meta/v1alpha1", + ClusterScoped: false, + Synthetic: false, + Builtin: false, + ValidateProto: ValidateMetaRouter, }.MustBuild() // Aeraki contains Aeraki collections in the system. diff --git a/internal/webhook/validation/server/server.go b/internal/webhook/validation/server/server.go index 15c364ded..1ec9d292d 100644 --- a/internal/webhook/validation/server/server.go +++ b/internal/webhook/validation/server/server.go 
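Review bot: Both `resource.Builder` literals now declare `VersionAliases: []string{"v1"}` while `Version` stays `v1alpha1`, and nothing in this hunk shows a `v1` version of `ApplicationProtocol` or `MetaRouter`. If the validation webhook resolves schemas through aliases, objects submitted under `metaprotocol.aeraki.io/v1` would presumably be validated as `v1alpha1`, which is worth confirming since this is the admission path. Either drop the alias or add a comment such as `// v1 is accepted as an alias because ...`. Separately, the commented-out `StatusProto`/`StatusType`/`StatusPackage` fragments now trail live fields on the same line, and `StatusType` for `ApplicationProtocol` changed from set to commented out; a one-line comment saying why status is disabled would help.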
@@ -21,7 +21,7 @@ import ( "fmt" "net/http" - multierror "github.com/hashicorp/go-multierror" + "github.com/hashicorp/go-multierror" "istio.io/istio/pilot/pkg/config/kube/crd" "istio.io/istio/pkg/config/schema/collection" "istio.io/istio/pkg/config/schema/resource" @@ -224,7 +224,7 @@ func (wh *Webhook) validate(request *kube.AdmissionRequest) *kube.AdmissionRespo return toAdmissionResponse(fmt.Errorf("error decoding configuration: %v", err)) } - warnings, err := s.Resource().ValidateConfig(*out) + warnings, err := s.ValidateConfig(*out) if err != nil { scope.Infof("configuration is invalid: %v", err) reportValidationFailed(request, reasonInvalidConfig) diff --git a/internal/xds/cache_mgr.go b/internal/xds/cache_mgr.go index 461359dd3..3c680433b 100644 --- a/internal/xds/cache_mgr.go +++ b/internal/xds/cache_mgr.go @@ -118,11 +118,8 @@ func (c *CacheMgr) updateRouteCache() error { return nil } - serviceEntries, err := c.configStore.List(collections.IstioNetworkingV1Alpha3Serviceentries.Resource(). - GroupVersionKind(), "") - if err != nil { - return fmt.Errorf("failed to list service entries from the config store: %v", err) - } + serviceEntries := c.configStore.List( + collections.ServiceEntry.GroupVersionKind(), "") routes := c.generateMetaRoutes(serviceEntries) snapshot, err := generateSnapshot(routes) @@ -209,7 +206,7 @@ func isMetaProtocolService(service *networking.ServiceEntry) bool { } func (c *CacheMgr) constructRoute(service *networking.ServiceEntry, - port *networking.Port, metaRouter *metaprotocol.MetaRouter, dr *model.DestinationRuleWrapper) *metaroute. + port *networking.ServicePort, metaRouter *metaprotocol.MetaRouter, dr *model.DestinationRuleWrapper) *metaroute. RouteConfiguration { var routes []*metaroute.Route for _, route := range metaRouter.Spec.Routes { 
@@ -232,7 +229,7 @@ func (c *CacheMgr) constructRoute(service *networking.ServiceEntry, return &metaRoute } -func (c *CacheMgr) constructAction(port *networking.Port, +func (c *CacheMgr) constructAction(port *networking.ServicePort, route *metaprotocolapi.MetaRoute, dr *model.DestinationRuleWrapper) *metaroute.RouteAction { var routeAction = &metaroute.RouteAction{} @@ -310,7 +307,7 @@ func (c *CacheMgr) constructAction(port *networking.Port, return routeAction } -func (c *CacheMgr) defaultRoute(service *networking.ServiceEntry, port *networking.Port, +func (c *CacheMgr) defaultRoute(service *networking.ServiceEntry, port *networking.ServicePort, dr *model.DestinationRuleWrapper) *metaroute.RouteConfiguration { metaRoute := metaroute.RouteConfiguration{ Name: model.BuildMetaProtocolRouteName(service.Hosts[0], int(port.Number)), @@ -339,16 +336,13 @@ func (c *CacheMgr) defaultRoute(service *networking.ServiceEntry, port *networki } func (c *CacheMgr) findRelatedServiceEntry(dr *model.DestinationRuleWrapper) (*model.ServiceEntryWrapper, error) { - serviceEntries, err := c.configStore.List( - collections.IstioNetworkingV1Alpha3Serviceentries.Resource().GroupVersionKind(), "") - if err != nil { - return nil, fmt.Errorf("failed to list configs: %v", err) - } + serviceEntries := c.configStore.List( + collections.ServiceEntry.GroupVersionKind(), "") for i := range serviceEntries { se, ok := serviceEntries[i].Spec.(*networking.ServiceEntry) if !ok { // should never happen - return nil, fmt.Errorf("failed in getting a service entry: %s: %v", serviceEntries[i].Name, err) + return nil, fmt.Errorf("failed in getting a service entry: %s", serviceEntries[i].Name) } if model.IsFQDNEquals(dr.Spec.Host, dr.Namespace, se.Hosts[0], serviceEntries[i].Namespace) { return &model.ServiceEntryWrapper{ 
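Review bot: In `findRelatedServiceEntry` the loop indexes `se.Hosts[0]` without checking the slice length, so a ServiceEntry with no hosts in the store would panic the cache manager. `findRelatedDestinationRule` in the next hunk does the same with `service.Spec.Hosts[0]`. `generateEnvoyFilters` in internal/envoyfilter/controller.go guards this case with `if len(service.Hosts) == 0`, so the same guard fits here: `if len(se.Hosts) == 0 { continue }` before the `IsFQDNEquals` call. Whether upstream validation already rules out empty hosts cannot be seen from the hunk.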
@@ -383,16 +377,13 @@ func (c *CacheMgr) findRelatedMetaRouter(service *networking.ServiceEntry) (*met func (c *CacheMgr) findRelatedDestinationRule(service *model.ServiceEntryWrapper) (*model.DestinationRuleWrapper, error) { - drs, err := c.configStore.List( - collections.IstioNetworkingV1Alpha3Destinationrules.Resource().GroupVersionKind(), "") - if err != nil { - return nil, fmt.Errorf("failed to list configs: %v", err) - } + drs := c.configStore.List( + collections.DestinationRule.GroupVersionKind(), "") for i := range drs { dr, ok := drs[i].Spec.(*networking.DestinationRule) if !ok { // should never happen - return nil, fmt.Errorf("failed in getting a destination rule: %s: %v", drs[i].Name, err) + return nil, fmt.Errorf("failed in getting a destination rule: %s", drs[i].Name) } if model.IsFQDNEquals(dr.Host, drs[i].Namespace, service.Spec.Hosts[0], service.Namespace) { return &model.DestinationRuleWrapper{ @@ -415,7 +406,7 @@ func (c *CacheMgr) ConfigUpdated(prev, curr *istioconfig.Config, event istiomode func (c *CacheMgr) shouldUpdateCache(config *istioconfig.Config) bool { var serviceEntry *networking.ServiceEntry - if config.GroupVersionKind == collections.IstioNetworkingV1Alpha3Serviceentries.Resource().GroupVersionKind() { + if config.GroupVersionKind == collections.ServiceEntry.GroupVersionKind() { service, ok := config.Spec.(*networking.ServiceEntry) if !ok { xdsLog.Errorf("Failed in getting a service entry: %v", config.Name) @@ -425,7 +416,7 @@ func (c *CacheMgr) shouldUpdateCache(config *istioconfig.Config) bool { } // Cache needs to be updated if dr changed, the hash policy in the dr is used to generate routes - if config.GroupVersionKind == collections.IstioNetworkingV1Alpha3Destinationrules.Resource().GroupVersionKind() { + if config.GroupVersionKind == collections.DestinationRule.GroupVersionKind() { dr, ok := config.Spec.(*networking.DestinationRule) if !ok { xdsLog.Errorf("Failed in getting a destination rule: %v", config.Name) 
diff --git a/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml b/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml index 96134f8c0..6c497367d 100644 --- a/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml +++ b/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml @@ -40,7 +40,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-provider version: v1 @@ -76,7 +76,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-provider version: v2 @@ -112,7 +112,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-second-provider version: v2 @@ -148,7 +148,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 labels: app: dubbo-sample-consumer spec: diff --git a/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml b/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml index 0576bcc0b..1a82f5df6 100644 --- a/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml +++ b/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml 
@@ -149,7 +149,7 @@ spec: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_ROUTER_MODE value: standard - image: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.0 + image: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 imagePullPolicy: IfNotPresent name: istio-proxy ports: diff --git a/test/e2e/scripts/istio.sh b/test/e2e/scripts/istio.sh index 2fd71664f..6c98c64a1 100644 --- a/test/e2e/scripts/istio.sh +++ b/test/e2e/scripts/istio.sh @@ -25,7 +25,7 @@ if [ -z "$ISTIO_NAMESPACE" ]; then fi if [ -z "$ISTIO_VERSION" ]; then - export ISTIO_VERSION=1.18.2 + export ISTIO_VERSION=1.18.1 fi kubectl create ns ${ISTIO_NAMESPACE} || true diff --git a/test/e2e/scripts/uninstall-istio.sh b/test/e2e/scripts/uninstall-istio.sh index c3dfcee3f..17129c337 100644 --- a/test/e2e/scripts/uninstall-istio.sh +++ b/test/e2e/scripts/uninstall-istio.sh @@ -25,7 +25,7 @@ if [ -z "$ISTIO_NAMESPACE" ]; then fi if [ -z "$ISTIO_VERSION" ]; then - export ISTIO_VERSION=1.18.2 + export ISTIO_VERSION=1.18.1 fi rm -rf ~/.aeraki/istio/istio-config.yaml From f22d38c2ad4485cd5c43eba40ee66e3c247f448e Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 18 Aug 2023 09:54:41 +0800 Subject: [PATCH 2/9] fix goimports Signed-off-by: huabing zhao --- internal/bootstrap/server.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/bootstrap/server.go b/internal/bootstrap/server.go index 188275aee..4874b9cc0 100644 --- a/internal/bootstrap/server.go +++ b/internal/bootstrap/server.go @@ -22,6 +22,7 @@ import ( "fmt" "net" "net/http" + // nolint _ "net/http/pprof" // pprof "sync" From ae491b05ba8ae156091a1dbabec7e96b5060f69c Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 18 Aug 2023 10:42:28 +0800 Subject: [PATCH 3/9] fix lint 
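Review bot: The `// nolint` added above the blank `net/http/pprof` import in internal/bootstrap/server.go names no linter, so it suppresses every check on that import, including any rule that reports profiling handlers being registered automatically (gosec has one, G108). If the aim was only to satisfy the import-formatting check named in the commit title, scope the directive and record the reason, e.g. `//nolint:goimports // blank import kept next to net/http`. The import registers the /debug/pprof handlers on `http.DefaultServeMux`; which listener serves that mux is not visible in this hunk, so a short comment naming the address it is bound to would let a reviewer confirm it is not reachable from outside the pod. The import block continues outside the hunk.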
Signed-off-by: huabing zhao --- go.mod | 2 -- internal/controller/kube/redis.go | 3 ++- internal/envoyfilter/network_filter.go | 9 +++++++-- internal/plugin/metaprotocol/filters.go | 4 ++-- internal/plugin/metaprotocol/generator.go | 2 +- .../webhook/validation/scheme/collections.go | 18 ++++++++++++------ internal/xds/cache_mgr.go | 4 ++-- 7 files changed, 26 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index c5068744d..8fcf5189a 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,6 @@ require ( github.com/aeraki-mesh/api v1.4.1 github.com/aeraki-mesh/client-go v1.4.1 github.com/aeraki-mesh/meta-protocol-control-plane-api v1.4.1 - github.com/apache/thrift v0.18.1 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 github.com/envoyproxy/go-control-plane v0.11.2-0.20230811160418-a0dbac19f027 github.com/gogo/protobuf v1.3.2 @@ -45,7 +44,6 @@ require ( google.golang.org/protobuf v1.31.0 istio.io/api v1.19.0-alpha.1.0.20230810203008-3cdd517bf131 istio.io/client-go v1.19.0-alpha.1.0.20230810203904-45e85278e0fc - istio.io/gogo-genproto v0.0.0-20230705213215-8f59b5a7ddde istio.io/istio v0.0.0-20230817160302-031c6b290e0b istio.io/pkg v0.0.0-20230524020242-1015535057be k8s.io/api v0.28.0 diff --git a/internal/controller/kube/redis.go b/internal/controller/kube/redis.go index 924f89eaf..ab78f5d9f 100644 --- a/internal/controller/kube/redis.go +++ b/internal/controller/kube/redis.go @@ -71,7 +71,8 @@ func AddRedisDestinationController(mgr manager.Manager, triggerPush func() error return err } // Watch for changes to primary resource IstioFilter - err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.RedisDestination{}), &handler.EnqueueRequestForObject{}, redisPredicates) + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.RedisDestination{}), + &handler.EnqueueRequestForObject{}, redisPredicates) if err != nil { return err } diff --git a/internal/envoyfilter/network_filter.go b/internal/envoyfilter/network_filter.go index 55dd642d3..7d3844ce6 100644 
--- a/internal/envoyfilter/network_filter.go +++ b/internal/envoyfilter/network_filter.go @@ -51,8 +51,13 @@ func GenerateReplaceNetworkFilter(service *model.ServiceEntryWrapper, port *netw // GenerateReplaceNetworkFilter generates an EnvoyFilter that replaces the default tcp proxy with a protocol specified // proxy -func generateNetworkFilter(service *model.ServiceEntryWrapper, port *networking.ServicePort, outboundProxy proto.Message, - inboundProxy proto.Message, filterName string, filterType string, +func generateNetworkFilter( + service *model.ServiceEntryWrapper, + port *networking.ServicePort, + outboundProxy proto.Message, + inboundProxy proto.Message, + filterName string, + filterType string, operation networking.EnvoyFilter_Patch_Operation) []*model.EnvoyFilterWrapper { var envoyFilters []*model.EnvoyFilterWrapper diff --git a/internal/plugin/metaprotocol/filters.go b/internal/plugin/metaprotocol/filters.go index 34e066d0d..bbb6ff678 100644 --- a/internal/plugin/metaprotocol/filters.go +++ b/internal/plugin/metaprotocol/filters.go @@ -21,12 +21,12 @@ import ( mpclient "github.com/aeraki-mesh/client-go/pkg/apis/metaprotocol/v1alpha1" metaroute "github.com/aeraki-mesh/meta-protocol-control-plane-api/aeraki/meta_protocol_proxy/config/route/v1alpha" - // nolint + //nolint grldpl "github.com/aeraki-mesh/meta-protocol-control-plane-api/aeraki/meta_protocol_proxy/filters/global_ratelimit/v1alpha" stats "github.com/aeraki-mesh/meta-protocol-control-plane-api/aeraki/meta_protocol_proxy/filters/istio_stats/v1alpha" - // nolint + //nolint lrldpl "github.com/aeraki-mesh/meta-protocol-control-plane-api/aeraki/meta_protocol_proxy/filters/local_ratelimit/v1alpha" mpdataplane "github.com/aeraki-mesh/meta-protocol-control-plane-api/aeraki/meta_protocol_proxy/v1alpha" diff --git a/internal/plugin/metaprotocol/generator.go b/internal/plugin/metaprotocol/generator.go index 61b2e946c..f51702a55 100644 --- a/internal/plugin/metaprotocol/generator.go 
+++ b/internal/plugin/metaprotocol/generator.go @@ -111,6 +111,6 @@ func trans2Port(server *istionetworking.Server) *istionetworking.ServicePort { Number: server.Port.Number, Protocol: server.Port.Protocol, Name: server.Port.Name, - TargetPort: server.Port.TargetPort, + TargetPort: server.Port.Number, } } diff --git a/internal/webhook/validation/scheme/collections.go b/internal/webhook/validation/scheme/collections.go index f01fe1ba7..34947f785 100755 --- a/internal/webhook/validation/scheme/collections.go +++ b/internal/webhook/validation/scheme/collections.go @@ -35,9 +35,12 @@ var ( VersionAliases: []string{ "v1", }, - Proto: "aeraki.io.v1alpha1.ApplicationProtocol", //StatusProto: "istio.meta.v1alpha1.IstioStatus", - ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.ApplicationProtocol{}).Elem(), //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), - ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", // StatusPackage: "istio.io/api/meta/v1alpha1", + Proto: "aeraki.io.v1alpha1.ApplicationProtocol", + //StatusProto: "istio.meta.v1alpha1.IstioStatus", + ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.ApplicationProtocol{}).Elem(), + //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), + ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", + // StatusPackage: "istio.io/api/meta/v1alpha1", ClusterScoped: false, Synthetic: false, Builtin: false, 
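Review bot: In trans2Port, `TargetPort: server.Port.Number` is a behaviour change inside a commit titled "fix lint": a gateway server whose configured target port differs from its port number now has that value silently replaced. If the field was swapped because `server.Port.TargetPort` is deprecated in the upgraded Istio API (an inference, the lint message is not shown), state that at the assignment, e.g. `// Port.TargetPort is deprecated upstream; the listener port is used as the target port`. If existing gateways rely on a distinct target port, keep the old value as a fallback when it is non-zero instead of dropping it. trans2Port starts outside the hunk.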
@@ -55,9 +58,12 @@ var ( VersionAliases: []string{ "v1", }, - Proto: "aeraki.io.v1alpha1.MetaRouter", //StatusProto: "istio.meta.v1alpha1.IstioStatus", - ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.MetaRouter{}).Elem(), //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), - ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", // StatusPackage: "istio.io/api/meta/v1alpha1", + Proto: "aeraki.io.v1alpha1.MetaRouter", + //StatusProto: "istio.meta.v1alpha1.IstioStatus", + ReflectType: reflect.TypeOf(&metaprotocolv1alpha1.MetaRouter{}).Elem(), + //StatusType: reflect.TypeOf(&istioioapimetav1alpha1.IstioStatus{}).Elem(), + ProtoPackage: "github.com/aeraki-mesh/api/metaprotocol/v1alpha1", + // StatusPackage: "istio.io/api/meta/v1alpha1", ClusterScoped: false, Synthetic: false, Builtin: false, diff --git a/internal/xds/cache_mgr.go b/internal/xds/cache_mgr.go index 3c680433b..ae6c4eaac 100644 --- a/internal/xds/cache_mgr.go +++ b/internal/xds/cache_mgr.go @@ -126,14 +126,14 @@ func (c *CacheMgr) updateRouteCache() error { if err != nil { xdsLog.Errorf("failed to generate route cache: %v", err) // We don't retry in this scenario - return nil + return err } for _, node := range c.routeCache.GetStatusKeys() { xdsLog.Debugf("set route cahe for: %s", node) if err := c.routeCache.SetSnapshot(context.TODO(), node, snapshot); err != nil { xdsLog.Errorf("failed to set route cache: %v", err) - // We don't retry in this scenario + return err } } return nil From b45dc566759cb9fab7296578d47ac85bab9b27bf Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 18 Aug 2023 10:51:42 +0800 Subject: [PATCH 4/9] fix test Signed-off-by: huabing zhao --- .github/workflows/ci.yaml | 8 ++++---- .../workflows/e2e-metaprotocol-gateway.yaml | 2 +- .github/workflows/e2e-metaprotocol.yaml | 18 +++++++++--------- .github/workflows/e2e-redis.yaml | 2 +- 4 files changed, 15 insertions(+), 15 deletions(-) 
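Review bot: The `return err` added inside the `GetStatusKeys` loop of updateRouteCache stops at the first node whose `SetSnapshot` fails, so every node after it keeps its previous route snapshot until some later update succeeds. Consider finishing the loop and reporting afterwards: remember the failure with `if firstErr == nil { firstErr = err }` and end the function with `return firstErr`. The comment `// We don't retry in this scenario` that remains above the first `return err` no longer matches the code if the caller retries on a non-nil error (the caller is outside this hunk); update or remove it. The function starts outside the hunk.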
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a7255ced2..908f9ea1f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,7 +36,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v1 with: - go-version: 1.19 + go-version: '1.20' - name: Build run: go build -race ./internal/... - name: Test @@ -54,7 +54,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v1 with: - go-version: 1.19 + go-version: '1.20' - name: golangci-lint uses: golangci/golangci-lint-action@v3.1.0 with: @@ -69,7 +69,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -83,7 +83,7 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-go@v1 with: - go-version: 1.19 + go-version: '1.20' - run: go mod tidy - name: Check for changes in go.mod or go.sum run: | diff --git a/.github/workflows/e2e-metaprotocol-gateway.yaml b/.github/workflows/e2e-metaprotocol-gateway.yaml index c7d4c910c..06a76ac75 100644 --- a/.github/workflows/e2e-metaprotocol-gateway.yaml +++ b/.github/workflows/e2e-metaprotocol-gateway.yaml @@ -36,7 +36,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version diff --git a/.github/workflows/e2e-metaprotocol.yaml b/.github/workflows/e2e-metaprotocol.yaml index 792d61706..512b7dfbd 100644 --- a/.github/workflows/e2e-metaprotocol.yaml +++ b/.github/workflows/e2e-metaprotocol.yaml @@ -36,7 +36,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -65,7 +65,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -94,7 +94,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version 
@@ -123,7 +123,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -152,7 +152,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -181,7 +181,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -210,7 +210,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -239,7 +239,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version @@ -268,7 +268,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go version diff --git a/.github/workflows/e2e-redis.yaml b/.github/workflows/e2e-redis.yaml index 04941397d..c2132f429 100644 --- a/.github/workflows/e2e-redis.yaml +++ b/.github/workflows/e2e-redis.yaml @@ -36,7 +36,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v2 with: - go-version: 1.19 + go-version: '1.20' - name: Install dependencies run: | go install golang.org/x/tools/cmd/goimports@latest From 20935e449ac8ab54b81e2ed9dff04a9c1dfcd94f Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 18 Aug 2023 11:03:08 +0800 Subject: [PATCH 5/9] address comments 
Signed-off-by: huabing zhao --- demo/metaprotocol-brpc/brpc-sample.yaml | 6 +++--- demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml | 8 ++++---- demo/metaprotocol-dubbo/dubbo-sample.yaml | 8 ++++---- .../outlier-detection/outlier-detection.yaml | 2 +- demo/metaprotocol-thrift/thrift-sample.yaml | 6 +++--- test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml | 8 ++++---- .../e2e/metaprotocolgateway/testdata/ingress-gateway.yaml | 2 +- 7 files changed, 20 insertions(+), 20 deletions(-) diff --git a/demo/metaprotocol-brpc/brpc-sample.yaml b/demo/metaprotocol-brpc/brpc-sample.yaml index ceb1386e7..d86f49e97 100644 --- a/demo/metaprotocol-brpc/brpc-sample.yaml +++ b/demo/metaprotocol-brpc/brpc-sample.yaml @@ -28,7 +28,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: brpc-echo-server version: v1 @@ -57,7 +57,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: brpc-echo-server version: v2 @@ -86,7 +86,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: brpc-echo-client spec: diff --git a/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml b/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml index 05eb43751..0ef67506c 100644 --- a/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml +++ b/demo/metaprotocol-dubbo-app-level/dubbo-sample.yaml 
@@ -40,7 +40,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-provider version: v1 @@ -76,7 +76,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-provider version: v2 @@ -112,7 +112,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-second-provider version: v2 @@ -139,7 +139,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-consumer spec: diff --git a/demo/metaprotocol-dubbo/dubbo-sample.yaml b/demo/metaprotocol-dubbo/dubbo-sample.yaml index db69e208c..29c5f6ba1 100644 --- a/demo/metaprotocol-dubbo/dubbo-sample.yaml +++ b/demo/metaprotocol-dubbo/dubbo-sample.yaml @@ -40,7 +40,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-provider version: v1 
@@ -76,7 +76,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-provider version: v2 @@ -112,7 +112,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-second-provider version: v2 @@ -139,7 +139,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-consumer spec: diff --git a/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml b/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml index dde92cb21..1a522b0ff 100644 --- a/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml +++ b/demo/metaprotocol-thrift/outlier-detection/outlier-detection.yaml @@ -29,7 +29,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-server diff --git a/demo/metaprotocol-thrift/thrift-sample.yaml b/demo/metaprotocol-thrift/thrift-sample.yaml index b27d542f4..1d20a9b29 100644 --- a/demo/metaprotocol-thrift/thrift-sample.yaml +++ b/demo/metaprotocol-thrift/thrift-sample.yaml 
@@ -28,7 +28,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-server @@ -55,7 +55,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-server @@ -82,7 +82,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 sidecar.istio.io/rewriteAppHTTPProbers: "false" labels: app: thrift-sample-client diff --git a/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml b/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml index 6c497367d..20d1a0688 100644 --- a/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml +++ b/test/e2e/metaprotocol/testdata/metaprotocol-sample.yaml @@ -40,7 +40,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-provider version: v1 @@ -76,7 +76,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-provider version: v2 
@@ -112,7 +112,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-second-provider version: v2 @@ -148,7 +148,7 @@ spec: metadata: annotations: sidecar.istio.io/bootstrapOverride: aeraki-bootstrap-config - sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + sidecar.istio.io/proxyImage: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 labels: app: dubbo-sample-consumer spec: diff --git a/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml b/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml index 1a82f5df6..f43603f70 100644 --- a/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml +++ b/test/e2e/metaprotocolgateway/testdata/ingress-gateway.yaml @@ -149,7 +149,7 @@ spec: fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_ROUTER_MODE value: standard - image: ghcr.io/aeraki-mesh/meta-protocol-proxy-debug:1.4.1 + image: ghcr.io/aeraki-mesh/meta-protocol-proxy:1.4.1 imagePullPolicy: IfNotPresent name: istio-proxy ports: From b2fd61f19d697654807eb9d88f0a20f59060427d Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 18 Aug 2023 11:14:43 +0800 Subject: [PATCH 6/9] fix lint 
Signed-off-by: huabing zhao --- .github/workflows/ci.yaml | 2 +- demo/install-demo.sh | 2 +- go.mod | 2 + istio-1.18.2/LICENSE | 202 + istio-1.18.2/README.md | 117 + istio-1.18.2/manifest.yaml | 33 + istio-1.18.2/manifests/charts/README.md | 136 + .../manifests/charts/UPDATING-CHARTS.md | 67 + istio-1.18.2/manifests/charts/base/Chart.yaml | 14 + istio-1.18.2/manifests/charts/base/README.md | 21 + .../charts/base/crds/crd-all.gen.yaml | 7199 ++++++++++++++++ .../charts/base/crds/crd-operator.yaml | 48 + .../manifests/charts/base/templates/NOTES.txt | 5 + .../charts/base/templates/clusterrole.yaml | 181 + .../base/templates/clusterrolebinding.yaml | 37 + .../manifests/charts/base/templates/crds.yaml | 4 + .../charts/base/templates/default.yaml | 48 + .../charts/base/templates/endpoints.yaml | 23 + .../base/templates/reader-serviceaccount.yaml | 16 + .../manifests/charts/base/templates/role.yaml | 25 + .../charts/base/templates/rolebinding.yaml | 21 + .../charts/base/templates/serviceaccount.yaml | 19 + .../charts/base/templates/services.yaml | 28 + .../manifests/charts/base/values.yaml | 29 + .../manifests/charts/default/Chart.yaml | 13 + .../default/templates/mutatingwebhook.yaml | 125 + .../default/templates/validatingwebhook.yaml | 47 + .../manifests/charts/default/values.yaml | 27 + .../manifests/charts/gateway/Chart.yaml | 16 + .../manifests/charts/gateway/README.md | 148 + .../charts/gateway/templates/NOTES.txt | 9 + .../charts/gateway/templates/_helpers.tpl | 61 + .../charts/gateway/templates/deployment.yaml | 107 + .../charts/gateway/templates/hpa.yaml | 31 + .../templates/poddisruptionbudget.yaml | 16 + .../charts/gateway/templates/role.yaml | 33 + .../charts/gateway/templates/service.yaml | 50 + .../gateway/templates/serviceaccount.yaml | 13 + .../charts/gateway/values.schema.json | 219 + .../manifests/charts/gateway/values.yaml | 127 + .../charts/gateways/istio-egress/Chart.yaml | 15 + .../charts/gateways/istio-egress/NOTES.txt | 45 + 
.../istio-egress/templates/_affinity.tpl | 104 + .../istio-egress/templates/autoscale.yaml | 60 + .../istio-egress/templates/deployment.yaml | 348 + .../templates/injected-deployment.yaml | 146 + .../templates/poddisruptionbudget.yaml | 23 + .../gateways/istio-egress/templates/role.yaml | 16 + .../istio-egress/templates/rolebindings.yaml | 19 + .../istio-egress/templates/service.yaml | 47 + .../templates/serviceaccount.yaml | 22 + .../charts/gateways/istio-egress/values.yaml | 299 + .../charts/gateways/istio-ingress/Chart.yaml | 16 + .../charts/gateways/istio-ingress/NOTES.txt | 43 + .../istio-ingress/templates/_affinity.tpl | 104 + .../istio-ingress/templates/autoscale.yaml | 60 + .../istio-ingress/templates/deployment.yaml | 348 + .../templates/injected-deployment.yaml | 146 + .../templates/poddisruptionbudget.yaml | 23 + .../istio-ingress/templates/role.yaml | 16 + .../istio-ingress/templates/rolebindings.yaml | 19 + .../istio-ingress/templates/service.yaml | 47 + .../templates/serviceaccount.yaml | 22 + .../charts/gateways/istio-ingress/values.yaml | 319 + .../manifests/charts/install-OpenShift.md | 43 + .../manifests/charts/istio-cni/Chart.yaml | 14 + .../manifests/charts/istio-cni/README.md | 43 + .../charts/istio-cni/templates/NOTES.txt | 5 + .../istio-cni/templates/clusterrole.yaml | 34 + .../templates/clusterrolebinding.yaml | 58 + .../istio-cni/templates/configmap-cni.yaml | 33 + .../charts/istio-cni/templates/daemonset.yaml | 202 + .../istio-cni/templates/resourcequota.yaml | 16 + .../istio-cni/templates/serviceaccount.yaml | 17 + .../manifests/charts/istio-cni/values.yaml | 127 + .../istio-control/istio-discovery/Chart.yaml | 16 + .../istio-control/istio-discovery/README.md | 59 + .../files/gateway-injection-template.yaml | 237 + .../istio-discovery/files/grpc-agent.yaml | 320 + .../istio-discovery/files/grpc-simple.yaml | 65 + .../files/injection-template.yaml | 513 ++ .../istio-discovery/files/kube-gateway.yaml | 312 + 
.../istio-discovery/files/waypoint.yaml | 238 + .../istio-discovery/templates/NOTES.txt | 56 + .../istio-discovery/templates/_helpers.tpl | 35 + .../istio-discovery/templates/autoscale.yaml | 59 + .../templates/clusterrole.yaml | 147 + .../templates/clusterrolebinding.yaml | 33 + .../templates/configmap-jwks.yaml | 14 + .../istio-discovery/templates/configmap.yaml | 120 + .../istio-discovery/templates/deployment.yaml | 258 + .../templates/istiod-injector-configmap.yaml | 75 + .../templates/mutatingwebhook.yaml | 152 + .../templates/poddisruptionbudget.yaml | 29 + .../templates/reader-clusterrole.yaml | 55 + .../templates/reader-clusterrolebinding.yaml | 15 + .../templates/revision-tags.yaml | 140 + .../istio-discovery/templates/role.yaml | 30 + .../templates/rolebinding.yaml | 16 + .../istio-discovery/templates/service.yaml | 41 + .../templates/serviceaccount.yaml | 15 + .../templates/telemetryv2_1.16.yaml | 616 ++ .../templates/telemetryv2_1.17.yaml | 486 ++ .../templates/telemetryv2_1.18.yaml | 486 ++ .../validatingwebhookconfiguration.yaml | 58 + .../istio-control/istio-discovery/values.yaml | 485 ++ .../charts/istio-operator/Chart.yaml | 15 + .../istio-operator/crds/crd-operator.yaml | 48 + .../istio-operator/templates/clusterrole.yaml | 117 + .../templates/clusterrole_binding.yaml | 13 + .../charts/istio-operator/templates/crds.yaml | 6 + .../istio-operator/templates/deployment.yaml | 81 + .../istio-operator/templates/service.yaml | 16 + .../templates/service_account.yaml | 12 + .../charts/istio-operator/values.yaml | 51 + .../manifests/charts/istiod-remote/Chart.yaml | 15 + .../manifests/charts/istiod-remote/NOTES.txt | 4 + .../files/gateway-injection-template.yaml | 237 + .../files/injection-template.yaml | 513 ++ .../istiod-remote/templates/_helpers.tpl | 35 + .../istiod-remote/templates/clusterrole.yaml | 149 + .../templates/clusterrolebinding.yaml | 35 + .../istiod-remote/templates/configmap.yaml | 120 + .../istiod-remote/templates/crd-all.gen.yaml | 7201 
+++++++++++++++++ .../istiod-remote/templates/crd-operator.yaml | 50 + .../istiod-remote/templates/default.yaml | 50 + .../istiod-remote/templates/endpoints.yaml | 23 + .../templates/istiod-injector-configmap.yaml | 75 + .../templates/mutatingwebhook.yaml | 152 + .../templates/reader-clusterrole.yaml | 55 + .../templates/reader-clusterrolebinding.yaml | 15 + .../templates/reader-serviceaccount.yaml | 16 + .../charts/istiod-remote/templates/role.yaml | 32 + .../istiod-remote/templates/rolebinding.yaml | 18 + .../templates/serviceaccount.yaml | 17 + .../istiod-remote/templates/services.yaml | 28 + .../templates/telemetryv2_1.16.yaml | 616 ++ .../templates/telemetryv2_1.17.yaml | 486 ++ .../templates/telemetryv2_1.18.yaml | 486 ++ .../validatingwebhookconfiguration.yaml | 60 + .../charts/istiod-remote/values.yaml | 416 + .../manifests/charts/ztunnel/Chart.yaml | 14 + .../manifests/charts/ztunnel/README.md | 36 + .../charts/ztunnel/templates/NOTES.txt | 5 + .../charts/ztunnel/templates/daemonset.yaml | 121 + .../charts/ztunnel/templates/rbac.yaml | 16 + .../manifests/charts/ztunnel/values.yaml | 55 + .../istio_v1alpha1_istiooperator_cr.yaml | 9 + .../user-gateway/ingress-gateway-only.yaml | 8 + istio-1.18.2/manifests/profiles/ambient.yaml | 52 + istio-1.18.2/manifests/profiles/default.yaml | 177 + istio-1.18.2/manifests/profiles/demo.yaml | 85 + istio-1.18.2/manifests/profiles/empty.yaml | 13 + istio-1.18.2/manifests/profiles/external.yaml | 23 + istio-1.18.2/manifests/profiles/minimal.yaml | 8 + .../manifests/profiles/openshift.yaml | 21 + istio-1.18.2/manifests/profiles/preview.yaml | 21 + istio-1.18.2/manifests/profiles/remote.yaml | 24 + istio-1.18.2/samples/README.md | 3 + istio-1.18.2/samples/addons/README.md | 102 + .../addons/extras/prometheus-operator.yaml | 66 + .../samples/addons/extras/prometheus_vm.yaml | 530 ++ .../addons/extras/prometheus_vm_tls.yaml | 548 ++ .../samples/addons/extras/skywalking.yaml | 133 + .../samples/addons/extras/zipkin.yaml | 61 + 
istio-1.18.2/samples/addons/grafana.yaml | 1129 +++ istio-1.18.2/samples/addons/jaeger.yaml | 117 + istio-1.18.2/samples/addons/kiali.yaml | 551 ++ istio-1.18.2/samples/addons/loki.yaml | 283 + istio-1.18.2/samples/addons/prometheus.yaml | 531 ++ istio-1.18.2/samples/bookinfo/README.md | 100 + .../bookinfo/build_push_update_images.sh | 130 + .../bookinfo/demo-profile-no-gateways.yaml | 12 + .../gateway-api/bookinfo-gateway.yaml | 41 + .../bookinfo/gateway-api/route-all-v1.yaml | 56 + .../gateway-api/route-reviews-50-v3.yaml | 17 + .../gateway-api/route-reviews-90-10.yaml | 17 + .../gateway-api/route-reviews-v1.yaml | 13 + .../gateway-api/route-reviews-v3.yaml | 13 + .../bookinfo/networking/bookinfo-gateway.yaml | 43 + .../networking/certmanager-gateway.yaml | 35 + .../networking/destination-rule-all-mtls.yaml | 74 + .../networking/destination-rule-all.yaml | 62 + .../networking/destination-rule-reviews.yaml | 19 + .../networking/egress-rule-google-apis.yaml | 46 + .../fault-injection-details-v1.yaml | 32 + .../networking/virtual-service-all-v1.yaml | 52 + .../virtual-service-details-v2.yaml | 12 + .../virtual-service-ratings-db.yaml | 26 + .../virtual-service-ratings-mysql-vm.yaml | 26 + .../virtual-service-ratings-mysql.yaml | 26 + .../virtual-service-ratings-test-abort.yaml | 25 + .../virtual-service-ratings-test-delay.yaml | 25 + .../virtual-service-reviews-50-v3.yaml | 17 + .../virtual-service-reviews-80-20.yaml | 17 + .../virtual-service-reviews-90-10.yaml | 17 + .../virtual-service-reviews-jason-v2-v3.yaml | 20 + .../virtual-service-reviews-test-v2.yaml | 20 + .../virtual-service-reviews-v2-v3.yaml | 17 + .../virtual-service-reviews-v3.yaml | 12 + .../samples/bookinfo/platform/kube/README.md | 2 + .../platform/kube/bookinfo-certificate.yaml | 37 + .../bookinfo/platform/kube/bookinfo-db.yaml | 60 + .../platform/kube/bookinfo-details-v2.yaml | 48 + .../platform/kube/bookinfo-details.yaml | 59 + .../platform/kube/bookinfo-ingress.yaml | 63 + 
.../platform/kube/bookinfo-mysql.yaml | 79 + .../bookinfo/platform/kube/bookinfo-psa.yaml | 369 + .../kube/bookinfo-ratings-discovery.yaml | 31 + .../kube/bookinfo-ratings-v2-mysql-vm.yaml | 55 + .../kube/bookinfo-ratings-v2-mysql.yaml | 58 + .../platform/kube/bookinfo-ratings-v2.yaml | 65 + .../platform/kube/bookinfo-ratings.yaml | 59 + .../platform/kube/bookinfo-reviews-v2.yaml | 58 + .../platform/kube/bookinfo-versions.yaml | 72 + .../bookinfo/platform/kube/bookinfo.yaml | 347 + .../samples/bookinfo/platform/kube/cleanup.sh | 85 + .../platform/kube/productpage-nodeport.yaml | 32 + .../policy/productpage_envoy_ratelimit.yaml | 88 + .../samples/bookinfo/src/build-services.sh | 103 + .../bookinfo/src/mongodb/ratings_data.json | 2 + .../samples/bookinfo/src/mongodb/script.sh | 18 + .../bookinfo/src/productpage/requirements.txt | 32 + .../src/productpage/test-requirements.txt | 1 + .../samples/bookinfo/src/ratings/package.json | 11 + istio-1.18.2/samples/bookinfo/swagger.yaml | 248 + istio-1.18.2/samples/certs/README.md | 34 + istio-1.18.2/samples/certs/ca-cert-alt.pem | 31 + istio-1.18.2/samples/certs/ca-cert.pem | 22 + istio-1.18.2/samples/certs/ca-key-alt.pem | 51 + istio-1.18.2/samples/certs/ca-key.pem | 27 + istio-1.18.2/samples/certs/cert-chain-alt.pem | 61 + istio-1.18.2/samples/certs/cert-chain.pem | 22 + .../samples/certs/generate-workload.sh | 111 + .../samples/certs/leaf-workload-bar-cert.pem | 21 + .../samples/certs/leaf-workload-foo-cert.pem | 21 + istio-1.18.2/samples/certs/root-cert-alt.pem | 30 + istio-1.18.2/samples/certs/root-cert.pem | 24 + .../samples/certs/workload-bar-cert.pem | 43 + .../samples/certs/workload-bar-key.pem | 27 + .../samples/certs/workload-bar-root-certs.pem | 46 + .../samples/certs/workload-foo-cert.pem | 43 + .../samples/certs/workload-foo-key.pem | 27 + .../samples/certs/workload-foo-root-certs.pem | 46 + istio-1.18.2/samples/cicd/skaffold/README.md | 45 + .../samples/cicd/skaffold/skaffold.yaml | 145 + 
.../samples/custom-bootstrap/README.md | 52 + .../custom-bootstrap/custom-bootstrap.yaml | 20 + .../samples/custom-bootstrap/example-app.yaml | 30 + istio-1.18.2/samples/extauthz/README.md | 99 + istio-1.18.2/samples/extauthz/ext-authz.yaml | 55 + .../samples/extauthz/local-ext-authz.yaml | 99 + istio-1.18.2/samples/external/README.md | 34 + istio-1.18.2/samples/external/aptget.yaml | 20 + istio-1.18.2/samples/external/github.yaml | 53 + istio-1.18.2/samples/external/pypi.yaml | 44 + istio-1.18.2/samples/grpc-echo/README.md | 7 + istio-1.18.2/samples/grpc-echo/grpc-echo.yaml | 197 + .../health-check/liveness-command.yaml | 58 + .../health-check/liveness-http-same-port.yaml | 40 + istio-1.18.2/samples/helloworld/README.md | 110 + .../samples/helloworld/gateway-api/README.md | 74 + .../gateway-api/helloworld-gateway.yaml | 29 + .../gateway-api/helloworld-route.yaml | 19 + .../gateway-api/helloworld-versions.yaml | 23 + .../samples/helloworld/gen-helloworld.sh | 131 + .../helloworld/helloworld-gateway.yaml | 33 + .../samples/helloworld/helloworld.yaml | 71 + istio-1.18.2/samples/helloworld/loadgen.sh | 17 + .../samples/helloworld/src/build_service.sh | 22 + .../samples/helloworld/src/requirements.txt | 7 + istio-1.18.2/samples/httpbin/README.md | 41 + .../httpbin/gateway-api/httpbin-gateway.yaml | 25 + .../samples/httpbin/httpbin-gateway.yaml | 30 + .../samples/httpbin/httpbin-nodeport.yaml | 55 + .../samples/httpbin/httpbin-vault.yaml | 55 + istio-1.18.2/samples/httpbin/httpbin.yaml | 60 + .../httpbin/sample-client/fortio-deploy.yaml | 49 + .../samples/jwt-server/jwt-server.yaml | 125 + istio-1.18.2/samples/jwt-server/src/Makefile | 19 + istio-1.18.2/samples/kind-lb/README.md | 48 + istio-1.18.2/samples/kind-lb/setupkind.sh | 241 + istio-1.18.2/samples/multicluster/README.md | 47 + .../multicluster/expose-istiod-https.yaml | 76 + .../samples/multicluster/expose-istiod.yaml | 54 + .../samples/multicluster/expose-services.yaml | 16 + 
.../multicluster/gen-eastwest-gateway.sh | 146 + .../samples/open-telemetry/als/README.md | 79 + .../samples/open-telemetry/loki/REAME.md | 99 + .../samples/open-telemetry/loki/iop.yaml | 15 + .../samples/open-telemetry/loki/otel.yaml | 122 + .../open-telemetry/loki/telemetry.yaml | 9 + istio-1.18.2/samples/open-telemetry/otel.yaml | 137 + .../samples/open-telemetry/tracing/README.md | 137 + .../open-telemetry/tracing/telemetry.yaml | 9 + istio-1.18.2/samples/operator/cni-on.yaml | 6 + .../samples/operator/default-install.yaml | 8 + .../operator/pilot-advanced-override.yaml | 19 + istio-1.18.2/samples/operator/pilot-k8s.yaml | 13 + .../samples/operator/values-global.yaml | 7 + .../samples/operator/values-pilot.yaml | 6 + .../samples/ratelimit/rate-limit-service.yaml | 151 + .../samples/security/psp/sidecar-psp.yaml | 46 + istio-1.18.2/samples/security/spire/README.md | 90 + .../security/spire/clusterspiffeid.yaml | 9 + .../security/spire/istio-spire-config.yaml | 70 + .../samples/security/spire/sleep-spire.yaml | 70 + .../security/spire/spire-quickstart.yaml | 985 +++ istio-1.18.2/samples/sleep/README.md | 37 + istio-1.18.2/samples/sleep/notsleep.yaml | 78 + istio-1.18.2/samples/sleep/sleep-vault.yaml | 57 + istio-1.18.2/samples/sleep/sleep.yaml | 66 + istio-1.18.2/samples/tcp-echo/README.md | 38 + .../tcp-echo/gateway-api/tcp-echo-20-v2.yaml | 16 + .../tcp-echo/gateway-api/tcp-echo-all-v1.yaml | 50 + .../samples/tcp-echo/tcp-echo-20-v2.yaml | 39 + .../samples/tcp-echo/tcp-echo-all-v1.yaml | 61 + .../samples/tcp-echo/tcp-echo-dual-stack.yaml | 62 + .../samples/tcp-echo/tcp-echo-ipv4.yaml | 61 + .../samples/tcp-echo/tcp-echo-ipv6.yaml | 61 + .../samples/tcp-echo/tcp-echo-services.yaml | 86 + istio-1.18.2/samples/tcp-echo/tcp-echo.yaml | 58 + istio-1.18.2/samples/wasm_modules/README.md | 3 + .../wasm_modules/header_injector/Makefile | 22 + istio-1.18.2/samples/websockets/README.md | 48 + istio-1.18.2/samples/websockets/app.yaml | 37 + 
istio-1.18.2/samples/websockets/route.yaml | 32 + istio-1.18.2/tools/_istioctl | 212 + istio-1.18.2/tools/certs/Makefile.k8s.mk | 102 + .../tools/certs/Makefile.selfsigned.mk | 98 + istio-1.18.2/tools/certs/README.md | 26 + istio-1.18.2/tools/certs/common.mk | 101 + istio-1.18.2/tools/istioctl.bash | 338 + 333 files changed, 43692 insertions(+), 2 deletions(-) create mode 100644 istio-1.18.2/LICENSE create mode 100644 istio-1.18.2/README.md create mode 100644 istio-1.18.2/manifest.yaml create mode 100644 istio-1.18.2/manifests/charts/README.md create mode 100644 istio-1.18.2/manifests/charts/UPDATING-CHARTS.md create mode 100644 istio-1.18.2/manifests/charts/base/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/base/README.md create mode 100644 istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml create mode 100644 istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/crds.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/default.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/endpoints.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/role.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/base/templates/services.yaml create mode 100644 istio-1.18.2/manifests/charts/base/values.yaml create mode 100644 istio-1.18.2/manifests/charts/default/Chart.yaml create mode 100644 
istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml create mode 100644 istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml create mode 100644 istio-1.18.2/manifests/charts/default/values.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/README.md create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/role.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/service.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/gateway/values.schema.json create mode 100644 istio-1.18.2/manifests/charts/gateway/values.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml create mode 100644 
istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml create mode 100644 istio-1.18.2/manifests/charts/install-OpenShift.md create mode 100644 istio-1.18.2/manifests/charts/istio-cni/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-cni/README.md create mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml create mode 100644 
istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-cni/values.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml create mode 100644 
istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml create 
mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml create mode 100644 istio-1.18.2/manifests/charts/istio-operator/values.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml create mode 100644 
istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml create mode 100644 istio-1.18.2/manifests/charts/istiod-remote/values.yaml create mode 100644 istio-1.18.2/manifests/charts/ztunnel/Chart.yaml create mode 100644 istio-1.18.2/manifests/charts/ztunnel/README.md create mode 100644 istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt create mode 100644 istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml create mode 100644 istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml create mode 100644 istio-1.18.2/manifests/charts/ztunnel/values.yaml create mode 100644 istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml create mode 100644 istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml create mode 100644 istio-1.18.2/manifests/profiles/ambient.yaml create mode 100644 istio-1.18.2/manifests/profiles/default.yaml create mode 100644 istio-1.18.2/manifests/profiles/demo.yaml create mode 100644 istio-1.18.2/manifests/profiles/empty.yaml create mode 100644 istio-1.18.2/manifests/profiles/external.yaml create mode 100644 istio-1.18.2/manifests/profiles/minimal.yaml create mode 100644 istio-1.18.2/manifests/profiles/openshift.yaml create mode 
100644 istio-1.18.2/manifests/profiles/preview.yaml create mode 100644 istio-1.18.2/manifests/profiles/remote.yaml create mode 100644 istio-1.18.2/samples/README.md create mode 100644 istio-1.18.2/samples/addons/README.md create mode 100644 istio-1.18.2/samples/addons/extras/prometheus-operator.yaml create mode 100644 istio-1.18.2/samples/addons/extras/prometheus_vm.yaml create mode 100644 istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml create mode 100644 istio-1.18.2/samples/addons/extras/skywalking.yaml create mode 100644 istio-1.18.2/samples/addons/extras/zipkin.yaml create mode 100644 istio-1.18.2/samples/addons/grafana.yaml create mode 100644 istio-1.18.2/samples/addons/jaeger.yaml create mode 100644 istio-1.18.2/samples/addons/kiali.yaml create mode 100644 istio-1.18.2/samples/addons/loki.yaml create mode 100644 istio-1.18.2/samples/addons/prometheus.yaml create mode 100644 istio-1.18.2/samples/bookinfo/README.md create mode 100755 istio-1.18.2/samples/bookinfo/build_push_update_images.sh create mode 100644 istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml create mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml create mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml create mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml create mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml create mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml create mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml create mode 100644 
istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml create mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/README.md create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml create mode 100644 
istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml create mode 100755 istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh create mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml create mode 100644 istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml create mode 100755 istio-1.18.2/samples/bookinfo/src/build-services.sh create mode 100644 istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json create mode 100644 istio-1.18.2/samples/bookinfo/src/mongodb/script.sh create mode 100644 istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt create mode 100644 istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt create mode 100644 istio-1.18.2/samples/bookinfo/src/ratings/package.json create mode 100644 istio-1.18.2/samples/bookinfo/swagger.yaml create mode 100644 istio-1.18.2/samples/certs/README.md create mode 100644 istio-1.18.2/samples/certs/ca-cert-alt.pem create mode 100644 istio-1.18.2/samples/certs/ca-cert.pem create mode 100644 
istio-1.18.2/samples/certs/ca-key-alt.pem create mode 100644 istio-1.18.2/samples/certs/ca-key.pem create mode 100644 istio-1.18.2/samples/certs/cert-chain-alt.pem create mode 100644 istio-1.18.2/samples/certs/cert-chain.pem create mode 100755 istio-1.18.2/samples/certs/generate-workload.sh create mode 100644 istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem create mode 100644 istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem create mode 100644 istio-1.18.2/samples/certs/root-cert-alt.pem create mode 100644 istio-1.18.2/samples/certs/root-cert.pem create mode 100644 istio-1.18.2/samples/certs/workload-bar-cert.pem create mode 100644 istio-1.18.2/samples/certs/workload-bar-key.pem create mode 100644 istio-1.18.2/samples/certs/workload-bar-root-certs.pem create mode 100644 istio-1.18.2/samples/certs/workload-foo-cert.pem create mode 100644 istio-1.18.2/samples/certs/workload-foo-key.pem create mode 100644 istio-1.18.2/samples/certs/workload-foo-root-certs.pem create mode 100644 istio-1.18.2/samples/cicd/skaffold/README.md create mode 100644 istio-1.18.2/samples/cicd/skaffold/skaffold.yaml create mode 100644 istio-1.18.2/samples/custom-bootstrap/README.md create mode 100644 istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml create mode 100644 istio-1.18.2/samples/custom-bootstrap/example-app.yaml create mode 100644 istio-1.18.2/samples/extauthz/README.md create mode 100644 istio-1.18.2/samples/extauthz/ext-authz.yaml create mode 100644 istio-1.18.2/samples/extauthz/local-ext-authz.yaml create mode 100644 istio-1.18.2/samples/external/README.md create mode 100644 istio-1.18.2/samples/external/aptget.yaml create mode 100644 istio-1.18.2/samples/external/github.yaml create mode 100644 istio-1.18.2/samples/external/pypi.yaml create mode 100644 istio-1.18.2/samples/grpc-echo/README.md create mode 100644 istio-1.18.2/samples/grpc-echo/grpc-echo.yaml create mode 100644 istio-1.18.2/samples/health-check/liveness-command.yaml create mode 100644 
istio-1.18.2/samples/health-check/liveness-http-same-port.yaml create mode 100644 istio-1.18.2/samples/helloworld/README.md create mode 100644 istio-1.18.2/samples/helloworld/gateway-api/README.md create mode 100644 istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml create mode 100644 istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml create mode 100644 istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml create mode 100755 istio-1.18.2/samples/helloworld/gen-helloworld.sh create mode 100644 istio-1.18.2/samples/helloworld/helloworld-gateway.yaml create mode 100644 istio-1.18.2/samples/helloworld/helloworld.yaml create mode 100755 istio-1.18.2/samples/helloworld/loadgen.sh create mode 100755 istio-1.18.2/samples/helloworld/src/build_service.sh create mode 100644 istio-1.18.2/samples/helloworld/src/requirements.txt create mode 100644 istio-1.18.2/samples/httpbin/README.md create mode 100644 istio-1.18.2/samples/httpbin/gateway-api/httpbin-gateway.yaml create mode 100644 istio-1.18.2/samples/httpbin/httpbin-gateway.yaml create mode 100644 istio-1.18.2/samples/httpbin/httpbin-nodeport.yaml create mode 100644 istio-1.18.2/samples/httpbin/httpbin-vault.yaml create mode 100644 istio-1.18.2/samples/httpbin/httpbin.yaml create mode 100644 istio-1.18.2/samples/httpbin/sample-client/fortio-deploy.yaml create mode 100644 istio-1.18.2/samples/jwt-server/jwt-server.yaml create mode 100644 istio-1.18.2/samples/jwt-server/src/Makefile create mode 100644 istio-1.18.2/samples/kind-lb/README.md create mode 100755 istio-1.18.2/samples/kind-lb/setupkind.sh create mode 100644 istio-1.18.2/samples/multicluster/README.md create mode 100644 istio-1.18.2/samples/multicluster/expose-istiod-https.yaml create mode 100644 istio-1.18.2/samples/multicluster/expose-istiod.yaml create mode 100644 istio-1.18.2/samples/multicluster/expose-services.yaml create mode 100755 istio-1.18.2/samples/multicluster/gen-eastwest-gateway.sh create mode 100644 
istio-1.18.2/samples/open-telemetry/als/README.md create mode 100644 istio-1.18.2/samples/open-telemetry/loki/REAME.md create mode 100644 istio-1.18.2/samples/open-telemetry/loki/iop.yaml create mode 100644 istio-1.18.2/samples/open-telemetry/loki/otel.yaml create mode 100644 istio-1.18.2/samples/open-telemetry/loki/telemetry.yaml create mode 100644 istio-1.18.2/samples/open-telemetry/otel.yaml create mode 100644 istio-1.18.2/samples/open-telemetry/tracing/README.md create mode 100644 istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml create mode 100644 istio-1.18.2/samples/operator/cni-on.yaml create mode 100644 istio-1.18.2/samples/operator/default-install.yaml create mode 100644 istio-1.18.2/samples/operator/pilot-advanced-override.yaml create mode 100644 istio-1.18.2/samples/operator/pilot-k8s.yaml create mode 100644 istio-1.18.2/samples/operator/values-global.yaml create mode 100644 istio-1.18.2/samples/operator/values-pilot.yaml create mode 100644 istio-1.18.2/samples/ratelimit/rate-limit-service.yaml create mode 100644 istio-1.18.2/samples/security/psp/sidecar-psp.yaml create mode 100644 istio-1.18.2/samples/security/spire/README.md create mode 100644 istio-1.18.2/samples/security/spire/clusterspiffeid.yaml create mode 100644 istio-1.18.2/samples/security/spire/istio-spire-config.yaml create mode 100644 istio-1.18.2/samples/security/spire/sleep-spire.yaml create mode 100644 istio-1.18.2/samples/security/spire/spire-quickstart.yaml create mode 100644 istio-1.18.2/samples/sleep/README.md create mode 100644 istio-1.18.2/samples/sleep/notsleep.yaml create mode 100644 istio-1.18.2/samples/sleep/sleep-vault.yaml create mode 100644 istio-1.18.2/samples/sleep/sleep.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/README.md create mode 100644 istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml 
create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml create mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo.yaml create mode 100644 istio-1.18.2/samples/wasm_modules/README.md create mode 100644 istio-1.18.2/samples/wasm_modules/header_injector/Makefile create mode 100644 istio-1.18.2/samples/websockets/README.md create mode 100644 istio-1.18.2/samples/websockets/app.yaml create mode 100644 istio-1.18.2/samples/websockets/route.yaml create mode 100644 istio-1.18.2/tools/_istioctl create mode 100644 istio-1.18.2/tools/certs/Makefile.k8s.mk create mode 100644 istio-1.18.2/tools/certs/Makefile.selfsigned.mk create mode 100644 istio-1.18.2/tools/certs/README.md create mode 100644 istio-1.18.2/tools/certs/common.mk create mode 100644 istio-1.18.2/tools/istioctl.bash diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 908f9ea1f..8c0036400 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -56,7 +56,7 @@ jobs: with: go-version: '1.20' - name: golangci-lint - uses: golangci/golangci-lint-action@v3.1.0 + uses: golangci/golangci-lint-action@v3.7.0 with: args: --timeout=10m --tests="false" version: v1.47.0 diff --git a/demo/install-demo.sh b/demo/install-demo.sh index fc04c1d35..0d5abf580 100755 --- a/demo/install-demo.sh +++ b/demo/install-demo.sh @@ -21,7 +21,7 @@ DEMO=$1 SCRIPTS_DIR=$BASEDIR/test/e2e/scripts if [ -z "$AERAKI_TAG" ]; then - export AERAKI_TAG="1.4.0" + export AERAKI_TAG="1.4.1" fi bash ${SCRIPTS_DIR}/istio.sh bash ${SCRIPTS_DIR}/addons.sh diff --git a/go.mod b/go.mod index 8fcf5189a..c5068744d 100644 --- a/go.mod +++ b/go.mod 
@@ -27,6 +27,7 @@ require (
 github.com/aeraki-mesh/api v1.4.1
 github.com/aeraki-mesh/client-go v1.4.1
 github.com/aeraki-mesh/meta-protocol-control-plane-api v1.4.1
+ github.com/apache/thrift v0.18.1
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4
 github.com/envoyproxy/go-control-plane v0.11.2-0.20230811160418-a0dbac19f027
 github.com/gogo/protobuf v1.3.2
@@ -44,6 +45,7 @@ require (
 google.golang.org/protobuf v1.31.0
 istio.io/api v1.19.0-alpha.1.0.20230810203008-3cdd517bf131
 istio.io/client-go v1.19.0-alpha.1.0.20230810203904-45e85278e0fc
+ istio.io/gogo-genproto v0.0.0-20230705213215-8f59b5a7ddde
 istio.io/istio v0.0.0-20230817160302-031c6b290e0b
 istio.io/pkg v0.0.0-20230524020242-1015535057be
 k8s.io/api v0.28.0
diff --git a/istio-1.18.2/LICENSE b/istio-1.18.2/LICENSE
new file mode 100644
index 000000000..bb7b19dec
--- /dev/null
+++ b/istio-1.18.2/LICENSE
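Review bot: Both go.mod hunks add a direct requirement (`github.com/apache/thrift v0.18.1` in the first, `istio.io/gogo-genproto v0.0.0-20230705213215-8f59b5a7ddde` in the second), but this patch carries no go.sum change: the file section that follows go.mod is istio-1.18.2/LICENSE. If the `h1:` and `/go.mod` checksum lines for these two modules are not already in go.sum from an earlier patch in the series, builds under the default `-mod=readonly` will stop on a missing go.sum entry, and the new modules would enter the build without a recorded hash to verify against. I would run `go mod tidy && go mod verify` and commit the resulting go.sum together with these two lines. No Go source file is touched in this patch, so it is also worth confirming that both modules are imported directly and belong in the direct `require` block rather than under `// indirect`.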
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2016-2022 Istio Authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/istio-1.18.2/README.md b/istio-1.18.2/README.md
new file mode 100644
index 000000000..8955af708
--- /dev/null
+++ b/istio-1.18.2/README.md
@@ -0,0 +1,117 @@ +# Istio + +[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1395/badge)](https://bestpractices.coreinfrastructure.org/projects/1395) +[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) +[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio) + + + Istio logo + + +--- + +Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. + +- For in-depth information about how to use Istio, visit [istio.io](https://istio.io) +- To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io) +- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) + +In this README: + +- [Introduction](#introduction) +- [Repositories](#repositories) +- [Issue management](#issue-management) + +In addition, here are some other documents you may wish to read: + +- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project +- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment +- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base +- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base + +You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki). 
+ +## Introduction + +[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate +microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies +and aggregate telemetry data. Istio's control plane provides an abstraction +layer over the underlying cluster management platform, such as Kubernetes. + +Istio is composed of these components: + +- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic + between services in the cluster and from a service to external + services. The proxies form a _secure microservice mesh_ providing a rich + set of functions like discovery, rich layer-7 routing, circuit breakers, + policy enforcement and telemetry recording/reporting + functions. + + > Note: The service mesh is not an overlay network. It + > simplifies and enhances how microservices in an application talk to each + > other over the network provided by the underlying platform. + +- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components: + + - **Pilot** - Responsible for configuring the proxies at runtime. + + - **Citadel** - Responsible for certificate issuance and rotation. + + - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio. + +- **Operator** - The component provides user friendly options to operate the Istio service mesh. + +## Repositories + +The Istio project is divided across a few GitHub repositories: + +- [istio/api](https://github.com/istio/api). This repository defines +component-level APIs and common configuration formats for the Istio platform. + +- [istio/community](https://github.com/istio/community). 
This repository contains +information on the Istio community, including the various documents that govern +the Istio open source project. + +- [istio/istio](README.md). This is the main code repository. It hosts Istio's +core components, install artifacts, and sample programs. It includes: + + - [istioctl](istioctl/). This directory contains code for the +[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility. + + - [operator](operator/). This directory contains code for the +[Istio Operator](https://istio.io/latest/docs/setup/install/operator/). + + - [pilot](pilot/). This directory +contains platform-specific code to populate the +[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies +when the application topology changes, as well as translate +[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration. + + - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code, +including Citadel (acting as Certificate Authority), citadel agent, etc. + +- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains +extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of +Envoy filters) that support authentication, authorization, and telemetry collection. + +## Issue management + +We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: + +- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things. +Each issue is ultimately part of an epic. + +- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we +think the issue should get addressed. + +- **Priority**. 
Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of +P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the +milestone cannot be considered achieved if the issue isn't resolved. + +--- + +
+ Cloud Native Computing Foundation logo +

Istio is a Cloud Native Computing Foundation project.

+
diff --git a/istio-1.18.2/manifest.yaml b/istio-1.18.2/manifest.yaml
new file mode 100644
index 000000000..d8a508160
--- /dev/null
+++ b/istio-1.18.2/manifest.yaml
@@ -0,0 +1,33 @@
+architectures:
+- linux/amd64
+- linux/arm64
+dashboards:
+ istio-extension-dashboard: 13277
+ istio-mesh-dashboard: 7639
+ istio-performance-dashboard: 11829
+ istio-service-dashboard: 7636
+ istio-workload-dashboard: 7630
+ pilot-dashboard: 7645
+dependencies:
+ api:
+ sha: 06047cce866f317d90b6ee58386aba7faa63ed9e
+ client-go:
+ sha: 2683ac554dc2cf65a0a78dfbe8335e593a207f42
+ istio:
+ sha: 0183f2886bc078e8df4d6bbd21fa452a3a23481d
+ pkg:
+ sha: 1015535057be24595b88a2b39555716bb0d82bf6
+ proxy:
+ sha: 3c27a1b0cf381ca854ccc3a2034e88c206928da2
+ release-builder:
+ sha: bcf4277ff6c526761200652122bb4ea2d21f5747
+ test-infra:
+ sha: 776c397ca9590b77c00b19d58f888805f3cb986f
+ tools:
+ sha: 60988e44238a79538c9d667a56b15895296f95a3
+ ztunnel:
+ sha: 556e299c60ecba1fc2697810010a6a76c3ae6535
+docker: docker.io/istio
+dockerOutput: tar
+skipGenerateBillOfMaterials: false
+version: 1.18.2
diff --git a/istio-1.18.2/manifests/charts/README.md b/istio-1.18.2/manifests/charts/README.md
new file mode 100644
index 000000000..6575a50c7
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/README.md
@@ -0,0 +1,136 @@
+# Istio Installer
+
+Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md)
+
+Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a
+fork of the Istio helm templates, refactored to increase modularity and isolation.
+
+Goals:
+- Improve upgrade experience: users should be able to gradually roll upgrades, with proper
+canary deployments for Istio components. It should be possible to deploy a new version while keeping the
+stable version in place and gradually migrate apps to the new version.
+
+- More flexibility: the new installer allows multiple 'environments', allowing applications to select
+a set of control plane settings and components. While the entire mesh respects the same APIs and config,
+apps may target different 'environments' which contain different instances and variants of Istio.
+
+- Better security: separate Istio components reside in different namespaces, allowing different teams or
+roles to manage different parts of Istio. For example, a security team would maintain the
+root CA and policy, a telemetry team may only have access to Prometheus,
+and a different team may maintain the control plane components (which are highly security sensitive).
+
+The install is organized in 'environments' - each environment consists of a set of components
+in different namespaces that are configured to work together. Regardless of 'environment',
+workloads can talk with each other and obey the Istio configuration resources, but each environment
+can use different Istio versions and different configuration defaults.
+
+`istioctl kube-inject` or the automatic sidecar injector are used to select the environment.
+In the case of the sidecar injector, the namespace label `istio-env: ` is used instead
+of the conventional `istio-injected: true`. The name of the environment is defined as the namespace
+where the corresponding control plane components (config, discovery, auto-injection) are running.
+In the examples below, by default this is the `istio-control` namespace. Pod annotations can also
+be used to select a different 'environment'.
+
+## Installing
+
+The new installer is intended to be modular and very explicit about what is installed. It has
+far more steps than the Istio installer - but each step is smaller and focused on a specific
+feature, and can be performed by different people/teams at different times.
+
+It is strongly recommended that different namespaces are used, with different service accounts.
+In particular access to the security-critical production components (root CA, policy, control)
+should be locked down and restricted. The new installer allows multiple instances of
+policy/control/telemetry - so testing/staging of new settings and versions can be performed
+by a different role than the prod version.
+
+The intended users of this repo are users running Istio in production who want to select, tune
+and understand each binary that gets deployed, and select which combination to use.
+
+Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in
+`istio-system`. The new components will not interfere with existing apps, but can interoperate
+and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and
+across environments ( for example canary -> prod )
+
+Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions
+will need to move to the security component.
+
+## Everything is Optional
+
+Each component in the new installer is optional. Users can install the component defined in the new installer,
+use the equivalent component in `istio-system`, configured with the official installer, or use a different
+version or implementation.
+
+For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom
+certificate provisioning tool, or use components that are centrally managed and running in a different cluster.
+
+This is a work in progress - building on top of the multi-cluster installer.
+
+As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component
+in that cluster. Currently the minimum we require is the security provider (node agent or citadel).
+
+### Install Istio CRDs
+
+This is the first step of the install. Please do not remove or edit any CRD - config currently requires
+all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure
+you get all CRDs. CRDs are separated by release and by component type in the CRD directory.
+
+Istio has strong integration with certmanager. Some operators may want to keep their current certmanager
+CRDs in place and not have Istio modify them. In this case, it is necessary to apply CRD files individually.
+
+```bash
+kubectl apply -k github.com/istio/installer/base
+```
+
+or
+
+```bash
+kubectl apply -f base/files
+```
+
+### Install Istio-CNI
+
+This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely
+security sensitive. Access to the CNI namespace must be highly restricted.
+
+**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster
+is a GKE cluster.
+
+```bash
+ISTIO_CNI_ARGS=
+# TODO: What k8s data can we use for this check for whether GKE?
+if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then
+ ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin"
+fi
+iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS}
+```
+
+TODO. It is possible to add Istio-CNI later, and gradually migrate.
+
+### Install Control plane
+
+This can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server,
+and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster.
+
+```bash
+iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \
+ --set global.istioNamespace=istio-system
+
+# Second istio-discovery, using master version of istio
+TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \
+ --set policy.enable=false \
+ --set global.istioNamespace=istio-master
+```
+
+### Gateways
+
+A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates.
+
+Since the domain certificates are stored in the gateway namespace, it is recommended to keep each
+gateway in a dedicated namespace and restrict access.
+
+For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace.
+
+### Additional test templates
+
+A number of helm test setups are general-purpose and should be installable in any cluster, to confirm
+Istio works properly and allow testing the specific install.
diff --git a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md b/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md
new file mode 100644
index 000000000..88a89291e
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md
@@ -0,0 +1,67 @@
+# Updating charts and values.yaml
+
+## Acceptable Pull Requests
+
+Helm charts `values.yaml` represent a complex user facing API that tends to grow uncontrollably over time
+due to design choices in Helm.
+The underlying Kubernetes resources we configure have 1000s of fields; given enough users and bespoke use cases,
+eventually someone will want to customize every one of those fields.
+If all fields are exposed in `values.yaml`, we end up with an massive API that is also likely worse than just using the Kubernetes API directly.
+
+To avoid this, the project attempts to minimize additions to the `values.yaml` API where possible.
+
+If the change is a dynamic runtime configuration, it probably belongs in the [MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto).
+This allows configuration without re-installing or restarting deployments.
+
+If the change is to a Kubernetes field (such as modifying a Deployment attribute), it will likely need to be install-time configuration.
+However, that doesn't necessarily mean a PR to add a value will be accepted.
+The `values.yaml` API is intended to maintain a *minimal core set of configuration* that most users will use.
+For bespoke use cases, [Helm Chart Customization](https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/#advanced-helm-chart-customization) can be used
+to allow arbitrary customizations.
+
+If the change truly is generally purpose, it is generally preferred to have broader APIs. For example, instead of providing
+direct access to each of the complex fields in [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/), just providing
+a single `affinity` field that is passed through as-is to the Kubernetes resource.
+This provides maximum flexibility with minimal API surface overhead.
+
+## Making changes
+
+## Step 1. Make changes in charts and values.yaml in `manifests` directory
+
+Be sure to provide sufficient documentation and example usage in values.yaml.
+If the chart has a `values.schema.json`, that should be updated as well.
+
+## Step 2. Update the istioctl/Operator values
+
+If you are modifying the `gateway` chart, you can stop here.
+All other charts, however, are exposed by `istioctl` and need to follow the steps below.
+
+The charts in the `manifests` directory are used in istioctl to generate an installation manifest.
+
+If `values.yaml` is changed, be sure to update corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml)
+
+## Step 3. Update istioctl schema
+
+Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to
+the schema must be added here, otherwise istioctl users will see errors.
+Once the schema file is updated, run:
+
+```bash
+$ make operator-proto
+```
+
+This will regenerate the Go structs used for schema validation.
+
+## Step 4. Update the generated manifests
+
+Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts.
+These manifests can be found in [gen-istio.yaml](../charts/istio-control/istio-discovery/files/gen-istio.yaml).
+To regenerate the manifests, run:
+
+```bash
+$ make copy-templates update-golden
+```
+
+## Step 5. Create a PR using outputs from Steps 1 to 4
+
+Your PR should pass all the checks if you followed these steps.
diff --git a/istio-1.18.2/manifests/charts/base/Chart.yaml b/istio-1.18.2/manifests/charts/base/Chart.yaml
new file mode 100644
index 000000000..8e2b4c5bf
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+name: base
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.18.2
+appVersion: 1.18.2
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio cluster resources and CRDs
+keywords:
+ - istio
+sources:
+ - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/base/README.md b/istio-1.18.2/manifests/charts/base/README.md
new file mode 100644
index 000000000..68bf667ac
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/README.md
@@ -0,0 +1,21 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml
new file mode 100644
index 000000000..7c2948565
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml
@@ -0,0 +1,7199 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + imagePullPolicy: + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: Criteria for selecting traffic by their direction. + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. 
+ items: + properties: + number: + type: integer + type: object + type: array + type: object + type: array + phase: + description: Determines where in the filter chain this `WasmPlugin` + is to be injected. + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + nullable: true + type: integer + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + type: string + url: + description: URL of a Wasm module or OCI container. + type: string + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + type: string + value: + description: Value for the environment variable. 
+ type: string + valueFrom: + enum: + - INLINE + - HOST + type: string + type: object + type: array + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. 
+ type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. 
+ type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. 
+ type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + 
properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. 
+ type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. 
+ type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. 
+ type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. 
+ properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. 
+ properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. 
+ format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service resolution mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service resolution mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' 
+ items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. 
+ properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. 
+ type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. 
+ properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. 
+ type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. 
+ properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. 
+ type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. 
+ items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. 
+ items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. 
+ items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. 
+ items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. 
+ enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + reportingInterval: + description: Optional. + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. 
+ properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml new file mode 100644 index 000000000..2a80f4186 --- /dev/null +++ b/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml 
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
diff --git a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt b/istio-1.18.2/manifests/charts/base/templates/NOTES.txt
new file mode 100644
index 000000000..006450167
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml
new file mode 100644
index 000000000..e0cbea8fe
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml 
@@ -0,0 +1,181 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gatewayclasses"]
+ verbs: ["create", "update", "patch", "delete"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", "delete"]
+
+ # Used for MCS serviceimport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+{{- if or .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
+---
diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..d61729b29
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml
@@ -0,0 +1,37 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+---
diff --git a/istio-1.18.2/manifests/charts/base/templates/crds.yaml b/istio-1.18.2/manifests/charts/base/templates/crds.yaml
new file mode 100644
index 000000000..871ee2a6b
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/crds.yaml
@@ -0,0 +1,4 @@
+{{- if .Values.base.enableCRDTemplates }}
+{{ .Files.Get "crds/crd-all.gen.yaml" }}
+{{ .Files.Get "crds/crd-operator.yaml" }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/default.yaml b/istio-1.18.2/manifests/charts/base/templates/default.yaml
new file mode 100644
index 000000000..f7950de2b
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/default.yaml
@@ -0,0 +1,48 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istiod-default-validator
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.defaultRevision }}
+webhooks:
+ - name: validation.istio.io
+ clientConfig:
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ {{- if (eq .Values.defaultRevision "default") }}
+ name: istiod
+ {{- else }}
+ name: istiod-{{ .Values.defaultRevision }}
+ {{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ {{- if .Values.base.validateGateway }}
+ - gateway.networking.k8s.io
+ {{- end }}
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml
new file mode 100644
index 000000000..2675b47a1
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml
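Review bot: `failurePolicy: Ignore` on the `validation.istio.io` webhook in default.yaml means CREATE/UPDATE of `security.istio.io`, `networking.istio.io`, `telemetry.istio.io` and `extensions.istio.io` objects is admitted unvalidated whenever the webhook cannot be reached, and nothing in this template guarantees the later switch to `Fail` that the comment describes. The comment should say how to confirm it, for example `# Verify after install that the live object shows failurePolicy: Fail and a caBundle; while it is Ignore, invalid policy is accepted.` The line `url: {{ .Values.base.validationURL }}` is also rendered unquoted, so `url: {{ .Values.base.validationURL | quote }}` would be the safer form.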
@@ -0,0 +1,23 @@
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+# if the remotePilotAddress is an IP addr
+apiVersion: v1
+kind: Endpoints
+metadata:
+ {{- if .Values.pilot.enabled }}
+ name: istiod-remote
+ {{- else }}
+ name: istiod
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 15017
+ name: tcp-webhook
+ protocol: TCP
+---
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 000000000..d9ce18c27
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/role.yaml b/istio-1.18.2/manifests/charts/base/templates/role.yaml
new file mode 100644
index 000000000..ca1a4243f
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/role.yaml
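Review bot: The guard `regexMatch "^([0-9]*\\.){3}[0-9]*$"` at the top of endpoints.yaml accepts strings with empty or oversized octets (`...`, `1.2.3.`, `999.1.1.1`) because every group is `[0-9]*`, and the value is then written unquoted into `- ip:`. A stricter pattern such as `^([0-9]{1,3}\\.){3}[0-9]{1,3}$` keeps malformed input out of the Endpoints object. The same expression is repeated in the services.yaml hunk, where it decides whether the Service becomes an ExternalName, so both should change together.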
@@ -0,0 +1,25 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml
new file mode 100644
index 000000000..2b591fb89
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ec25fd250
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml
@@ -0,0 +1,19 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/services.yaml b/istio-1.18.2/manifests/charts/base/templates/services.yaml
new file mode 100644
index 000000000..2bc55e669
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/templates/services.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Service
+metadata:
+ {{- if .Values.pilot.enabled }}
+ # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
+ name: istiod-remote
+ {{- else }}
+ # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
+ name: istiod
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 443
+ targetPort: 15017
+ name: tcp-webhook
+ protocol: TCP
+ {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
+ # if the remotePilotAddress is not an IP addr, we use ExternalName
+ type: ExternalName
+ externalName: {{ .Values.global.remotePilotAddress }}
+ {{- end }}
+---
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/values.yaml b/istio-1.18.2/manifests/charts/base/values.yaml
new file mode 100644
index 000000000..96a74562e
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/base/values.yaml
@@ -0,0 +1,29 @@
+global:
+
+ # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ istiod:
+ enableAnalysis: false
+
+ configValidation: true
+ externalIstiod: false
+ remotePilotAddress: ""
+
+base:
+ # Used for helm2 to add the CRDs to templates.
+ enableCRDTemplates: false
+
+ # Validation webhook configuration url
+ # For example: https://$remotePilotAddress:15017/validate
+ validationURL: ""
+
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
+
+defaultRevision: "default"
diff --git a/istio-1.18.2/manifests/charts/default/Chart.yaml b/istio-1.18.2/manifests/charts/default/Chart.yaml
new file mode 100644
index 000000000..90ddf7568
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/default/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-default
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.0.0
+appVersion: 1.0.0
+description: Helm chart for istio default revision components.
+keywords:
+ - istio
+sources:
+ - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..5fa635ebd
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml
@@ -0,0 +1,125 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+ "revision" .Values.revision
+ "injectionURL" .Values.istiodRemote.injectionURL
+ "namespace" .Release.Namespace }}
+{{- define "core" }}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .injectionURL }}
+ url: {{ .injectionURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+ namespace: {{ .namespace }}
+ path: "/inject"
+ {{- end }}
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-revision-tag-default
+ labels:
+ istio.io/tag: "default"
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ .Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "default"
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "default"
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml
new file mode 100644
index 000000000..8ffa277e7
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml
@@ -0,0 +1,47 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istiod-default-validator
+ labels:
+ app: istiod
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ istio.io/tag: "default"
+ # Required to make sure this resource is removed
+ # when purging Istio resources
+ operator.istio.io/component: Pilot
+webhooks:
+ - name: validation.istio.io
+ clientConfig:
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ {{- if .Values.base.validateGateway }}
+ - gateway.networking.k8s.io
+ {{- end }}
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+---
diff --git a/istio-1.18.2/manifests/charts/default/values.yaml b/istio-1.18.2/manifests/charts/default/values.yaml
new file mode 100644
index 000000000..f0b1c35d3
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/default/values.yaml
@@ -0,0 +1,27 @@
+global:
+ # Used to locate istiod.
+ istioNamespace: "istio-system"
+
+base:
+ # Validation webhook configuration url
+ # For example: https://$remotePilotAddress:15017/validate
+ validationURL: ""
+ # If enabled, gateway-api types will be validated using the standard upstream validation logic.
+ # This is an alternative to deploying the standalone validation server the project provides.
+ # This is disabled by default, as the cluster may already have a validation server; while technically
+ # it works to have multiple redundant validations, this adds complexity and operational risks.
+ # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
+ validateGateway: false
+
+istiodRemote:
+ # Sidecar injector mutating webhook configuration url
+ # For example: https://$remotePilotAddress:15017/inject
+ injectionURL: ""
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+sidecarInjectorWebhook:
+ # This enables injection of sidecar in all namespaces,
+ enableNamespacesByDefault: false
+
diff --git a/istio-1.18.2/manifests/charts/gateway/Chart.yaml b/istio-1.18.2/manifests/charts/gateway/Chart.yaml
new file mode 100644
index 000000000..e16d97e68
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+name: gateway
+description: Helm chart for deploying Istio gateways
+type: application
+
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.18.2
+appVersion: 1.18.2
+
+sources:
+- https://github.com/istio/istio
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/gateway/README.md b/istio-1.18.2/manifests/charts/gateway/README.md
new file mode 100644
index 000000000..0e58c00f2
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/README.md
@@ -0,0 +1,148 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+ # Egress gateways do not need an external LoadBalancer IP
+ type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+ app: "" # Unset default app selector label
+ istio: ingressgateway # override default istio selector label
+ foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+ kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+ kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+ kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt b/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt
new file mode 100644
index 000000000..78451d33e
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
+
+Next steps:
+ * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+ * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 000000000..a777d43bc
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,61 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+ {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+ {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+helm.sh/chart: {{ include "gateway.chart" . }}
+{{ include "gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "gateway.name" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.podLabels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+{{- if hasKey .Values.labels "app" }}
+{{- with .Values.labels.app }}app: {{.|quote}}
+{{- end}}
+{{- else }}app: {{ include "gateway.name" . }}
+{{- end }}
+{{- if hasKey .Values.labels "istio" }}
+{{- with .Values.labels.istio }}
+istio: {{.|quote}}
+{{- end}}
+{{- else }}
+istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml
new file mode 100644
index 000000000..da0fa270b
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ sidecar.istio.io/inject: "true"
+ {{- with .Values.revision }}
+ istio.io/rev: {{ . }}
+ {{- end }}
+ {{- include "gateway.podLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+ securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ {{- end }}
+ containers:
+ - name: istio-proxy
+ # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+ image: auto
+ {{- with .Values.imagePullPolicy }}
+ imagePullPolicy: {{ . }}
+ {{- end }}
+ securityContext:
+ {{- if .Values.containerSecurityContext }}
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ {{- else }}
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ runAsUser: 0
+ runAsGroup: 1337
+ runAsNonRoot: false
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: true
+ {{- end }}
+ env:
+ {{- with .Values.networkGateway }}
+ - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+ value: "{{.}}"
+ {{- end }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml b/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml
new file mode 100644
index 000000000..e287406c4
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,31 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: {{ .Values.kind | default "Deployment" }}
+ name: {{ include "gateway.name" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ type: Utilization
+ {{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..77f71e7fa
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+spec:
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ {{- with .Values.podDisruptionBudget }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml b/istio-1.18.2/manifests/charts/gateway/templates/role.yaml
new file mode 100644
index 000000000..c8a25cb72
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/role.yaml
@@ -0,0 +1,33 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml b/istio-1.18.2/manifests/charts/gateway/templates/service.yaml
new file mode 100644
index 000000000..b96a52b90
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/service.yaml
@@ -0,0 +1,50 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.networkGateway }}
+ topology.istio.io/network: "{{.}}"
+ {{- end }}
+ annotations:
+ {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+ externalTrafficPolicy: "{{ . }}"
+{{- end }}
+ type: {{ .Values.service.type }}
+ ports:
+{{- if .Values.networkGateway }}
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ - name: tls-istiod
+ port: 15012
+ targetPort: 15012
+ - name: tls-webhook
+ port: 15017
+ targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+ externalIPs: {{- range .Values.service.externalIPs }}
+ - {{.}}
+ {{- end }}
+{{- end }}
+ selector:
+ {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 000000000..e5b2304d6
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/values.schema.json b/istio-1.18.2/manifests/charts/gateway/values.schema.json
new file mode 100644
index 000000000..d0878a2cc
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateway/values.schema.json
@@ -0,0 +1,219 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": ["object", "null"] + }, + "containerSecurityContext": { + "type": ["object", "null"] + }, + "kind":{ + "type": "string", + "enum": ["Deployment", "DaemonSet"] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "revision": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": ["string", "boolean"], + "enum": [true, false, "auto"] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + 
"type": "array" + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": ["", "Always", "IfNotPresent", "Never"] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": ["integer", "string"] + }, + "maxUnavailable": { + "type": ["integer", "string"] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": ["", "IfHealthyBudget", "AlwaysAllow"] + } + } + } + } +} diff --git a/istio-1.18.2/manifests/charts/gateway/values.yaml b/istio-1.18.2/manifests/charts/gateway/values.yaml new file mode 100644 index 000000000..81e757e9d --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateway/values.yaml 
@@ -0,0 +1,127 @@ +# Name allows overriding the release name. Generally this should not be set +name: "" +# revision declares which revision this gateway is a part of +revision: "" + +replicaCount: 1 + +kind: Deployment + +rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + +serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + +podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + +# Define the security context for the pod. +# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. +# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. +securityContext: ~ +containerSecurityContext: ~ + +service: + # Type of service. 
Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +# Pod environment variables +env: {} + +# Labels to apply to all resources +labels: {} + +# Annotations to apply to all resources +annotations: {} + +nodeSelector: {} + +tolerations: [] + +topologySpreadConstraints: [] + +affinity: {} + +# If specified, the gateway will act as a network gateway for the given network. +networkGateway: "" + +# Specify image pull policy if default behavior isn't desired. +# Default behavior: latest images will be Always else IfNotPresent +imagePullPolicy: "" + +imagePullSecrets: [] + +# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. +# +# By default, the `podDisruptionBudget` is disabled (set to `{}`), +# which means that no PodDisruptionBudget resource will be created. +# +# To enable the PodDisruptionBudget, configure it by specifying the +# `minAvailable` or `maxUnavailable`. For example, to set the +# minimum number of available replicas to 1, you can update this value as follows: +# +# podDisruptionBudget: +# minAvailable: 1 +# +# Or, to allow a maximum of 1 unavailable replica, you can set: +# +# podDisruptionBudget: +# maxUnavailable: 1 +# +# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. 
+# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: +# +# podDisruptionBudget: +# minAvailable: 1 +# unhealthyPodEvictionPolicy: AlwaysAllow +# +# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: +# +# podDisruptionBudget: {} +# +podDisruptionBudget: {} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml new file mode 100644 index 000000000..b42ee2215 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +name: istio-egress +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.18.2 +appVersion: 1.18.2 +description: Helm chart for deploying Istio gateways +keywords: + - istio + - egressgateway + - gateways +sources: + - https://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt new file mode 100644 index 000000000..9baacc0ea --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt 
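Review bot: In the gateway chart's values.yaml the default `service.type: LoadBalancer` sits next to `loadBalancerSourceRanges: []`, and the values file does not say what the empty list means. The chart's service template emits `loadBalancerSourceRanges` only when the list is non-empty, so a default install publishes ports 15021, 80 and 443 with no source restriction at the Service level. I would add a comment above the key, for example `# Empty list = no source CIDR restriction on the load balancer; set CIDRs to limit client networks`. Enforcement of this field depends on the cloud provider's load balancer implementation, which the comment should mention as well.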
@@ -0,0 +1,45 @@ + +Changes: +- separate namespace allows: +-- easier reconfig of just the gateway +-- TLS secrets and domain name management is isolated, for better security +-- simplified configuration +-- multiple versions of the ingress can be used, to minize upgrade risks + +- the new chart uses the default namespace service account, and doesn't require +additional RBAC permissions. + +- simplified label structure. Label change is not supported on upgrade. + +- for 'internal load balancer' you should deploy a separate gateway, in a different +namespace. + +All ingress gateway have a "app:ingressgateway" label, used to identify it as an +ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection. + +The Gateways use "istio: ingressgateway$SUFFIX" selectors. + + +# Multiple gateway versions + + + +# Using different pilot versions + + + +# Migration from istio-system + +Istio 1.0 includes the gateways in istio-system. Since the external IP is associated +with the Service and bound to the namespace, it is recommended to: + +1. Install the new gateway in a new namespace. +2. Copy any TLS certificate to the new namespace, and configure the domains. +3. Checking the new gateway work - for example by overriding the IP in /etc/hosts +4. Modify the DNS server to add the A record of the new namespace +5. Check traffic +6. Delete the A record corresponding to the gateway in istio-system +7. Upgrade istio-system, disabling the ingressgateway +8. Delete the domain TLS certs from istio-system. + +If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl new file mode 100644 index 000000000..fc1ec5407 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl 
@@ -0,0 +1,104 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{ define "nodeaffinity" }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- if or .global.arch $nodeSelector }} + nodeSelectorTerms: + - matchExpressions: + {{- if .global.arch }} + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- if $item.namespaces }} + namespaces: + {{- $ns := split "," $item.namespaces }} + {{- range $i, $n := $ns }} + - {{ $n | quote }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml new file mode 100644 index 000000000..aa901685a --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml 
@@ -0,0 +1,60 @@ +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} +{{- if not .Values.global.autoscalingv2API }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- else }} +{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} +apiVersion: autoscaling/v2 +{{- else }} +apiVersion: autoscaling/v2beta2 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- end }} +{{- end }} 
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml new file mode 100644 index 000000000..60dec8b32 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml 
@@ -0,0 +1,348 @@ +{{- $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if eq $gateway.injectionTemplate "" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" + sidecar.istio.io/inject: "false" + annotations: + istio.io/rev: {{ .Values.revision | default "default" }} + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + 
runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ 
.Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name }} + - name: ISTIO_META_OWNER 
+ value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if .Values.meshConfig.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.meshConfig.trustDomain }}" + {{- end }} + {{- if .Values.meshConfig.trustDomain }} + - name: TRUST_DOMAIN + value: "{{ .Values.meshConfig.trustDomain }}" + {{- end }} + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml new file mode 100644 index 000000000..150a5bd1c --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml 
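Review bot: The `enable-core-dump` init container in the istio-egress deployment.yaml runs with `runAsUser: 0` and `privileged: true` whenever `.Values.global.proxy.enableCoreDump` is set, and nothing in the template documents that. It overrides the pod-level `runAsNonRoot: true` that the same template applies when `runAsRoot` is false, and it writes `kernel.core_pattern`, which as far as I know is not namespaced and would therefore change the setting for the whole node. Namespaces that enforce a baseline or restricted pod security policy will presumably reject the pod once the flag is on. I would put a comment above the `initContainers:` block, for example `# enableCoreDump adds a privileged root init container that changes a node sysctl; enable for debugging only`.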
@@ -0,0 +1,146 @@ +{{- $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if ne $gateway.injectionTemplate "" }} +{{/* This provides a minimal gateway, ready to be injected. + Any settings from values.gateways should be here - these are options specific to the gateway. + Global settings, like the image, various env vars and volumes, etc will be injected. + The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-egressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . 
}} + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "true" + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: istio-proxy + image: auto +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + volumeMounts: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + 
{{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..ba3c6d24b --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: + minAvailable: 1 + selector: + matchLabels: +{{ $gateway.labels | toYaml | trim | indent 6 }} +{{- end }} 
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml new file mode 100644 index 000000000..c472fcef2 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml @@ -0,0 +1,16 @@ +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $gateway.name }}-sds + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml new file mode 100644 index 000000000..fd1ffcd70 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml @@ -0,0 +1,19 @@ +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $gateway.name }}-sds + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $gateway.name }}-sds +subjects: +- kind: ServiceAccount + name: {{ $gateway.name }}-service-account +--- 
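Review bot: The `{{ $gateway.name }}-sds` Role in role.yaml grants `get`, `watch` and `list` on all Secrets in the release namespace, and the template has no condition around it, so it is always installed. rolebindings.yaml then binds it to `{{ $gateway.name }}-service-account`, which means the egress gateway pod can read every Secret that shares its namespace, not only its own certificates. Narrowing this with `resourceNames` is awkward for `list` and `watch`, so the practical control is namespace isolation, and the template should say so. I would add a header comment to role.yaml such as `{{/* Grants read on all Secrets in the release namespace; install this gateway in a dedicated namespace. */}}`.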
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml new file mode 100644 index 000000000..2f8ce959e --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml @@ -0,0 +1,47 @@ +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if not $gateway.customService }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := $gateway.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: +{{- if $gateway.loadBalancerIP }} + loadBalancerIP: "{{ $gateway.loadBalancerIP }}" +{{- end }} +{{- if $gateway.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if $gateway.externalTrafficPolicy }} + externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} +{{- end }} + type: {{ $gateway.type }} + selector: +{{ $gateway.labels | toYaml | indent 4 }} + ports: + + {{- range $key, $val := $gateway.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + + {{ range $app := $gateway.egressPorts }} + - + port: {{ $app.port }} + name: {{ $app.name }} + {{- end }} +--- +{{ end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml new file mode 100644 index 000000000..b6a3eb40c --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml 
@@ -0,0 +1,22 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+ {{- with $gateway.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml
new file mode 100644
index 000000000..dd8588efd
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml
@@ -0,0 +1,299 @@ +# Standalone istio egress gateway. +# Should be installed in a separate namespace, to minimize access to config +gateways: + istio-egressgateway: + name: istio-egressgateway + ports: + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + name: https + targetPort: 8443 + protocol: TCP + + labels: + app: istio-egressgateway + istio: egressgateway + + # Scalability tuning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + cpu: + targetAverageUtilization: 80 + + serviceAnnotations: {} + podAnnotations: {} + type: ClusterIP # change to NodePort or LoadBalancer if need be + + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + + configVolumes: [] + additionalContainers: [] + + serviceAccount: + # Annotations to add to the service account + annotations: {} + + ### Advanced options ############ + # TODO: convert to real options, env should not be exposed + env: {} + # Set this to "external" if and only if you want the egress gateway to + # act as a transparent SNI gateway that routes mTLS/TLS traffic to + # external services defined using service entries, where the service + # entry has resolution set to DNS, has one or more endpoints with + # network field set to "external". 
By default its set to "" so that + # the egress gateway sees the same set of endpoints as the sidecars + # preserving backward compatibility + # ISTIO_META_REQUESTED_NETWORK_VIEW: "" + + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + + # The injection template to use for the gateway. If not set, no injection will be performed. + injectionTemplate: "" + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . 
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.18.2 + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. 
+ imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: {} + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. 
+ componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # whether to use autoscaling/v2 template for HPA settings + # for internal usage only, not to be configured by users. 
+ autoscalingv2API: true + +meshConfig: + enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + defaultConfig: + proxyMetadata: {} + tracing: + # tlsSettings: + # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem + # privateKey: # example: /etc/istio/tracer/key.pem + # caCertificates: # example: /etc/istio/tracer/root-cert.pem + # sni: # example: tracer.somedomain + # subjectAltNames: [] + # - tracer.somedomain diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml new file mode 100644 index 000000000..fd1e5f887 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +name: istio-ingress +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.18.2 +appVersion: 1.18.2 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio gateways +keywords: + - istio + - ingressgateway + - gateways +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt new file mode 100644 index 000000000..221ee5605 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt 
@@ -0,0 +1,43 @@ + +Changes: +- separate namespace allows: +-- easier reconfig of just the gateway +-- TLS secrets and domain name management is isolated, for better security +-- simplified configuration +-- multiple versions of the ingress can be used, to minimize upgrade risks + +- the new chart uses the default namespace service account, and doesn't require +additional RBAC permissions. + +- simplified label and chart structure. +- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades +and allows a bit more flexibility. +- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. + +# Port and basic host configuration + +In order to configure the Service object, the install/upgrade needs to provide a list of all ports. +In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured +both in upgrade, Gateway and VirtualService. + +The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, +Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual +config for the rest. + +All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. + +# Migration from istio-system + +Istio 1.0 includes the gateways in istio-system. Since the external IP is associated +with the Service and bound to the namespace, it is recommended to: + +1. Install the new gateway in a new namespace. +2. Copy any TLS certificate to the new namespace, and configure the domains. +3. Checking the new gateway work - for example by overriding the IP in /etc/hosts +4. Modify the DNS server to add the A record of the new namespace +5. Check traffic +6. Delete the A record corresponding to the gateway in istio-system +7. Upgrade istio-system, disabling the ingressgateway +8. 
Delete the domain TLS certs from istio-system. + +If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl new file mode 100644 index 000000000..fc1ec5407 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 
@@ -0,0 +1,104 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{ define "nodeaffinity" }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- if or .global.arch $nodeSelector }} + nodeSelectorTerms: + - matchExpressions: + {{- if .global.arch }} + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- if $item.namespaces }} + namespaces: + {{- $ns := split "," $item.namespaces }} + {{- range $i, $n := $ns }} + - {{ $n | quote }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml new file mode 100644 index 000000000..0a6299bf0 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml 
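Review bot: `podAntiAffinityPreferredDuringScheduling` silently ignores a `namespaces` value. The required variant splits `$item.namespaces` and emits a `namespaces:` list, but the preferred variant has no such block, so a soft rule that an operator meant to scope to named namespaces renders without that list. Either mirror the `namespaces` block under `podAffinityTerm`, or document the gap at the top of the define with `{{/* namespaces is honoured only by podAntiAffinityLabelSelector (the required rule) */}}`.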
@@ -0,0 +1,60 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} +{{- if not .Values.global.autoscalingv2API }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- else }} +{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} +apiVersion: autoscaling/v2 +{{- else }} +apiVersion: autoscaling/v2beta2 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- end }} +{{- end }} 
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml new file mode 100644 index 000000000..243545a5d --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 
@@ -0,0 +1,348 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if eq $gateway.injectionTemplate "" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "false" + annotations: + istio.io/rev: {{ .Values.revision | default "default" }} + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + 
runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ 
.Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name }} + - name: ISTIO_META_OWNER 
+ value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if .Values.meshConfig.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.meshConfig.trustDomain }}" + {{- end }} + {{- if .Values.meshConfig.trustDomain }} + - name: TRUST_DOMAIN + value: "{{ .Values.meshConfig.trustDomain }}" + {{- end }} + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml new file mode 100644 index 000000000..bc666a8bf --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml 
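Review bot: The `enable-core-dump` init container runs as UID 0 with `privileged: true` and writes `kernel.core_pattern` through `sysctl -w`; that sysctl is generally host-wide rather than per-container, so turning on `global.proxy.enableCoreDump` likely changes core-file handling for the whole node the gateway lands on. The block carries no comment, and the egress chart's values.yaml on this page describes the flag only as enabling core dumps for injected sidecars. I would put a comment above `initContainers:` such as `# Privileged root init container; rewrites the node's kernel.core_pattern. Enable only while debugging.` Separately, the `$gateway.env` and `proxyMetadata` loops render `value: "{{ $val }}"` and `value: "{{ $value }}"`; using `value: {{ $val | quote }}` as injected-deployment.yaml does would keep a value containing a double quote from altering the rendered manifest.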
@@ -0,0 +1,146 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if ne $gateway.injectionTemplate "" }} +{{/* This provides a minimal gateway, ready to be injected. + Any settings from values.gateways should be here - these are options specific to the gateway. + Global settings, like the image, various env vars and volumes, etc will be injected. + The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . 
}} + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "true" + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: istio-proxy + image: auto +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + volumeMounts: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true 
+ {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..8b3688959 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + minAvailable: 1 + selector: + matchLabels: +{{ $gateway.labels | toYaml | trim | indent 6 }} +{{- end }} 
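Review bot: In `injected-deployment.yaml` the same `{{- if not $gateway.runAsRoot }}` guard wraps the whole container `securityContext`, so setting `runAsRoot: true` removes `allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `privileged: false` and `readOnlyRootFilesystem: true` along with the non-root UID settings. Whether the injection template named in `inject.istio.io/templates` supplies its own securityContext is not visible in this diff, so the rendered pod should be inspected with `runAsRoot: true` before that option is relied on. I would document the coupling above the guard, for example `{{/* runAsRoot=true also drops the hardening flags below, not only the non-root UID */}}`.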
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml
new file mode 100644
index 000000000..3e21bca5b
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
new file mode 100644
index 000000000..d45255792
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name }}-service-account
+---
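Review bot: The `{{ $gateway.name }}-sds` Role in `role.yaml` allows `get`, `watch` and `list` on every Secret in `{{ .Release.Namespace }}`, and the RoleBinding in `rolebindings.yaml` hands that to the gateway service account, so the release namespace is the only boundary around what a gateway pod can read. The chart's own `values.yaml` says it must be installed in a separate namespace for this reason, but nothing in the templates enforces it, and the bundled `install-OpenShift.md` installs the gateway into `istio-system`. I would state the constraint next to the rule, e.g. `# Reads all Secrets in the release namespace: install the gateway in a namespace that holds only its own TLS secrets.`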
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml
new file mode 100644
index 000000000..a3b97be16
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml
@@ -0,0 +1,47 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := $gateway.serviceAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+ loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+ externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+ type: {{ $gateway.type }}
+ selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+ ports:
+
+ {{- range $key, $val := $gateway.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+
+ {{ range $app := $gateway.ingressPorts }}
+ -
+ port: {{ $app.port }}
+ name: {{ $app.name }}
+ {{- end }}
+---
+{{ end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
new file mode 100644
index 000000000..9cf3034cd
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
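Review bot: `service.yaml` renders `loadBalancerSourceRanges` only when the value is non-empty, and the chart defaults in `values.yaml` are `type: LoadBalancer` with `loadBalancerSourceRanges: []`, so a default install presumably requests a load balancer with no source-address restriction on ports 80, 443 and 15021. That suits a public ingress but is easy to miss when the gateway is meant to be internal. A comment beside the default would make the choice explicit, e.g. `# Empty list = no source-IP restriction; set CIDRs or an internal-LB annotation for non-public gateways.`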
@@ -0,0 +1,22 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ $gateway.name }}-service-account + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + {{- with $gateway.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml new file mode 100644 index 000000000..89c24a0c7 --- /dev/null +++ b/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml 
@@ -0,0 +1,319 @@ +# A-la-carte istio ingress gateway. +# Must be installed in a separate namespace, to minimize access to secrets. + +gateways: + istio-ingressgateway: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + protocol: TCP + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + + # Scalability tuning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + + cpu: + targetAverageUtilization: 80 + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + serviceAnnotations: {} + + # To generate an internal load balancer: + # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal + #serviceAnnotations: + # cloud.google.com/load-balancer-type: "internal" + + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + + customService: false + externalTrafficPolicy: "" + + ingressPorts: [] + additionalContainers: [] + configVolumes: [] + + serviceAccount: + # Annotations to add to the service account + annotations: {} + + ### Advanced options ############ 
+ env: {} + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + + # The injection template to use for the gateway. If not set, no injection will be performed. + injectionTemplate: "" + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . 
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.18.2 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. 
+ imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: {} + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. 
+ componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # The suffix for global service names + globalDomainSuffix: "global" + # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication + includeEnvoyFilter: true + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. 
+ servicePort: 0 + # whether to use autoscaling/v2 template for HPA settings + # for internal usage only, not to be configured by users. + autoscalingv2API: true + +meshConfig: + enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + defaultConfig: + proxyMetadata: {} + tracing: + # tlsSettings: + # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem + # privateKey: # example: /etc/istio/tracer/key.pem + # caCertificates: # example: /etc/istio/tracer/root-cert.pem + # sni: # example: tracer.somedomain + # subjectAltNames: [] + # - tracer.somedomain diff --git a/istio-1.18.2/manifests/charts/install-OpenShift.md b/istio-1.18.2/manifests/charts/install-OpenShift.md new file mode 100644 index 000000000..0417c07a3 --- /dev/null +++ b/istio-1.18.2/manifests/charts/install-OpenShift.md 
@@ -0,0 +1,43 @@ +# Installing Istio on OpenShift using Helm + +> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio. + +To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows: + +```console +kubectl create namespace istio-system +``` + +The installation process using the Helm charts is as follows: + +1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended. + +```console +helm install istio-base -n istio-system manifests/charts/base +``` + +2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage. + +```console +helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info +``` + +3) `istio-control/istio-discovery` chart installs a revision of istiod. + +```console + helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni" +``` + +4) `gateways` charts install a load balancer with `ingress` and `egress`. + +Ingress secrets and access should be separated from the control plane. 
+ +```console +helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt +``` + +Egress secrets and access should be separated from the control plane. + +```console +helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt +``` diff --git a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml b/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml new file mode 100644 index 000000000..2d61757c1 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +name: cni +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.18.2 +appVersion: 1.18.2 +description: Helm chart for istio-cni components +keywords: + - istio-cni + - istio +sources: + - https://github.com/istio/istio/tree/master/cni +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/istio-cni/README.md b/istio-1.18.2/manifests/charts/istio-cni/README.md new file mode 100644 index 000000000..215051ae7 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/README.md 
@@ -0,0 +1,43 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Ambient + +To enable ambient, you need to to add `--set cni.ambient.enabled=true`. + +### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +## GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt new file mode 100644 index 000000000..994628240 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt 
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml
new file mode 100644
index 000000000..4f930e2e7
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cni
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+rules:
+- apiGroups: [""]
+ resources: ["pods","nodes","namespaces"]
+ verbs: ["get", "list", "watch"]
+---
+{{- if .Values.cni.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cni-repair-role
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "delete", "patch", "update" ]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ]
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..d7e4a861a
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
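Review bot: `istio-cni-repair-role` in `clusterrole.yaml` grants `delete`, `patch` and `update` on pods in every namespace, and `clusterrolebinding.yaml` binds it to the same `istio-cni` service account that the node DaemonSet runs under, so each node's CNI pod token carries cluster-wide pod write access whenever `cni.repair.enabled` is set. The events rule also lists `delete` and `update`, which a component that only reports events would not need; whether the repair controller actually uses them is not visible from this diff. I would add a comment such as `# Cluster-wide pod write access: only rendered when cni.repair.enabled; leave it off where repair is unused.` and trim the events verbs if the controller needs only `create` and `patch`.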
@@ -0,0 +1,58 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni-repair-rolebinding + labels: + k8s-app: istio-cni-repair + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-repair-role +{{- end }} +--- +{{- if ne .Values.cni.psp_cluster_role "" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-cni-psp + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.cni.psp_cluster_role }} +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml new file mode 100644 index 000000000..de62a0c7c --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml 
@@ -0,0 +1,33 @@ +{{- $defaultBinDir := + (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +kind: ConfigMap +apiVersion: v1 +metadata: + name: istio-cni-config + namespace: {{ .Release.Namespace }} + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +data: + # The CNI network configuration to add to the plugin chain on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "cniVersion": "0.3.1", + "name": "istio-cni", + "type": "istio-cni", + "log_level": {{ quote .Values.cni.logLevel }}, + "log_uds_address": "__LOG_UDS_ADDRESS__", + {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}} + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__", + "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, + "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] + } + } diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml new file mode 100644 index 000000000..6ce0e16aa --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml 
@@ -0,0 +1,202 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +{{- $defaultBinDir := + (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: istio-cni-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: istio-cni-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +spec: + selector: + matchLabels: + k8s-app: istio-cni-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} + template: + metadata: + labels: + k8s-app: istio-cni-node + sidecar.istio.io/inject: "false" + annotations: + sidecar.istio.io/inject: "false" + ambient.istio.io/redirection: disabled + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Custom annotations + {{- if .Values.cni.podAnnotations }} +{{ toYaml .Values.cni.podAnnotations | indent 8 }} + {{- end }} + spec: + {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes + {{- with .Values.cni.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. 
+ - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: istio-cni + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.cni.image }} + image: "{{ .Values.cni.image }}" +{{- else }} + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + privileged: {{ .Values.cni.privileged }} +{{- if .Values.cni.seccompProfile }} + seccompProfile: +{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + env: +{{- if .Values.cni.cniConfFileName }} + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "{{ .Values.cni.cniConfFileName }}" +{{- end }} + # The CNI network config to install on each node. 
+ - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: istio-cni-config + key: cni_network_config + - name: CNI_NET_DIR + value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Deploy as a standalone CNI plugin or as chained? + - name: CHAINED_CNI_PLUGIN + value: "{{ .Values.cni.chained }}" + - name: REPAIR_ENABLED + value: "{{ .Values.cni.repair.enabled }}" + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_LABEL_PODS + value: "{{.Values.cni.repair.labelPods}}" + # Set to true to enable pod deletion + - name: REPAIR_DELETE_PODS + value: "{{.Values.cni.repair.deletePods}}" + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + - name: REPAIR_INIT_CONTAINER_NAME + value: "{{ .Values.cni.repair.initContainerName }}" + - name: REPAIR_BROKEN_POD_LABEL_KEY + value: "{{.Values.cni.repair.brokenPodLabelKey}}" + - name: REPAIR_BROKEN_POD_LABEL_VALUE + value: "{{.Values.cni.repair.brokenPodLabelValue}}" + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: LOG_LEVEL + value: {{ .Values.cni.logLevel | quote }} + {{- if .Values.cni.ambient.enabled }} + - name: AMBIENT_ENABLED + value: "true" + {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} + - name: EBPF_ENABLED + value: "true" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-log-dir + {{- if .Values.cni.ambient.enabled }} + - mountPath: /etc/ambient-config + name: cni-ambientconfig + - mountPath: /var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: cni-bpffs-dir + {{- end }} + {{ end }} + resources: +{{- if .Values.cni.resources }} +{{ toYaml 
.Values.cni.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} + {{- if .Values.cni.ambient.enabled }} + - name: cni-ambientconfig + hostPath: + path: /etc/ambient-config + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Used for UDS log + - name: cni-log-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: /var/run/netns + {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} + - name: cni-bpffs-dir + hostPath: + path: /sys/fs/bpf + {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml new file mode 100644 index 000000000..15946ae72 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml @@ -0,0 +1,16 @@ +{{- if .Values.cni.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: istio-cni-resource-quota + namespace: {{ .Release.Namespace }} +spec: + hard: + pods: {{ .Values.cni.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml new file mode 100644 index 000000000..4645db63a --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml 
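Review bot: In the `volumes:` list of daemonset.yaml the hostPath volume `cni-netns-dir` (`/var/run/netns`) is declared unconditionally and `cni-bpffs-dir` (`/sys/fs/bpf`) is gated only on `redirectMode`, while the matching `volumeMounts` entries both sit inside `{{- if .Values.cni.ambient.enabled }}`. With ambient disabled the pod spec therefore still declares a host path it never mounts, which widens what admission policies and audits see for a pod that already runs as uid 0 with writable mounts of the CNI binary and config directories. I would wrap both volume entries in the same `{{- if .Values.cni.ambient.enabled }}` … `{{- end }}` guard that `cni-ambientconfig` uses, nesting the ebpf check inside it as the mounts do.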
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-cni
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
diff --git a/istio-1.18.2/manifests/charts/istio-cni/values.yaml b/istio-1.18.2/manifests/charts/istio-cni/values.yaml
new file mode 100644
index 000000000..157a9ee61
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-cni/values.yaml
@@ -0,0 +1,127 @@ +cni: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Configuration log level of istio-cni binary + # by default istio-cni send all logs to UDS server + # if want to see them you need change global.logging.level with cni:debug + logLevel: debug + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI bin and conf dir override settings + # defaults: + cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + + excludeNamespaces: + - istio-system + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # If this value is set a RoleBinding will be created + # in the same namespace as the istio-cni DaemonSet is created. + # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount + # e.g. if you use PodSecurityPolicies + psp_cluster_role: "" + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) + privileged: false + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient redirection mode: "iptables" or "ebpf" + redirectMode: "iptables" + + repair: + enabled: true + hub: "" + tag: "" + + labelPods: true + deletePods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. 
+ seccompProfile: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # The number of pods that can be unavailable during rolling update (see + # `updateStrategy.rollingUpdate.maxUnavailable` here: + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + # May be specified as a number of pods or as a percent of the total number + # of pods at the start of the update. + rollingMaxUnavailable: 1 + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.18.2 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: default:info,cni:info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi 
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml
new file mode 100644
index 000000000..321d0f121
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+name: istiod
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.18.2
+appVersion: 1.18.2
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio control plane
+keywords:
+ - istio
+ - istiod
+ - istio-discovery
+sources:
+ - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md
new file mode 100644
index 000000000..9d4d07a42
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md
@@ -0,0 +1,59 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+ accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
new file mode 100644
index 000000000..5002c03f8
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
@@ -0,0 +1,237 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if 
.Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion 
.DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: 
/var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} 
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
new file mode 100644
index 000000000..2bd673670
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
@@ -0,0 +1,320 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if 
.Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if 
.DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else 
}} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml new file mode 100644 index 000000000..9ba0c7a46 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml 
@@ -0,0 +1,65 @@
+metadata:
+ annotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_NAMESPACE
+ value: |
+ {{ .Values.global.istioNamespace }}
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "'${SERVER_URI}'",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
new file mode 100644
index 000000000..a05fd5768
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
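Review bot: The bootstrap written by `grpc-bootstrap-init` sets `"channel_creds": [{"type": "insecure"}]` and targets `istiod.${ISTIO_NAMESPACE}.svc:15010`, so a workload injected with this template would fetch its xDS configuration over a channel with no transport security or server authentication; the file should say that it is for test setups only, or the bootstrap should use an authenticated channel. Separately, `ISTIO_NAMESPACE` is declared with a `|` block scalar, which keeps a trailing newline that then ends up inside `SERVER_URI`; `value: {{ .Values.global.istioNamespace | quote }}` avoids that. The init image `busybox:1.28` is referenced by a mutable tag rather than a digest, and `GRPC_GO_LOG_VERBOSITY_LEVEL: "99"` is set on every application container, which looks like a debugging default that should not reach production pods.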
@@ -0,0 +1,513 @@
+{{- define "resources" }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ labels:
+ security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
+ {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+ networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }}
+ {{- end }}
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ annotations: {
+ istio.io/rev: {{ .Revision | default "default" | quote }},
+ {{- if ge (len $containers) 1 }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- end }}
+{{- if .Values.istio_cni.enabled }}
+ {{- if not .Values.istio_cni.chained }}
+ k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
+ {{- end }}
+ sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
+ traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+ traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+ {{- end }}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+ traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+ {{- end }}
+ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+ }
+spec:
+ {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
+ initContainers:
+ {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+ {{ if .Values.istio_cni.enabled -}}
+ - name: istio-validation
+ {{ else -}}
+ - name: istio-init
+ {{ end -}}
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ args:
+ - istio-iptables
+ - "-p"
+ - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+ - "-z"
+ - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+ - "-u"
+ - "1337"
+ - "-m"
+ - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+ - "-i"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+ - "-x"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+ - "-b"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+ - "-d"
+ {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+ - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+ {{- else }}
+ - "15090,15021"
+ {{- end }}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+ - "-q"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+ {{ end -}}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+ - "-o"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+ {{ end -}}
+ {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+ - "-k"
+ - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+ {{ end -}}
+ {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+ - "-c"
+ - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+ {{ end -}}
+ - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+ {{ if .Values.global.logAsJson -}}
+ - "--log_as_json"
+ {{ end -}}
+ {{ if .Values.istio_cni.enabled -}}
+ - "--run-validation"
+ - "--skip-rule-apply"
+ {{ end -}}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{- if .ProxyConfig.ProxyMetadata }}
+ env:
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ resources:
+ {{ template "resources" . }}
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+ privileged: {{ .Values.global.proxy.privileged }}
+ capabilities:
+ {{- if not .Values.istio_cni.enabled }}
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ {{- end }}
+ drop:
+ - ALL
+ {{- if not .Values.istio_cni.enabled }}
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else }}
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
+ {{- end }}
+ {{ end -}}
+ {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ - name: enable-core-dump
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+ command:
+ - /bin/sh
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ resources:
+ {{ template "resources" . }}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ drop:
+ - ALL
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ {{ end }}
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- else if $holdProxy }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - pilot-agent
+ - wait
+ {{- end }}
+ env:
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: ISTIO_BOOTSTRAP_OVERRIDE
+ value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+ {{- end }}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ securityContext:
+ {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ drop:
+ - ALL
+ privileged: true
+ readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else }}
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+ capabilities:
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ add:
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+ - NET_ADMIN
+ {{- end }}
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+ - NET_BIND_SERVICE
+ {{- end }}
+ {{- end }}
+ drop:
+ - ALL
+ privileged: {{ .Values.global.proxy.privileged }}
+ readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ runAsGroup: 1337
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else -}}
+ runAsNonRoot: true
+ runAsUser: 1337
+ {{- end }}
+ {{- end }}
+ resources:
+ {{ template "resources" . }}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - name: credential-socket
+ mountPath: /var/run/secrets/credential-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+ - mountPath: /var/run/secrets/istio/kubernetes
+ name: kube-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+ name: lightstep-certs
+ readOnly: true
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ - emptyDir:
+ name: workload-socket
+ - emptyDir:
+ name: credential-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else }}
+ - emptyDir:
+ name: workload-certs
+ {{- end }}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+ - name: kube-ca-cert
+ configMap:
+ name: kube-root-ca.crt
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml
new file mode 100644
index 000000000..ec80744c1
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml
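Review bot: The `enable-core-dump` init container is injected whenever the pod annotation `sidecar.istio.io/enableCoreDump` (or `.Values.global.proxy.enableCoreDump`) is `"true"`, and it runs with `privileged: true`, `SYS_ADMIN` and uid 0 to execute `sysctl -w kernel.core_pattern=...`, yet nothing in the template marks this as a debugging-only path. A comment above the block such as `# debugging only: privileged init container that rewrites kernel.core_pattern` would help, since that sysctl is, as far as I know, not scoped to the pod. The same annotation also turns `readOnlyRootFilesystem` off on `istio-proxy` further down in this hunk, so both effects should be documented together. Clusters that use this template would want an admission policy that rejects privileged pods in ordinary namespaces, so the annotation alone cannot switch this on.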
@@ -0,0 +1,312 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{.ServiceAccount | quote}}
+ namespace: {{.Namespace | quote}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap .Labels | nindent 4 }}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ name: {{.Name}}
+ uid: "{{.UID}}"
+spec:
+ selector:
+ matchLabels:
+ istio.io/gateway-name: {{.Name}}
+ template:
+ metadata:
+ annotations:
+ {{- toJsonMap
+ (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+ (strdict "istio.io/rev" (.Revision | default "default"))
+ (strdict
+ "prometheus.io/path" "/stats/prometheus"
+ "prometheus.io/port" "15020"
+ "prometheus.io/scrape" "true"
+ ) | nindent 8 }}
+ labels:
+ {{- toJsonMap
+ (strdict
+ "sidecar.istio.io/inject" "false"
+ "service.istio.io/canonical-name" .DeploymentName
+ "service.istio.io/canonical-revision" "latest"
+ )
+ .Labels
+ (strdict "istio.io/gateway-name" .Name) | nindent 8}}
+ spec:
+ {{- if .KubeVersion122 }}
+ {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ {{- end }}
+ serviceAccountName: {{.ServiceAccount | quote}}
+ containers:
+ - name: istio-proxy
+ image: "{{ .ProxyImage }}"
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ securityContext:
+ {{- if .KubeVersion122 }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ {{- else }}
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ runAsUser: 0
+ runAsGroup: 1337
+ runAsNonRoot: false
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: true
+ {{- end }}
+ ports:
+ - containerPort: 15021
+ name: status-port
+ protocol: TCP
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel
+ - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+ - --proxyComponentLogLevel
+ - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+ - --log_output_level
+ - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- end }}
+ env:
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: "[]"
+ - name: ISTIO_META_APP_CONTAINERS
+ value: ""
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: {{.DeploymentName|quote}}
+ - name: ISTIO_META_OWNER
+ value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- with (index .Labels "topology.istio.io/network") }}
+ - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+ value: {{.|quote}}
+ {{- end }}
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 1
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 4
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - name: credential-socket
+ mountPath: /var/run/secrets/credential-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else}}
+ - emptyDir: {}
+ name: workload-certs
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{ toJsonMap .Labels | nindent 4}}
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ name: {{.Name}}
+ uid: {{.UID}}
+spec:
+ ports:
+ {{- range $key, $val := .Ports }}
+ - name: {{ $val.Name | quote }}
+ port: {{ $val.Port }}
+ protocol: TCP
+ appProtocol: {{ $val.AppProtocol }}
+ {{- end }}
+ selector:
+ istio.io/gateway-name: {{.Name}}
+ {{- if .Spec.Addresses }}
+ loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+ {{- end }}
+ type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }}
+---
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml
new file mode 100644
index 000000000..aa5374cd9
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml
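Review bot: Several scalars are rendered from `.Name` and `.UID` without quoting: `name: {{.Name}}` and `istio.io/gateway-name: {{.Name}}` in both the Deployment and the Service, and `uid: {{.UID}}` in the Service's ownerReferences. The same hunk quotes `.DeploymentName`, `.Namespace` and the Deployment's `uid: "{{.UID}}"`. A Gateway whose name YAML reads as a non-string (all digits, for example) would presumably render a manifest that fails to decode, so `name: {{.Name | quote}}` and `uid: {{.UID | quote}}` would make the template consistent. Also, the `else` branch of `.KubeVersion122` runs `istio-proxy` as uid 0 with `allowPrivilegeEscalation: true`; a comment stating that it exists only for clusters older than 1.22 would tell readers why the hardened branch is not unconditional.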
@@ -0,0 +1,238 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap .Labels | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + istio.io/gateway-name: "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "ambient.istio.io/redirection" "disabled" + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .Labels + (strdict + "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta 
`sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault 
.MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + image: {{.ProxyImage}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + name: istio-proxy + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: true + runAsGroup: 1337 + runAsUser: 0 + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{ toJsonMap .Labels | nindent 4}} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ports: + - name: https-hbone + port: 15008 + protocol: TCP + appProtocol: https + selector: + istio.io/gateway-name: "{{.Name}}" +--- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt new file mode 100644 index 000000000..03cb8192f --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt 
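Review bot: The `istio-proxy` container in this waypoint template sets `privileged: true` and `runAsUser: 0` and also adds `NET_ADMIN` and `NET_RAW`; a privileged container already holds every capability, so the `capabilities.add` list is redundant and each rendered waypoint pod gets host-level privileges on its node. If anything in this repository renders this copy of the chart, consider dropping `privileged: true` and keeping only the two capabilities, or add a comment above `securityContext` such as `# privileged is required because <reason>; revisit when upstream narrows it`. The `volumes` list also declares `go-proxy-envoy` and `go-proxy-data`, which no `volumeMounts` entry in this hunk references. The path prefix `istio-1.18.2/` suggests an extracted upstream release tree; if it was committed unintentionally, excluding it keeps unreviewed third-party manifests out of the repository.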
@@ -0,0 +1,56 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} + +Next steps: + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and 
meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl new file mode 100644 index 000000000..ccf8a077f --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl 
@@ -0,0 +1,35 @@ +{{/* Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled + (not (or + .Values.telemetry.v2.prometheus.configOverride.gateway + .Values.telemetry.v2.prometheus.configOverride.inboundSidecar + .Values.telemetry.v2.prometheus.configOverride.outboundSidecar + )) }} +{{- end }} + +{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}} +{{ define "sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled + (not (or + .Values.telemetry.v2.stackdriver.configOverride + .Values.telemetry.v2.stackdriver.disableOutbound )) +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled + (not (or + .Values.telemetry.v2.stackdriver.configOverride + (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY")) + (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL")) + .Values.telemetry.v2.stackdriver.disableOutbound )) +}} +{{- end }} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml new file mode 100644 index 000000000..4069bbde2 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml 
@@ -0,0 +1,59 @@ +{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} +{{- if not .Values.global.autoscalingv2API }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + maxReplicas: {{ .Values.pilot.autoscaleMax }} + minReplicas: {{ .Values.pilot.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} +--- +{{- else }} +{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} +apiVersion: autoscaling/v2 +{{- else }} +apiVersion: autoscaling/v2beta2 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + maxReplicas: {{ .Values.pilot.autoscaleMax }} + minReplicas: {{ .Values.pilot.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} +--- +{{- end }} +{{- end 
}} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml new file mode 100644 index 000000000..e910a317f --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml 
@@ -0,0 +1,147 @@ +{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: 
[""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" +{{- range .Values.global.certSigners }} + - {{ . 
| quote }} +{{- end }} + verbs: ["approve"] +{{- end}} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] 
+ resources: [ "serviceaccounts"] +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..f6e425210 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml @@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} \ No newline at end of file 
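Review bot: The `istiod-clusterrole` rules grant `verbs: ["*"]` on `ingresses/status`, once inside the `enableAnalysis` block and once unconditionally, where a status writer presumably needs no more than `verbs: ["get", "update", "patch"]`. The same role grants cluster-wide `get`/`watch`/`list` on `secrets`, so whoever holds the istiod service-account token can read every Secret in the cluster; the existing comment gives multicluster secret reading as the reason, and a line such as `# cluster-wide read: needed for multicluster remote secrets; scope down if multicluster is unused` would tell operators when the rule can be narrowed. The two `resources: ["*"]` rules with `update` already carry TODOs about `*/status` and are worth tracking alongside this.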
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml new file mode 100644 index 000000000..7b719ac7e --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml @@ -0,0 +1,14 @@ +{{- if .Values.pilot.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +data: + extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml new file mode 100644 index 000000000..d55040477 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml 
@@ -0,0 +1,120 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "prometheus" . | eq "true" }} + {{ $sdMetrics := include "sd-metrics" . | eq "true" }} + {{ $sdLogs := include "sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if $sdMetrics }}- stackdriver{{ end }} + {{- end }} + {{- if $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. 
+ maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- else }} + {} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . 
}} +{{- end }} +--- +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml new file mode 100644 index 000000000..1aa802069 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 
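Review bot: The `lightstep` branch of the `mesh` template writes `.Values.global.tracer.lightstep.accessToken` into the `mesh` key of the `istio` ConfigMap, so the token is stored as plain ConfigMap data and is readable by any subject allowed to read ConfigMaps in the release namespace. I would add a comment above that line, for example `# NOTE: rendered into a ConfigMap in plain text; do not place a long-lived credential here`, so operators do not treat the value as protected. The `stackdriver` branch wraps each `maxNumberOf*` value in an `if` on the same value, so the trailing `| default "200"` can never take effect, and the comments that call 200 a global default describe behaviour the template does not provide.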
@@ -0,0 +1,258 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ istio: pilot
+ release: {{ .Release.Name }}
+{{- range $key, $val := .Values.pilot.deploymentLabels }}
+ {{ $key }}: "{{ $val }}"
+{{- end }}
+spec:
+{{- if not .Values.pilot.autoscaleEnabled }}
+{{- if .Values.pilot.replicaCount }}
+ replicas: {{ .Values.pilot.replicaCount }}
+{{- end }}
+{{- end }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ .Values.pilot.rollingMaxSurge }}
+ maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
+ selector:
+ matchLabels:
+ {{- if ne .Values.revision "" }}
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ sidecar.istio.io/inject: "false"
+ operator.istio.io/component: "Pilot"
+ {{- if ne .Values.revision "" }}
+ istio: istiod
+ {{- else }}
+ istio: pilot
+ {{- end }}
+ {{- range $key, $val := .Values.pilot.podLabels }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ annotations:
+ {{- if .Values.meshConfig.enablePrometheusMerge }}
+ prometheus.io/port: "15014"
+ prometheus.io/scrape: "true"
+ {{- end }}
+ ambient.istio.io/redirection: disabled
+ sidecar.istio.io/inject: "false"
+ {{- if .Values.pilot.podAnnotations }}
+{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+{{- if .Values.pilot.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.pilot.affinity }}
+ affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.pilot.tolerations }}
+ tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+ serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ securityContext:
+ fsGroup: 1337
+ containers:
+ - name: discovery
+{{- if contains "/" .Values.pilot.image }}
+ image: "{{ .Values.pilot.image }}"
+{{- else }}
+ image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ args:
+ - "discovery"
+ - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+ - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+ - --log_as_json
+{{- end }}
+ - --domain
+ - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.global.oneNamespace }}
+ - "-a"
+ - {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.pilot.plugins }}
+ - --plugins={{ .Values.pilot.plugins }}
+{{- end }}
+ - --keepaliveMaxServerConnectionAge
+ - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 15010
+ protocol: TCP
+ - containerPort: 15017
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 1
+ periodSeconds: 3
+ timeoutSeconds: 5
+ env:
+ - name: REVISION
+ value: "{{ .Values.revision | default `default` }}"
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.serviceAccountName
+ - name: KUBECONFIG
+ value: /var/run/secrets/remote/config
+ {{- if .Values.pilot.env }}
+ {{- range $key, $val := .Values.pilot.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+{{- if semverCompare "<1.19" .Capabilities.KubeVersion.GitVersion }}
+ - name: ENABLE_LEGACY_FSGROUP_INJECTION
+ value: "true"
+{{- end }}
+{{- if .Values.pilot.traceSampling }}
+ - name: PILOT_TRACE_SAMPLING
+ value: "{{ .Values.pilot.traceSampling }}"
+{{- end }}
+ - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
+ value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
+ - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
+ value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
+ - name: ISTIOD_ADDR
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
+ - name: PILOT_ENABLE_ANALYSIS
+ value: "{{ .Values.global.istiod.enableAnalysis }}"
+ - name: CLUSTER_ID
+ value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ resources:
+{{- if .Values.pilot.resources }}
+{{ toYaml .Values.pilot.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+{{- if .Values.pilot.seccompProfile }}
+ seccompProfile:
+{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
+{{- end }}
+ volumeMounts:
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ {{- end }}
+ - name: local-certs
+ mountPath: /var/run/secrets/istio-dns
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ - name: istio-kubeconfig
+ mountPath: /var/run/secrets/remote
+ readOnly: true
+ {{- if .Values.pilot.jwksResolverExtraRootCA }}
+ - name: extracacerts
+ mountPath: /cacerts
+ {{- end }}
+ - name: istio-csr-dns-cert
+ mountPath: /var/run/secrets/istiod/tls
+ readOnly: true
+ - name: istio-csr-ca-configmap
+ mountPath: /var/run/secrets/istiod/ca
+ readOnly: true
+ volumes:
+ # Technically not needed on this pod - but it helps debugging/testing SDS
+ # Should be removed after everything works.
+ - emptyDir:
+ medium: Memory
+ name: local-certs
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: {{ .Values.global.sds.token.aud }}
+ expirationSeconds: 43200
+ path: istio-token
+ {{- end }}
+ # Optional: user-generated root
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+ - name: istio-kubeconfig
+ secret:
+ secretName: istio-kubeconfig
+ optional: true
+ # Optional: istio-csr dns pilot certs
+ - name: istio-csr-dns-cert
+ secret:
+ secretName: istiod-tls
+ optional: true
+ - name: istio-csr-ca-configmap
+ configMap:
+ name: istio-ca-root-cert
+ defaultMode: 420
+ optional: true
+ {{- if .Values.pilot.jwksResolverExtraRootCA }}
+ - name: extracacerts
+ configMap:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- end }}
+
+---
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
new file mode 100644
index 000000000..69522c674
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,75 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+ values: |-
+{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
+
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+ {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+ defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+ - {{ . }}
+{{- end }}
+ {{- else }}
+ defaultTemplates: [sidecar]
+ {{- end }}
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": {{ $val | quote }}
+ {{- end }}
+ {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+ which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+ This should make it obvious that their installation is broken.
+ */}}
+ template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+ templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+ sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+ gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+ grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+ grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+ waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+ kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..fbffdd652
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml
@@ -0,0 +1,152 @@
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+ "revision" .Values.revision
+ "injectionPath" .Values.istiodRemote.injectionPath
+ "injectionURL" .Values.istiodRemote.injectionURL
+ "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .injectionURL }}
+ url: "{{ .injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+ namespace: {{ .namespace }}
+ path: "{{ .injectionPath }}"
+ port: 443
+ {{- end }}
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ .Release.Name }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..454737a69
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+---
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..793b75e66
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
@@ -0,0 +1,55 @@
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceexports"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceimports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..4f9925c9d
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
new file mode 100644
index 000000000..8bef54643
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
@@ -0,0 +1,140 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{- $whv := dict
+ "revision" .Values.revision
+ "injectionPath" .Values.istiodRemote.injectionPath
+ "injectionURL" .Values.istiodRemote.injectionURL
+ "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .injectionURL }}
+ url: "{{ .injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+ namespace: {{ .namespace }}
+ path: "{{ .injectionPath }}"
+ port: 443
+ {{- end }}
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+ name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+ name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/tag: {{ $tagName }}
+ istio.io/rev: {{ $.Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ $.Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "{{ $tagName }}"
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml
new file mode 100644
index 000000000..195bdde40
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "update", "patch", "create"]
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
new file mode 100644
index 000000000..0d700f008
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml
new file mode 100644
index 000000000..b5ddf5b6e
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.pilot.serviceAnnotations }}
+ annotations:
+{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: istiod
+ istio: pilot
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # plaintext
+ protocol: TCP
+ - port: 15012
+ name: https-dns # mTLS with k8s-signed cert
+ protocol: TCP
+ - port: 443
+ name: https-webhook # validation and injection
+ targetPort: 15017
+ protocol: TCP
+ - port: 15014
+ name: http-monitoring # prometheus stats
+ protocol: TCP
+ selector:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ # Label used by the 'default' service. For versioned deployments we match with app and version.
+ # This avoids default deployment picking the canary
+ istio: pilot
+ {{- end }}
+---
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ee6cbc326
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+---
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml
new file mode 100644
index 000000000..8374fc05d
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml
@@ -0,0 +1,616 @@
+{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
+{{ $prom := not (include "prometheus" . | eq "true") }}
+{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
+{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
+---
+# Note: http stats filter is wasm enabled only in sidecars.
+{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_inbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+---
+# Note: tcp stats filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_inbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+---
+{{- end }}
+{{/*TODO: this is broken, we do not handle the split quite right! */}}
+{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+{{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
+ "disable_host_header_fallback": true,
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "disable_host_header_fallback": true,
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '1\.16.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "istio.stackdriver"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.access_log
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {
+ "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
+ }
+ vm_config:
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: "envoy.wasm.access_log_policy" }
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml
new file mode 100644
index 000000000..990d817ca
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml
@@ -0,0 +1,486 @@
+{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
+{{ $prom := not (include "prometheus" . | eq "true") }}
+{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
+{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
+---
+# Note: http stats filter is wasm enabled only in sidecars.
+{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+---
+# Note: tcp stats filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+---
+{{- end }}
+{{/*TODO: this is broken, we do not handle the split quite right! */}}
+{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+{{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
+ "disable_host_header_fallback": true,
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "disable_host_header_fallback": true,
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '1\.17.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "istio.stackdriver"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.access_log
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {
+ "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
+ }
+ vm_config:
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: "envoy.wasm.access_log_policy" }
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml
new file mode 100644
index 000000000..736ed586f
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml
@@ -0,0 +1,486 @@
+{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
+{{ $prom := not (include "prometheus" . | eq "true") }}
+{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }}
+{{ $sdLogs := not (include "sd-logs" . | eq "true") }}
+---
+# Note: http stats filter is wasm enabled only in sidecars.
+{{- if and .Values.telemetry.v2.prometheus.enabled $prom }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+---
+# Note: tcp stats filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/stats.PluginConfig
+ value:
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+---
+{{- end }}
+{{/*TODO: this is broken, we do not handle the split quite right! */}}
+{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+{{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
+ "disable_host_header_fallback": true,
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "disable_host_header_fallback": true,
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }},
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {
+ "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}",
+ "metric_expiry_duration": "3600s"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ priority: -1
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '1\.18.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "istio.stackdriver"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.access_log
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {
+ "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
+ }
+ vm_config:
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: "envoy.wasm.access_log_policy" }
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..88b9eb7c6
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ {{- if .Values.base.validateGateway }}
+ - gateway.networking.k8s.io
+ {{- end }}
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+---
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml
new file mode 100644
index 000000000..2c05e3dfb
--- /dev/null
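Review bot: The `rev.validation.istio.io` webhook is created with `failurePolicy: Ignore`, so until something changes it to `Fail` the API server admits `security.istio.io`, `networking.istio.io`, `telemetry.istio.io` and `extensions.istio.io` objects unvalidated whenever the endpoint is unreachable or its `caBundle` is still unset. The comment above the field says the webhook controller performs that change once the endpoint is ready, but nothing in this hunk shows it happening, so it should be confirmed for every way this chart gets applied (a static render would presumably stay fail-open). I would extend that comment with the check an operator should run, for example `# After install, confirm failurePolicy reads Fail and caBundle is populated; alert if it stays Ignore.`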
+++ b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml 
@@ -0,0 +1,485 @@
+#.Values.pilot for discovery and mesh wide config
+
+## Discovery Settings
+pilot:
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+
+ hub: ""
+ tag: ""
+ variant: ""
+
+ # Can be a full hub/image:tag
+ image: pilot
+ traceSampling: 1.0
+
+ # Resources for a small pilot install
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+
+ # Set to `type: RuntimeDefault` to use the default profile if available.
+ seccompProfile: {}
+
+ env: {}
+
+ cpu:
+ targetAverageUtilization: 80
+
+ # if protocol sniffing is enabled for outbound
+ enableProtocolSniffingForOutbound: true
+ # if protocol sniffing is enabled for inbound
+ enableProtocolSniffingForInbound: true
+
+ nodeSelector: {}
+ podAnnotations: {}
+ serviceAnnotations: {}
+
+ # You can use jwksResolverExtraRootCA to provide a root certificate
+ # in PEM format. This will then be trusted by pilot when resolving
+ # JWKS URIs.
+ jwksResolverExtraRootCA: ""
+
+ # This is used to set the source of configuration for
+ # the associated address in configSource, if nothing is specified
+ # the default MCP is assumed.
+ configSource:
+ subscribedResources: []
+
+ plugins: []
+
+ # The following is used to limit how long a sidecar can be connected
+ # to a pilot. It balances out load across pilot instances at the cost of
+ # increasing system churn.
+ keepaliveMaxServerConnectionAge: 30m
+
+ # Additional labels to apply to the deployment.
+ deploymentLabels: {}
+
+ ## Mesh config settings
+
+ # Install the mesh config map, generated from values.yaml.
+ # If false, pilot wil use default values (by default) or user-supplied values.
+ configMap: true
+
+ # Additional labels to apply on the pod level for monitoring and logging configuration.
+ podLabels: {}
+
+sidecarInjectorWebhook:
+ # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+ # always skip the injection on pods that match that label selector, regardless of the global policy.
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+ neverInjectSelector: []
+ alwaysInjectSelector: []
+
+ # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+ # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+ #
+ # annotations:
+ # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ #
+ # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+ # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+ # injectedAnnotations:
+ # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+ # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+ injectedAnnotations: {}
+
+ # This enables injection of sidecar in all namespaces,
+ # with the exception of namespaces with "istio-injection:disabled" annotation
+ # Only one environment should have this enabled.
+ enableNamespacesByDefault: false
+
+ rewriteAppHTTPProbe: true
+
+ # Templates defines a set of custom injection templates that can be used. For example, defining:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+ # being injected with the hello=world labels.
+ # This is intended for advanced configuration only; most users should use the built in template
+ templates: {}
+
+ # Default templates specifies a set of default templates that are used in sidecar injection.
+ # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+ # To inject other additional templates, define it using the `templates` option, and add it to
+ # the default templates list.
+ # For example:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # defaultTemplates: ["sidecar", "hello"]
+ defaultTemplates: []
+istiodRemote:
+ # Sidecar injector mutating webhook configuration clientConfig.url value.
+ # For example: https://$remotePilotAddress:15017/inject
+ # The host should not refer to a service running in the cluster; use a service reference by specifying
+ # the clientConfig.service field instead.
+ injectionURL: ""
+
+ # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+ # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+ injectionPath: "/inject"
+telemetry:
+ enabled: true
+ v2:
+ # For Null VM case now.
+ # This also enables metadata exchange.
+ enabled: true
+ metadataExchange:
+ # Indicates whether to enable WebAssembly runtime for metadata exchange filter.
+ wasmEnabled: false
+ # Indicate if prometheus stats filter is enabled or not
+ prometheus:
+ enabled: true
+ # Indicates whether to enable WebAssembly runtime for stats filter.
+ wasmEnabled: false
+ # overrides stats EnvoyFilter configuration.
+ configOverride:
+ gateway: {}
+ inboundSidecar: {}
+ outboundSidecar: {}
+ # stackdriver filter settings.
+ stackdriver:
+ enabled: false
+ logging: false
+ monitoring: false
+ topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
+ disableOutbound: false
+ # configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
+
+ configOverride: {}
+ # e.g.
+ # disable_server_access_logging: false
+ # disable_host_header_fallback: true
+ # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
+ accessLogPolicy:
+ enabled: false
+ # To reduce the number of successful logs, default log window duration is
+ # set to 12 hours.
+ logWindowDuration: "43200s"
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# Revision tags are aliases to Istio control plane revisions
+revisionTags: []
+
+# For Helm compatibility.
+ownerName: ""
+
+# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+meshConfig:
+ enablePrometheusMerge: true
+
+global:
+ # Used to locate istiod.
+ istioNamespace: istio-system
+ # List of cert-signers to allow "approve" action in the istio cluster role
+ #
+ # certSigners:
+ # - clusterissuers.cert-manager.io/istio-ca
+ certSigners: []
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+ # The values aren't mutable due to a current PodDisruptionBudget limitation
+ # minAvailable: 1
+
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+ # Default tag for Istio images.
+ tag: 1.18.2
+ # Variant of the image to use.
+ # Currently supported are: [debug, distroless]
+ variant: ""
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Enabled by default in master for maximising testing.
+ istiod:
+ enableAnalysis: false
+
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+
+ omitSidecarInjectorConfigMap: false
+
+ # Whether to restrict the applications namespace the controller manages;
+ # If not set, controller watches all namespaces
+ oneNamespace: false
+
+ # Configure whether Operator manages webhook configurations. The current behavior
+ # of Istiod is to manage its own webhook configurations.
+ # When this option is set as true, Istio Operator, instead of webhooks, manages the
+ # webhook configurations. When this option is set as false, webhooks manage their
+ # own webhook configurations.
+ operatorManageWebhooks: false
+
+ # Custom DNS config for the pod to resolve names of services in other
+ # clusters. Use this to add additional search domains, and other settings.
+ # see
+ # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+ # This does not apply to gateway pods as they typically need a different
+ # set of DNS settings than the normal application pods (e.g., in
+ # multicluster scenarios).
+ # NOTE: If using templates, follow the pattern in the commented example below.
+ #podDNSSearchNamespaces:
+ #- global
+ #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+
+ proxy:
+ image: proxyv2
+
+ # This controls the 'policy' in the sidecar injector.
+ autoInject: enabled
+
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+
+ # istio ingress capture allowlist
+ # examples:
+ # Redirect only selected ports: --includeInboundPorts="80,8080"
+ excludeInboundPorts: ""
+ includeInboundPorts: "*"
+
+ # istio egress capture allowlist
+ # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+ # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+ # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+ # be allowed by the sidecar
+ includeIPRanges: "*"
+ excludeIPRanges: ""
+ includeOutboundPorts: ""
+ excludeOutboundPorts: ""
+
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+
+ #If set to true, istio-proxy container will have privileged securityContext
+ privileged: false
+
+ # The number of successive failed probes before indicating readiness failure.
+ readinessFailureThreshold: 30
+
+ # The initial delay for readiness probes in seconds.
+ readinessInitialDelaySeconds: 1
+
+ # The period between readiness probes.
+ readinessPeriodSeconds: 2
+
+ # Resources for the sidecar.
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+
+ # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+ statusPort: 15020
+
+ # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+ # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+ tracer: "zipkin"
+
+ proxy_init:
+ # Base name for the proxy_init container, used to configure iptables.
+ image: proxyv2
+
+ # configure remote pilot and istiod service and endpoint
+ remotePilotAddress: ""
+
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ # If not set explicitly, default to the Istio discovery address.
+ caAddress: ""
+
+ # Configure a remote cluster data plane controlled by an external istiod.
+ # When set to true, istiod is not deployed locally and only a subset of the other
+ # discovery charts are enabled.
+ externalIstiod: false
+
+ # Configure a remote cluster as the config cluster for an external istiod.
+ configCluster: false
+
+ # Configure the policy for validating JWT.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique. For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+
+ # Configure the mesh networks to be used by the Split Horizon EDS.
+ #
+ # The following example defines two networks with different endpoints association methods.
+ # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+ # mapped to network1. The gateway for this network example is specified by its public IP
+ # address and port.
+ # The second network, `network2`, in this example is defined differently with all endpoints
+ # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+ # gateway is also defined differently with the name of the gateway service on the remote
+ # cluster. The public IP for the gateway will be determined from that remote service (only
+ # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+ # it still need to be configured manually).
+ #
+ # meshNetworks:
+ # network1:
+ # endpoints:
+ # - fromCidr: "192.168.0.1/24"
+ # gateways:
+ # - address: 1.1.1.1
+ # port: 80
+ # network2:
+ # endpoints:
+ # - fromRegistry: reg1
+ # gateways:
+ # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+ # port: 443
+ #
+ meshNetworks: {}
+
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+
+ # The name of the CA for workload certificates.
+ # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+ # will be used as the certificates for workloads.
+ # The default value is "" and when caName="", the CA will be configured by other
+ # mechanisms (e.g., environmental variable CA_PROVIDER).
+ caName: ""
+
+ # whether to use autoscaling/v2 template for HPA settings
+ # for internal usage only, not to be configured by users.
+ autoscalingv2API: true
+
+base:
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
+
+ # If enabled, gateway-api types will be validated using the standard upstream validation logic.
+ # This is an alternative to deploying the standalone validation server the project provides.
+ # This is disabled by default, as the cluster may already have a validation server; while technically
+ # it works to have multiple redundant validations, this adds complexity and operational risks.
+ # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
+ validateGateway: false
diff --git a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml b/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml
new file mode 100644
index 000000000..3e6305781
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+name: istio-operator
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.18.2
+appVersion: 1.18.2
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio operator
+keywords:
+ - istio
+ - operator
+sources:
+ - https://github.com/istio/istio/tree/master/operator
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml
new file mode 100644
index 000000000..93ac1de07
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml
new file mode 100644
index 000000000..c7101ab6b
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml
@@ -0,0 +1,117 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+rules:
+# istio groups
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - install.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+# k8s groups
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions.apiextensions.k8s.io
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/finalizers
+ - replicasets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - pods
+ - pods/proxy
+ - pods/portforward
+ - persistentvolumeclaims
+ - secrets
+ - services
+ - serviceaccounts
+ - resourcequotas
+ verbs:
+ - '*'
+---
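Review bot: The rules in this ClusterRole give `'*'` verbs on `secrets`, `clusterroles`, `clusterrolebindings`, `pods/proxy` and `pods/portforward` cluster-wide, and the ClusterRoleBinding added in the next file binds them to the `istio-operator` ServiceAccount, so whoever controls that pod or its token can read every secret and grant itself further rights. The `istio-1.18.2/manifests/charts/` path suggests this is an unpacked upstream Istio release rather than project code; if so, consider dropping the tree from the commit and ignoring it with `istio-*/` in `.gitignore`. If the copy is intentional, a header such as `# Vendored unmodified from the Istio 1.18.2 release; grants near cluster-admin rights, install only where the operator is needed` would tell readers not to treat it as a least-privilege example.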
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
new file mode 100644
index 000000000..a3df073ab
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+subjects:
+- kind: ServiceAccount
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{.Release.Namespace}}
+roleRef:
+ kind: ClusterRole
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ apiGroup: rbac.authorization.k8s.io
+---
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml
new file mode 100644
index 000000000..a37036508
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.enableCRDTemplates -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
+---
+{{ $.Files.Get $path }}
+{{- end -}}
+{{- end -}}
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml
new file mode 100644
index 000000000..018309564
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: {{.Release.Namespace}}
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+spec:
+ replicas: 1
+ revisionHistoryLimit: {{ .Values.deploymentHistory }}
+ selector:
+ matchLabels:
+ name: istio-operator
+ template:
+ metadata:
+ labels:
+ name: istio-operator
+ {{- range $key, $val := .Values.podLabels }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ annotations:
+ prometheus.io/port: "{{ .Values.operator.monitoring.port }}"
+ prometheus.io/scrape: "true"
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ containers:
+ - name: istio-operator
+ image: {{.Values.hub}}/operator:{{.Values.tag}}
+ command:
+ - operator
+ - server
+ - --monitoring-host={{ .Values.operator.monitoring.host }}
+ - --monitoring-port={{ .Values.operator.monitoring.port }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
+{{- if .Values.operator.seccompProfile }}
+ seccompProfile:
+{{ toYaml .Values.operator.seccompProfile | trim | indent 14 }}
+{{- end }}
+{{- if .Values.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- end }}
+ resources:
+{{ toYaml .Values.operator.resources | trim | indent 12 }}
+ env:
+ - name: WATCH_NAMESPACE
+ value: {{.Values.watchedNamespaces | quote}}
+ - name: LEADER_ELECTION_NAMESPACE
+ value: {{.Release.Namespace | quote}}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: {{.Release.Namespace | quote}}
+ - name: WAIT_FOR_RESOURCES_TIMEOUT
+ value: {{.Values.waitForResourcesTimeout | quote}}
+ - name: REVISION
+ value: {{.Values.revision | quote}}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+---
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml
new file mode 100644
index 000000000..e32e8ea0a
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{.Release.Namespace}}
+ labels:
+ name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+spec:
+ ports:
+ - name: http-metrics
+ port: 8383
+ targetPort: 8383
+ protocol: TCP
+ selector:
+ name: istio-operator
+---
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml
new file mode 100644
index 000000000..fe9d4cf2b
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{.Release.Namespace}}
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.imagePullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+---
diff --git a/istio-1.18.2/manifests/charts/istio-operator/values.yaml b/istio-1.18.2/manifests/charts/istio-operator/values.yaml
new file mode 100644
index 000000000..d344f093a
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istio-operator/values.yaml
@@ -0,0 +1,51 @@
+hub: docker.io/istio
+tag: 1.18.2
+
+# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
+# used to pull operator image. Must be set for any cluster configured with private docker registry.
+imagePullSecrets: []
+
+# Specify image pull policy if default behavior isn't desired.
+# Default behavior: latest images will be Always else IfNotPresent.
+imagePullPolicy: ""
+
+# Used to replace istioNamespace to support operator watch multiple namespaces.
+watchedNamespaces: istio-system
+waitForResourcesTimeout: 300s
+
+# Used for helm2 to add the CRDs to templates.
+enableCRDTemplates: false
+
+# revision for the operator resources
+revision: ""
+
+# The number of old ReplicaSets to retain in operator deployment
+deploymentHistory: 10
+
+# Operator resource defaults
+operator:
+ monitoring:
+ host: 127.0.0.1
+ port: 15014
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ # Set to `type: RuntimeDefault` to use the default profile if available.
+ seccompProfile: {}
+
+# Node labels for pod assignment
+nodeSelector: {}
+
+# Tolerations for pod assignment
+tolerations: []
+
+# Affinity for pod assignment
+affinity: {}
+
+# Additional labels and annotations to apply on the pod level for monitoring and logging configuration.
+podLabels: {}
+podAnnotations: {}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml b/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml
new file mode 100644
index 000000000..616ce3fca
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+name: istiod-remote
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.18.2
+appVersion: 1.18.2
+tillerVersion: ">=2.7.2"
+description: Helm chart for a remote cluster using an external istio control plane
+keywords:
+ - istio
+ - external-istiod
+sources:
+ - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt b/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt
new file mode 100644
index 000000000..0230b6f86
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt
@@ -0,0 +1,4 @@
+Install for a remote cluster using an external control plane.
+
+The templates in this directory are copies of base and istio-discovery templates.
+DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen.
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
new file mode 100644
index 000000000..5002c03f8
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
@@ -0,0 +1,237 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if 
.Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion 
.DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: 
/var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} 
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml
new file mode 100644
index 000000000..a05fd5768
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml
@@ -0,0 +1,513 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 
+ {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ 
.MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + 
{{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if 
.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + 
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - mountPath: /var/run/secrets/istio/kubernetes + name: kube-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - name: kube-ca-cert + configMap: + name: kube-root-ca.crt + {{- end }} + {{- if 
.Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl new file mode 100644 index 000000000..ccf8a077f --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl 
@@ -0,0 +1,35 @@
+{{/* Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "prometheus" }}
+{{- and
+ (not .Values.meshConfig.defaultProviders)
+ .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+ (not (or
+ .Values.telemetry.v2.prometheus.configOverride.gateway
+ .Values.telemetry.v2.prometheus.configOverride.inboundSidecar
+ .Values.telemetry.v2.prometheus.configOverride.outboundSidecar
+ )) }}
+{{- end }}
+
+{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}}
+{{ define "sd-metrics" }}
+{{- and
+ (not .Values.meshConfig.defaultProviders)
+ .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+ (not (or
+ .Values.telemetry.v2.stackdriver.configOverride
+ .Values.telemetry.v2.stackdriver.disableOutbound ))
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "sd-logs" }}
+{{- and
+ (not .Values.meshConfig.defaultProviders)
+ .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+ (not (or
+ .Values.telemetry.v2.stackdriver.configOverride
+ (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY"))
+ (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL"))
+ .Values.telemetry.v2.stackdriver.disableOutbound ))
+}}
+{{- end }}
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml
new file mode 100644
index 000000000..2550df5f7
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml
@@ -0,0 +1,149 @@
+{{- if .Values.global.configCluster }}
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+{{- range .Values.global.certSigners }}
+ - {{ . | quote }}
+{{- end }}
+ verbs: ["approve"]
+{{- end}}
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update", "patch"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gatewayclasses"]
+ verbs: ["create", "update", "patch", "delete"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceexports"]
+ verbs: [ "get", "watch", "list", "create", "delete"]
+
+ # Used for MCS serviceimport management
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: ["apps"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "deployments" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "services" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..932cdce02
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml
new file mode 100644
index 000000000..d55040477
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml
@@ -0,0 +1,120 @@
+{{- define "mesh" }}
+ # The trust domain corresponds to the trust root of a system.
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ # The namespace to treat as the administrative root namespace for Istio configuration.
+ # When processing a leaf namespace Istio will search for declarations in that namespace first
+ # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+ # is processed as if it were declared in the leaf namespace.
+ rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+ {{ $prom := include "prometheus" . | eq "true" }}
+ {{ $sdMetrics := include "sd-metrics" . | eq "true" }}
+ {{ $sdLogs := include "sd-logs" . | eq "true" }}
+ {{- if or $prom $sdMetrics $sdLogs }}
+ defaultProviders:
+ {{- if or $prom $sdMetrics }}
+ metrics:
+ {{ if $prom }}- prometheus{{ end }}
+ {{ if $sdMetrics }}- stackdriver{{ end }}
+ {{- end }}
+ {{- if $sdLogs }}
+ accessLogging:
+ - stackdriver
+ {{- end }}
+ {{- end }}
+
+ defaultConfig:
+ {{- if .Values.global.meshID }}
+ meshId: "{{ .Values.global.meshID }}"
+ {{- end }}
+ {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+ image:
+ imageType: {{. | quote}}
+ {{- end }}
+ tracing:
+ {{- if eq .Values.global.proxy.tracer "lightstep" }}
+ lightstep:
+ # Address of the LightStep Satellite pool
+ address: {{ .Values.global.tracer.lightstep.address }}
+ # Access Token used to communicate with the Satellite pool
+ accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+ {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+ zipkin:
+ # Address of the Zipkin collector
+ address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+ {{- else if eq .Values.global.proxy.tracer "datadog" }}
+ datadog:
+ # Address of the Datadog Agent
+ address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
+ {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+ stackdriver:
+ # enables trace output to stdout.
+ {{- if $.Values.global.tracer.stackdriver.debug }}
+ debug: {{ $.Values.global.tracer.stackdriver.debug }}
+ {{- end }}
+ {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
+ # The global default max number of attributes per span.
+ maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
+ {{- end }}
+ {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
+ # The global default max number of annotation events per span.
+ maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
+ {{- end }}
+ {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
+ # The global default max number of message events per span.
+ maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
+ {{- end }}
+ {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
+ {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
+ {{- else }}
+ {}
+ {{- end }}
+ {{- if .Values.global.remotePilotAddress }}
+ {{- if .Values.pilot.enabled }}
+ discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+ {{- else }}
+ discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+ {{- end }}
+ {{- else }}
+ discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+ {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.pilot.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ {{- if .Values.global.meshNetworks }}
+ networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+ {{- else }}
+ networks: {}
+ {{- end }}
+
+ mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml
new file mode 100644
index 000000000..27259265f
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml
@@ -0,0 +1,7201 @@ +{{- if .Values.global.configCluster }} +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + imagePullPolicy: + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: Criteria for selecting traffic by their direction. + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. 
+ items: + properties: + number: + type: integer + type: object + type: array + type: object + type: array + phase: + description: Determines where in the filter chain this `WasmPlugin` + is to be injected. + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + nullable: true + type: integer + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + type: string + url: + description: URL of a Wasm module or OCI container. + type: string + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + type: string + value: + description: Value for the environment variable. 
+ type: string + valueFrom: + enum: + - INLINE + - HOST + type: string + type: object + type: array + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. 
+ type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. 
+ type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. 
+ type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + 
properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. 
+ type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. 
+ type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. 
+ type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. 
+ properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. 
+ properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. 
+ format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service resolution mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service resolution mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' 
+ items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. 
+ properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. 
+ type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. 
+ properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. 
+ type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. 
+ properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. 
+ type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. 
+ items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. 
+ items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. 
+ items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. 
+ items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. 
+ enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + reportingInterval: + description: Optional. + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. 
+ properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml new file mode 100644 index 000000000..42e95ee8e --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml 
@@ -0,0 +1,50 @@ +{{- if .Values.global.configCluster }} +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + conversion: + strategy: None + group: install.istio.io + names: + kind: IstioOperator + listKind: IstioOperatorList + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml new file mode 100644 index 000000000..6b1d6633f --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml 
@@ -0,0 +1,50 @@ +{{- if .Values.global.configCluster }} +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + {{- if .Values.base.validateGateway }} + - gateway.networking.k8s.io + {{- end }} + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml new file mode 100644 index 000000000..2675b47a1 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml 
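Review bot: The validating webhook is created with `failurePolicy: Ignore` while its rule covers `apiVersions: ["*"]` and `resources: ["*"]` in the security, networking, telemetry and extensions groups, so any CREATE/UPDATE is admitted unvalidated whenever the endpoint cannot be reached. The in-file comment says the webhook controller later switches this to `Fail` and patches in `caBundle`, but nothing in this template verifies that the switch happened. This chart is gated on `.Values.global.configCluster`, where the control plane presumably runs outside the cluster, so a controller that never reaches this object would leave it failing open indefinitely. I would extend the comment with the operational check, e.g. `# After install, confirm failurePolicy is Fail and caBundle is set; alert if it stays Ignore.`, and assert the same in the install test.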
@@ -0,0 +1,23 @@ +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +# if the remotePilotAddress is an IP addr +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.pilot.enabled }} + name: istiod-remote + {{- else }} + name: istiod + {{- end }} + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml new file mode 100644 index 000000000..69522c674 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml 
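Review bot: The IP test `regexMatch "^([0-9]*\\.){3}[0-9]*$"` accepts empty and over-long octets (`...`, `1.2.3.`, `1234.1.1.1`), and whatever matches is written unquoted into `ip: {{ .Values.global.remotePilotAddress }}`. services.yaml in this same patch negates the identical pattern to decide whether to emit `type: ExternalName`, so a malformed value takes the Endpoints path and an IPv6 address takes the ExternalName path. Tightening both occurrences to `^([0-9]{1,3}\\.){3}[0-9]{1,3}$` and quoting the value (`ip: {{ .Values.global.remotePilotAddress | quote }}`) would make the two templates fail predictably on bad input. That pattern still allows octets above 255, so the API server remains the final validator.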
@@ -0,0 +1,75 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . 
}} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} 
+{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..fbffdd652 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml 
@@ -0,0 +1,152 @@ +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: +{{- /* Set up the selectors. 
First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: 
istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml new file mode 100644 index 000000000..793b75e66 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml 
@@ -0,0 +1,55 @@ +{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.global.externalIstiod }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} 
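Review bot: This ClusterRole is named and labelled as a reader, yet the core-group rule lists `secrets` with `get, list, watch` cluster-wide. Under `.Values.global.externalIstiod` it also gains `update`/`patch` on every `mutatingwebhookconfigurations` object and `update` on every `validatingwebhookconfigurations` object, with no `resourceNames`. reader-serviceaccount.yaml in this patch says the bound account "should be used for remote secret creation", so its token is presumably held outside this cluster and carries these rights with it. I would add `resourceNames` to the two webhook rules, naming only the configurations this chart installs (hedged: the controller may patch others not visible here). I would also add a comment above the `secrets` entry stating why cluster-wide read is required, e.g. `# secrets: cluster-wide read; the token for this account is exported, rotate and scope it accordingly`.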
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml new file mode 100644 index 000000000..4f9925c9d --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml new file mode 100644 index 000000000..d9ce18c27 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml @@ -0,0 +1,16 @@ +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml new file mode 100644 index 000000000..c3af8c075 --- /dev/null 
+++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.configCluster }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml new file mode 100644 index 000000000..f65b3b122 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml 
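Review bot: The "For storing CA secret" rule grants `create, get, watch, list, update, delete` on all `secrets` in `{{ .Values.global.istioNamespace }}`, and the in-file `TODO lock this down to istio-ca-cert` is still open. As written, the istiod service account can read and delete every Secret in that namespace, not only the CA material. The rule could be split in two: one rule keeping `verbs: ["create"]` without a name restriction, and a second carrying `resourceNames: ["<ca-secret-name>"]` (placeholder, take the real name from the CA code) with `verbs: ["get", "update", "delete"]`. `list` and `watch` would stay only if the DNS-cert configuration mentioned in the TODO needs them, since those verbs are not narrowed by `resourceNames` unless the client uses a name field selector.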
@@ -0,0 +1,18 @@ +{{- if .Values.global.configCluster }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml new file mode 100644 index 000000000..4f8d20f6a --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.global.configCluster }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +--- +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml new file mode 100644 index 000000000..2bc55e669 --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.pilot.enabled }} + # when local istiod is enabled, we can't use istiod service name to reach the remote control plane + name: istiod-remote + {{- else }} + # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane + name: istiod + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +--- +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml new file mode 100644 index 000000000..8374fc05d --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml 
@@ -0,0 +1,616 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +{{ $prom := not (include "prometheus" . | eq "true") }} +{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} +{{ $sdLogs := not (include "sd-logs" . | eq "true") }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- 
end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + 
local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if 
.Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{/*TODO: this is broken, we do not handle the split quite right! */}} +{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: 
envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, + "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", + "disable_host_header_fallback": true, + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "disable_host_header_fallback": true, + 
"metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: 
INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, + "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: 
stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.16.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml new file mode 100644 index 000000000..990d817ca --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml 
@@ -0,0 +1,486 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +{{ $prom := not (include "prometheus" . | eq "true") }} +{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} +{{ $sdLogs := not (include "sd-logs" . | eq "true") }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + 
"disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.17.*' + 
listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} +--- +{{- end }} +{{/*TODO: this is broken, we do not handle the split quite right! 
*/}} +{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, + "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", + "disable_host_header_fallback": true, + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "disable_host_header_fallback": true, + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: 
tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not 
.Values.telemetry.v2.stackdriver.configOverride }} + { + "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, + "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + 
configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.17.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml new file mode 100644 index 000000000..736ed586f --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml 
@@ -0,0 +1,486 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +{{ $prom := not (include "prometheus" . | eq "true") }} +{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} +{{ $sdLogs := not (include "sd-logs" . | eq "true") }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + 
"disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.18.*' + 
listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/stats.PluginConfig + value: + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + {} + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} +--- +{{- end }} +{{/*TODO: this is broken, we do not handle the split quite right! 
*/}} +{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, + "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", + "disable_host_header_fallback": true, + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "disable_host_header_fallback": true, + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: 
tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not 
.Values.telemetry.v2.stackdriver.configOverride }} + { + "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, + "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + { + "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", + "metric_expiry_duration": "3600s" + } + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + priority: -1 + 
configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.18.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..96c2e68ff --- /dev/null +++ b/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml 
@@ -0,0 +1,60 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ {{- if .Values.base.validateGateway }}
+ - gateway.networking.k8s.io
+ {{- end }}
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml b/istio-1.18.2/manifests/charts/istiod-remote/values.yaml
new file mode 100644
index 000000000..aba10e2af
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/istiod-remote/values.yaml 
@@ -0,0 +1,416 @@
+#.Values.pilot for discovery and mesh wide config
+
+## Discovery Settings
+pilot:
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+ hub: ""
+ tag: ""
+ variant: ""
+ # Can be a full hub/image:tag
+ image: pilot
+ traceSampling: 1.0
+ # Resources for a small pilot install
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+ # Set to `type: RuntimeDefault` to use the default profile if available.
+ seccompProfile: {}
+ env: {}
+ cpu:
+ targetAverageUtilization: 80
+ # if protocol sniffing is enabled for outbound
+ enableProtocolSniffingForOutbound: true
+ # if protocol sniffing is enabled for inbound
+ enableProtocolSniffingForInbound: true
+ nodeSelector: {}
+ podAnnotations: {}
+ serviceAnnotations: {}
+ # You can use jwksResolverExtraRootCA to provide a root certificate
+ # in PEM format. This will then be trusted by pilot when resolving
+ # JWKS URIs.
+ jwksResolverExtraRootCA: ""
+ # This is used to set the source of configuration for
+ # the associated address in configSource, if nothing is specified
+ # the default MCP is assumed.
+ configSource:
+ subscribedResources: []
+ plugins: []
+ # The following is used to limit how long a sidecar can be connected
+ # to a pilot. It balances out load across pilot instances at the cost of
+ # increasing system churn.
+ keepaliveMaxServerConnectionAge: 30m
+ # Additional labels to apply to the deployment.
+ deploymentLabels: {}
+ ## Mesh config settings
+
+ # Install the mesh config map, generated from values.yaml.
+ # If false, pilot wil use default values (by default) or user-supplied values.
+ configMap: false
+ # Additional labels to apply on the pod level for monitoring and logging configuration.
+ podLabels: {}
+sidecarInjectorWebhook:
+ # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+ # always skip the injection on pods that match that label selector, regardless of the global policy.
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+ neverInjectSelector: []
+ alwaysInjectSelector: []
+ # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+ # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+ #
+ # annotations:
+ # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ #
+ # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+ # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+ # injectedAnnotations:
+ # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+ # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+ injectedAnnotations: {}
+ # This enables injection of sidecar in all namespaces,
+ # with the exception of namespaces with "istio-injection:disabled" annotation
+ # Only one environment should have this enabled.
+ enableNamespacesByDefault: false
+ rewriteAppHTTPProbe: true
+ # Templates defines a set of custom injection templates that can be used. For example, defining:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+ # being injected with the hello=world labels.
+ # This is intended for advanced configuration only; most users should use the built in template
+ templates: {}
+ # Default templates specifies a set of default templates that are used in sidecar injection.
+ # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+ # To inject other additional templates, define it using the `templates` option, and add it to
+ # the default templates list.
+ # For example:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # defaultTemplates: ["sidecar", "hello"]
+ defaultTemplates: []
+istiodRemote:
+ # Sidecar injector mutating webhook configuration clientConfig.url value.
+ # For example: https://$remotePilotAddress:15017/inject
+ # The host should not refer to a service running in the cluster; use a service reference by specifying
+ # the clientConfig.service field instead.
+ injectionURL: ""
+ # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+ # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+ injectionPath: "/inject"
+telemetry:
+ enabled: false
+ v2:
+ # For Null VM case now.
+ # This also enables metadata exchange.
+ enabled: true
+ metadataExchange:
+ # Indicates whether to enable WebAssembly runtime for metadata exchange filter.
+ wasmEnabled: false
+ # Indicate if prometheus stats filter is enabled or not
+ prometheus:
+ enabled: true
+ # Indicates whether to enable WebAssembly runtime for stats filter.
+ wasmEnabled: false
+ # overrides stats EnvoyFilter configuration.
+ configOverride:
+ gateway: {}
+ inboundSidecar: {}
+ outboundSidecar: {}
+ # stackdriver filter settings.
+ stackdriver:
+ enabled: false
+ logging: false
+ monitoring: false
+ topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
+ disableOutbound: false
+ # configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
+
+ configOverride: {}
+ # e.g.
+ # disable_server_access_logging: false
+ # disable_host_header_fallback: true
+ # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
+ accessLogPolicy:
+ enabled: false
+ # To reduce the number of successful logs, default log window duration is
+ # set to 12 hours.
+ logWindowDuration: "43200s"
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+# Revision tags are aliases to Istio control plane revisions
+revisionTags: []
+# For Helm compatibility.
+ownerName: ""
+# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+meshConfig:
+ enablePrometheusMerge: true
+global:
+ # Used to locate istiod.
+ istioNamespace: istio-system
+ # List of cert-signers to allow "approve" action in the istio cluster role
+ #
+ # certSigners:
+ # - clusterissuers.cert-manager.io/istio-ca
+ certSigners: []
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+ # The values aren't mutable due to a current PodDisruptionBudget limitation
+ # minAvailable: 1
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+ # Default tag for Istio images.
+ tag: 1.18.2
+ # Variant of the image to use.
+ # Currently supported are: [debug, distroless]
+ variant: ""
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Enabled by default in master for maximising testing.
+ istiod:
+ enableAnalysis: false
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+ omitSidecarInjectorConfigMap: true
+ # Whether to restrict the applications namespace the controller manages;
+ # If not set, controller watches all namespaces
+ oneNamespace: false
+ # Configure whether Operator manages webhook configurations. The current behavior
+ # of Istiod is to manage its own webhook configurations.
+ # When this option is set as true, Istio Operator, instead of webhooks, manages the
+ # webhook configurations. When this option is set as false, webhooks manage their
+ # own webhook configurations.
+ operatorManageWebhooks: false
+ # Custom DNS config for the pod to resolve names of services in other
+ # clusters. Use this to add additional search domains, and other settings.
+ # see
+ # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+ # This does not apply to gateway pods as they typically need a different
+ # set of DNS settings than the normal application pods (e.g., in
+ # multicluster scenarios).
+ # NOTE: If using templates, follow the pattern in the commented example below.
+ #podDNSSearchNamespaces:
+ #- global
+ #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+ proxy:
+ image: proxyv2
+ # This controls the 'policy' in the sidecar injector.
+ autoInject: enabled
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+ # istio ingress capture allowlist
+ # examples:
+ # Redirect only selected ports: --includeInboundPorts="80,8080"
+ excludeInboundPorts: ""
+ includeInboundPorts: "*"
+ # istio egress capture allowlist
+ # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+ # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+ # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+ # be allowed by the sidecar
+ includeIPRanges: "*"
+ excludeIPRanges: ""
+ includeOutboundPorts: ""
+ excludeOutboundPorts: ""
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+ #If set to true, istio-proxy container will have privileged securityContext
+ privileged: false
+ # The number of successive failed probes before indicating readiness failure.
+ readinessFailureThreshold: 30
+ # The initial delay for readiness probes in seconds.
+ readinessInitialDelaySeconds: 1
+ # The period between readiness probes.
+ readinessPeriodSeconds: 2
+ # Resources for the sidecar.
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+ statusPort: 15020
+ # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+ # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+ tracer: "zipkin"
+ proxy_init:
+ # Base name for the proxy_init container, used to configure iptables.
+ image: proxyv2
+ # configure remote pilot and istiod service and endpoint
+ remotePilotAddress: ""
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ # If not set explicitly, default to the Istio discovery address.
+ caAddress: ""
+ # Configure a remote cluster data plane controlled by an external istiod.
+ # When set to true, istiod is not deployed locally and only a subset of the other
+ # discovery charts are enabled.
+ externalIstiod: true
+ # Configure a remote cluster as the config cluster for an external istiod.
+ configCluster: false
+ # Configure the policy for validating JWT.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique. For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+ # Configure the mesh networks to be used by the Split Horizon EDS.
+ #
+ # The following example defines two networks with different endpoints association methods.
+ # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+ # mapped to network1. The gateway for this network example is specified by its public IP
+ # address and port.
+ # The second network, `network2`, in this example is defined differently with all endpoints
+ # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+ # gateway is also defined differently with the name of the gateway service on the remote
+ # cluster. The public IP for the gateway will be determined from that remote service (only
+ # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+ # it still need to be configured manually).
+ #
+ # meshNetworks:
+ # network1:
+ # endpoints:
+ # - fromCidr: "192.168.0.1/24"
+ # gateways:
+ # - address: 1.1.1.1
+ # port: 80
+ # network2:
+ # endpoints:
+ # - fromRegistry: reg1
+ # gateways:
+ # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+ # port: 443
+ #
+ meshNetworks: {}
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+ # The name of the CA for workload certificates.
+ # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+ # will be used as the certificates for workloads.
+ # The default value is "" and when caName="", the CA will be configured by other
+ # mechanisms (e.g., environmental variable CA_PROVIDER).
+ caName: ""
+ # whether to use autoscaling/v2 template for HPA settings
+ # for internal usage only, not to be configured by users.
+ autoscalingv2API: true
+base:
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
+ # If enabled, gateway-api types will be validated using the standard upstream validation logic.
+ # This is an alternative to deploying the standalone validation server the project provides.
+ # This is disabled by default, as the cluster may already have a validation server; while technically
+ # it works to have multiple redundant validations, this adds complexity and operational risks.
+ # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers. + validateGateway: false diff --git a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml b/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml new file mode 100644 index 000000000..1396a7b11 --- /dev/null +++ b/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +name: ztunnel +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.18.2 +appVersion: 1.18.2 +description: Helm chart for istio ztunnel components +keywords: + - istio-ztunnel + - istio +sources: + - https://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/ztunnel/README.md b/istio-1.18.2/manifests/charts/ztunnel/README.md new file mode 100644 index 000000000..f8887a126 --- /dev/null +++ b/istio-1.18.2/manifests/charts/ztunnel/README.md @@ -0,0 +1,36 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt b/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 000000000..93297520e --- /dev/null +++ b/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt 
@@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 000000000..d86deb00e --- /dev/null +++ b/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml 
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: ztunnel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- .Values.labels | toYaml | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ app: ztunnel
+ template:
+ metadata:
+ labels:
+ sidecar.istio.io/inject: "false"
+ app: ztunnel
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+ annotations:
+ cni.projectcalico.org/allowedSourcePrefixes: "[\"0.0.0.0/0\"]"
+ ambient.istio.io/redirection: disabled
+ sidecar.istio.io/inject: "false"
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+ spec:
+ serviceAccountName: ztunnel
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ containers:
+ - name: istio-proxy
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+ imagePullPolicy: {{ . }}
+{{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_ADMIN
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
+ readinessProbe:
+ httpGet:
+ port: 15021
+ path: /healthz/ready
+ args:
+ - proxy
+ - ztunnel
+ env:
+ - name: CLUSTER_ID
+ value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+ {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ {{- with .Values.env }}
+ {{- range $key, $val := . }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ volumes:
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: istio-ca
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 000000000..5a569b647
--- /dev/null
+++ b/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml
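Review bot: The env entries in the ztunnel DaemonSet interpolate chart values without escaping: both loops render `value: "{{ $value }}"` / `value: "{{ $val }}"`, and `CLUSTER_ID` is rendered with no quotes at all. A value containing a double quote or newline therefore yields malformed or altered YAML, and a numeric or boolean-looking `multiCluster.clusterName` renders as a non-string, which is not valid for an env `value`. Using `value: {{ $val | quote }}` in both loops and `| quote` on the `CLUSTER_ID` line keeps operator-supplied values as data. The container also runs as `runAsUser: 0` with `NET_ADMIN` under blanket tolerations and no explanation; a one-line comment above `securityContext:` stating why root and NET_ADMIN are needed (presumably for traffic redirection, to be confirmed) would help anyone auditing privileged DaemonSets. This file looks like a copy of the upstream Istio chart, so the fix may belong upstream rather than in this tree.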
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: ztunnel + namespace: {{ .Release.Namespace }} + labels: + {{- .Values.labels | toYaml | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +--- diff --git a/istio-1.18.2/manifests/charts/ztunnel/values.yaml b/istio-1.18.2/manifests/charts/ztunnel/values.yaml new file mode 100644 index 000000000..67967d01c --- /dev/null +++ b/istio-1.18.2/manifests/charts/ztunnel/values.yaml 
@@ -0,0 +1,55 @@ +# Hub to pull from. Image will be `Hub/Image:Tag-Variant` +hub: docker.io/istio +# Tag to pull from. Image will be `Hub/Image:Tag-Variant` +tag: 1.18.2 +# Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. +variant: "" + +# Image name to pull from. Image will be `Hub/Image:Tag-Variant` +# If Image contains a "/", it will replace the entire `image` in the pod. +image: ztunnel + +# Labels to apply to all top level resources +labels: {} +# Annotations to apply to all top level resources +annotations: {} + +# Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). +podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + +# Additional labels to apply on the pod level +podLabels: {} + +# Pod resource configuration +resources: + requests: + cpu: 500m + memory: 2048Mi + +# List of secret names to add to the service account as image pull secrets +imagePullSecrets: [] + +# A `key: value` mapping of environment variables to add to the pod +env: {} + +# Override for the pod imagePullPolicy +imagePullPolicy: "" + +# Settings for multicluster +multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + +# meshConfig defines runtime configuration of components. +# For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other +# components. +# TODO: https://github.com/istio/istio/issues/43248 +meshConfig: + defaultConfig: + proxyMetadata: {} + +# Ambient redirection mode: "iptables" or "ebpf" +redirectMode: "iptables" diff --git a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml b/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml new file mode 100644 index 000000000..48303976e --- /dev/null 
+++ b/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system + name: example-istiocontrolplane +spec: + profile: demo +... diff --git a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml b/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml new file mode 100644 index 000000000..c37e85b01 --- /dev/null +++ b/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml @@ -0,0 +1,8 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + profile: empty + components: + ingressGateways: + - enabled: true + namespace: my-namespace diff --git a/istio-1.18.2/manifests/profiles/ambient.yaml b/istio-1.18.2/manifests/profiles/ambient.yaml new file mode 100644 index 000000000..9900f3759 --- /dev/null +++ b/istio-1.18.2/manifests/profiles/ambient.yaml 
@@ -0,0 +1,52 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ # You may override parts of meshconfig by uncommenting the following lines.
+ meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+ # Telemetry API is used with ambient instead of EnvoyFilters
+ defaultProviders:
+ metrics:
+ - prometheus
+ extensionProviders:
+ - name: prometheus
+ prometheus: {}
+
+ components:
+ cni:
+ enabled: true
+ ztunnel:
+ enabled: true
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
+
+ values:
+ pilot:
+ env:
+ # Setup more secure default that is off in 'default' only for backwards compatibility
+ VERIFY_CERTIFICATE_AT_CLIENT: "true"
+ ENABLE_AUTO_SNI: "true"
+
+ PILOT_ENABLE_HBONE: "true"
+ CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+ PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+ cni:
+ logLevel: info
+ privileged: true
+ ambient:
+ enabled: true
+
+ # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+ excludeNamespaces:
+ - kube-system
+
+ # TODO: https://github.com/istio/istio/issues/43243
+ # variant: distroless
+ telemetry:
+ # Telemetry handled with Telemetry API only
+ enabled: false
+ v2:
+ enabled: false
diff --git a/istio-1.18.2/manifests/profiles/default.yaml b/istio-1.18.2/manifests/profiles/default.yaml
new file mode 100644
index 000000000..6e4439230
--- /dev/null
+++ b/istio-1.18.2/manifests/profiles/default.yaml
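Review bot: `CA_TRUSTED_NODE_ACCOUNTS` in the ambient profile trusts `kube-system/ztunnel` as well as `istio-system/ztunnel`, and the profile carries no comment explaining what that trust grants. As far as I understand this setting, each listed account may request workload certificates on behalf of pods on its node, so every entry delegates CA authority. The ztunnel chart in this same tree creates its ServiceAccount in `{{ .Release.Namespace }}`, so normally only one of the two namespaces holds a real ztunnel, and the other entry extends the same trust to any account that is later given that name. Consider narrowing the value to the namespace actually used, e.g. `CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel"`, with a comment such as `# accounts allowed to request certs for pods on their node; keep in sync with the ztunnel install namespace`. `cni.privileged: true` in the same hunk would benefit from a similar one-line justification.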
@@ -0,0 +1,177 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + hub: docker.io/istio + tag: 1.18.2 + + # You may override parts of meshconfig by uncommenting the following lines. + meshConfig: + defaultConfig: + proxyMetadata: {} + enablePrometheusMerge: true + # Opt-out of global http2 upgrades. + # Destination rule is used to opt-in. + # h2_upgrade_policy: DO_NOT_UPGRADE + + # Traffic management feature + components: + base: + enabled: true + pilot: + enabled: true + + # Istio Gateway feature + ingressGateways: + - name: istio-ingressgateway + enabled: true + egressGateways: + - name: istio-egressgateway + enabled: false + + # Istio CNI feature + cni: + enabled: false + + # Remote and config cluster configuration for an external istiod + istiodRemote: + enabled: false + + # Global values passed through to helm global.yaml. + # Please keep this in sync with manifests/charts/global.yaml + values: + defaultRevision: "" + global: + istioNamespace: istio-system + istiod: + enableAnalysis: false + logging: + level: "default:info" + logAsJson: false + pilotCertProvider: istiod + jwtPolicy: third-party-jwt + proxy: + image: proxyv2 + clusterDomain: "cluster.local" + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + logLevel: warning + componentLogLevel: "misc:error" + privileged: false + enableCoreDump: false + statusPort: 15020 + readinessInitialDelaySeconds: 1 + readinessPeriodSeconds: 2 + readinessFailureThreshold: 30 + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + excludeInboundPorts: "" + autoInject: enabled + tracer: "zipkin" + proxy_init: + image: proxyv2 + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. 
+ imagePullPolicy: "" + operatorManageWebhooks: false + tracer: + lightstep: {} + zipkin: {} + datadog: {} + stackdriver: {} + imagePullSecrets: [] + oneNamespace: false + defaultNodeSelector: {} + configValidation: true + multiCluster: + enabled: false + clusterName: "" + omitSidecarInjectorConfigMap: false + network: "" + defaultResources: + requests: + cpu: 10m + defaultPodDisruptionBudget: + enabled: true + priorityClassName: "" + useMCP: false + sds: + token: + aud: istio-ca + sts: + servicePort: 0 + meshNetworks: {} + mountMtlsCerts: false + base: + enableCRDTemplates: false + validationURL: "" + pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + image: pilot + traceSampling: 1.0 + env: {} + cpu: + targetAverageUtilization: 80 + nodeSelector: {} + keepaliveMaxServerConnectionAge: 30m + enableProtocolSniffingForOutbound: true + enableProtocolSniffingForInbound: true + deploymentLabels: + podLabels: {} + configMap: true + + telemetry: + enabled: true + v2: + enabled: true + metadataExchange: + wasmEnabled: false + prometheus: + wasmEnabled: false + enabled: true + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false + configOverride: {} + + istiodRemote: + injectionURL: "" + + gateways: + istio-egressgateway: + env: {} + autoscaleEnabled: true + type: ClusterIP + name: istio-egressgateway + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + + istio-ingressgateway: + autoscaleEnabled: true + type: LoadBalancer + name: istio-ingressgateway + env: {} + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: 
/etc/istio/ingressgateway-ca-certs diff --git a/istio-1.18.2/manifests/profiles/demo.yaml b/istio-1.18.2/manifests/profiles/demo.yaml new file mode 100644 index 000000000..426615539 --- /dev/null +++ b/istio-1.18.2/manifests/profiles/demo.yaml @@ -0,0 +1,85 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.istio-system.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.otel-collector.svc.cluster.local + components: + egressGateways: + - name: istio-egressgateway + enabled: true + k8s: + resources: + requests: + cpu: 10m + memory: 40Mi + + ingressGateways: + - name: istio-ingressgateway + enabled: true + k8s: + resources: + requests: + cpu: 10m + memory: 40Mi + service: + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + + pilot: + k8s: + env: + - name: PILOT_TRACE_SAMPLING + value: "100" + resources: + requests: + cpu: 10m + memory: 100Mi + + values: + global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + + pilot: + autoscaleEnabled: false + + gateways: + istio-egressgateway: + autoscaleEnabled: false + istio-ingressgateway: + autoscaleEnabled: false 
diff --git a/istio-1.18.2/manifests/profiles/empty.yaml b/istio-1.18.2/manifests/profiles/empty.yaml new file mode 100644 index 000000000..07de5b1e0 --- /dev/null +++ b/istio-1.18.2/manifests/profiles/empty.yaml @@ -0,0 +1,13 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: false + pilot: + enabled: false + ingressGateways: + - name: istio-ingressgateway + enabled: false diff --git a/istio-1.18.2/manifests/profiles/external.yaml b/istio-1.18.2/manifests/profiles/external.yaml new file mode 100644 index 000000000..6a1c65fb3 --- /dev/null +++ b/istio-1.18.2/manifests/profiles/external.yaml @@ -0,0 +1,23 @@ +# Deprecated. Use the "remote" profile instead. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: false + pilot: + enabled: false + ingressGateways: + - name: istio-ingressgateway + enabled: false + istiodRemote: + enabled: true + values: + global: + externalIstiod: true + omitSidecarInjectorConfigMap: true + configCluster: false + pilot: + configMap: false + telemetry: + enabled: false diff --git a/istio-1.18.2/manifests/profiles/minimal.yaml b/istio-1.18.2/manifests/profiles/minimal.yaml new file mode 100644 index 000000000..075881ee0 --- /dev/null +++ b/istio-1.18.2/manifests/profiles/minimal.yaml @@ -0,0 +1,8 @@ +# The minimal profile will install just the core control plane +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - name: istio-ingressgateway + enabled: false diff --git a/istio-1.18.2/manifests/profiles/openshift.yaml b/istio-1.18.2/manifests/profiles/openshift.yaml new file mode 100644 index 000000000..e483e346c --- /dev/null +++ b/istio-1.18.2/manifests/profiles/openshift.yaml 
@@ -0,0 +1,21 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + cni: + enabled: true + namespace: kube-system + values: + cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + excludeNamespaces: + - istio-system + - kube-system + logLevel: info + privileged: true + sidecarInjectorWebhook: + injectedAnnotations: + k8s.v1.cni.cncf.io/networks: istio-cni diff --git a/istio-1.18.2/manifests/profiles/preview.yaml b/istio-1.18.2/manifests/profiles/preview.yaml new file mode 100644 index 000000000..e0d9b636a --- /dev/null +++ b/istio-1.18.2/manifests/profiles/preview.yaml @@ -0,0 +1,21 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" + # Enable dynamic bootstrap generation. + BOOTSTRAP_XDS_AGENT: "true" + values: + telemetry: + v2: + metadataExchange: + wasmEnabled: true + prometheus: + wasmEnabled: true diff --git a/istio-1.18.2/manifests/profiles/remote.yaml b/istio-1.18.2/manifests/profiles/remote.yaml new file mode 100644 index 000000000..28d024c2f --- /dev/null +++ b/istio-1.18.2/manifests/profiles/remote.yaml 
@@ -0,0 +1,24 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: false + pilot: + enabled: false + ingressGateways: + - name: istio-ingressgateway + enabled: false + istiodRemote: + enabled: true + values: + global: + externalIstiod: true + omitSidecarInjectorConfigMap: true + configCluster: false + pilot: + configMap: false + telemetry: + enabled: false diff --git a/istio-1.18.2/samples/README.md b/istio-1.18.2/samples/README.md new file mode 100644 index 000000000..a1a140f8c --- /dev/null +++ b/istio-1.18.2/samples/README.md @@ -0,0 +1,3 @@ +# Istio Samples + +This directory contains sample applications highlighting various Istio features. diff --git a/istio-1.18.2/samples/addons/README.md b/istio-1.18.2/samples/addons/README.md new file mode 100644 index 000000000..71da0a3c4 --- /dev/null +++ b/istio-1.18.2/samples/addons/README.md 
@@ -0,0 +1,102 @@ +# Telemetry Addons + +This directory contains sample deployments of various addons that integrate with Istio. While these applications +are not a part of Istio, they are essential to making the most of Istio's observability features. + +The deployments here are meant to quickly get up and running, and are optimized for this case. As a result, +they may not be suitable for production. See below for more info on integrating a production grade version of each +addon. + +## Getting started + +To quickly deploy all addons: + +```shell script +kubectl apply -f samples/addons +``` + +Alternatively, you can deploy individual addons: + +```shell script +kubectl apply -f samples/addons/prometheus.yaml +``` + +## Addons + +### Prometheus + +[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database. +You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh. +You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali). + +For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/). + +### Grafana + +[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio. +You can use Grafana to monitor the health of Istio and of applications within the service mesh. + +This sample provides the following dashboards: + +* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh. +* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service. +* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload. +* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh. 
+* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane. +* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state. + +For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/). + +### Kiali + +[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities. +It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh. +Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries. +Distributed tracing is provided by integrating [Jaeger](#jaeger). + +For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task. + +### Jaeger + +[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems. + +Jaeger helps in a variety of tasks including: + +* Distributed context propagation +* Distributed transaction monitoring +* Root cause analysis +* Service dependency analysis +* Performance / latency optimization + +For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/). + +### Zipkin + +[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data. + +Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`. 
+You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it +to begin with by following the selective install steps in [Getting Started](#getting-started). + +For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/). + +### Prometheus Operator + +The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance. + +As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor` +Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`. + +> **Note** +> +> The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default. +> +> **Note** +> +> The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components. +> See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this. +> +> **Warning** +> +> When the example `PodMonitor` is used with OpenShift Monitoring, it must be created in all namespaces where istio-proxies exist. +> This is because `namespaceSelector` is ignored for tenancy isolation. diff --git a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml b/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml new file mode 100644 index 000000000..73a926efd --- /dev/null +++ b/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml 
@@ -0,0 +1,66 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: envoy-stats-monitor + namespace: istio-system + labels: + monitoring: istio-proxies + release: istio +spec: + selector: + matchExpressions: + - {key: istio-prometheus-ignore, operator: DoesNotExist} + namespaceSelector: + any: true + jobLabel: envoy-stats + podMetricsEndpoints: + - path: /stats/prometheus + interval: 15s + relabelings: + - action: keep + sourceLabels: [__meta_kubernetes_pod_container_name] + regex: "istio-proxy" + - action: keep + sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape] + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + sourceLabels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + targetLabel: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + sourceLabels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + targetLabel: __address__ + - action: labeldrop + regex: "__meta_kubernetes_pod_label_(.+)" + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: namespace + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: pod_name +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: istio-component-monitor + namespace: istio-system + labels: + monitoring: istio-components + release: istio +spec: + jobLabel: istio + targetLabels: [app] + selector: + matchExpressions: + - {key: istio, operator: In, values: [pilot]} + namespaceSelector: + any: true + endpoints: + - port: http-monitoring + interval: 15s diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml new file mode 100644 index 000000000..cf4039d84 --- /dev/null +++ b/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml 
@@ -0,0 +1,530 @@ +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: 
replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + - job_name: kubernetes-file-sd-endpoints + kubernetes_sd_configs: + - role: endpoints + file_sd_configs: + - files: + - /etc/file_sd/*.json + relabel_configs: + - action: keep + regex: (.+) + source_labels: + - __meta_filepath + - replacement: /stats/prometheus + target_label: __metrics_path__ + + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get + - apiGroups: + - "networking.istio.io" + verbs: + - get + - watch + - list + resources: + - workloadentries + - apiGroups: + - "" + verbs: + - get + - watch + - list + - 
create + - update + - patch + - delete + resources: + - configmaps +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.5.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: file-sd-volume + mountPath: /etc/file_sd + readOnly: true + + - name: prometheus-server + image: 
"prom/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + - name: file-sd-volume + mountPath: /etc/file_sd + - name: vm-discovery + image: "istioecosystem/vm-discovery:latest" + imagePullPolicy: "IfNotPresent" + hostNetwork: false + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: file-sd-volume + configMap: + name: file-sd-config + optional: true + - name: storage-volume + emptyDir: + {} \ No newline at end of file diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml new file mode 100644 index 000000000..3d571b986 --- /dev/null +++ b/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml 
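Review bot: The `vm-discovery` container in the Deployment is pulled as `istioecosystem/vm-discovery:latest` with `imagePullPolicy: "IfNotPresent"`, so what runs is whatever that mutable tag resolved to when each node first pulled it, and it runs in a pod bound to the `prometheus` ServiceAccount. The ClusterRole in this file gives that account `create`/`update`/`patch`/`delete` on `configmaps` in every namespace through the ClusterRoleBinding, which is far more than maintaining one ConfigMap needs. I would pin the image, e.g. `image: "istioecosystem/vm-discovery@sha256:<digest>"`, and move the configmaps write rule into a namespaced Role in `istio-system`, limiting update/patch/delete with `resourceNames: ["file-sd-config"]` (presumably the only object the sidecar writes; confirm). prometheus_vm_tls.yaml repeats both patterns.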
@@ -0,0 +1,548 @@ +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: 
replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + - job_name: kubernetes-file-sd-endpoints + kubernetes_sd_configs: + - role: endpoints + file_sd_configs: + - files: + - /etc/file_sd/*.json + scheme: https + tls_config: + ca_file: /etc/prom-certs/root-cert.pem + cert_file: /etc/prom-certs/cert-chain.pem + key_file: /etc/prom-certs/key.pem + insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod ceritifcate + relabel_configs: + - action: keep + regex: (.+) + source_labels: + - __meta_filepath + - replacement: /stats/prometheus + target_label: __metrics_path__ + + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - 
ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get + - apiGroups: + - "networking.istio.io" + verbs: + - get + - watch + - list + resources: + - workloadentries + - apiGroups: + - "" + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + resources: + - configmaps +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + traffic.sidecar.istio.io/includeInboundPorts: "" # do not intercept any inbound ports + traffic.sidecar.istio.io/includeOutboundIPRanges: "" # do not intercept any outbound traffic + proxy.istio.io/config: | # configure an env variable `OUTPUT_CERTS` to write certificates to the given folder + proxyMetadata: + 
OUTPUT_CERTS: /etc/istio-output-certs + sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' # mount the shared volume at sidecar proxy + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + sidecar.istio.io/inject: "true" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.5.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: file-sd-volume + mountPath: /etc/file_sd + readOnly: true + + - name: prometheus-server + image: "prom/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + - name: file-sd-volume + mountPath: /etc/file_sd + - name: istio-certs + mountPath: /etc/prom-certs/ + - name: vm-discovery + image: "istioecosystem/vm-discovery:latest" + imagePullPolicy: "IfNotPresent" + hostNetwork: false + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + 
terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: file-sd-volume + configMap: + name: file-sd-config + optional: true + - name: istio-certs + emptyDir: + medium: Memory + - name: storage-volume + emptyDir: + {} \ No newline at end of file diff --git a/istio-1.18.2/samples/addons/extras/skywalking.yaml b/istio-1.18.2/samples/addons/extras/skywalking.yaml new file mode 100644 index 000000000..0633b74d0 --- /dev/null +++ b/istio-1.18.2/samples/addons/extras/skywalking.yaml 
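Review bot: In the `kubernetes-file-sd-endpoints` job, `insecure_skip_verify: true` means the scrape presents the workload certificate from `/etc/prom-certs/` but never authenticates the target, so TLS here gives client authentication and encryption only. The inline comment says why verification is skipped but not what that leaves unprotected: targets are read from `/etc/file_sd/*.json`, and the scraper will accept any endpoint listed there. I would extend the comment to something like `# target identity is NOT verified; keep write access to file-sd-config restricted`. The `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` jobs also set `insecure_skip_verify: true` next to a `ca_file` while sending the ServiceAccount bearer token, where `insecure_skip_verify: false` looks viable (confirm against the target clusters); prometheus_vm.yaml has the same three jobs.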
@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: skywalking-oap
+ namespace: istio-system
+ labels:
+ app: skywalking-oap
+spec:
+ selector:
+ matchLabels:
+ app: skywalking-oap
+ template:
+ metadata:
+ labels:
+ app: skywalking-oap
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: skywalking-oap
+ image: apache/skywalking-oap-server:9.1.0
+ env:
+ - name: SW_HEALTH_CHECKER
+ value: default
+ readinessProbe:
+ exec:
+ command:
+ - /skywalking/bin/swctl
+ - health
+ initialDelaySeconds: 30
+ periodSeconds: 5
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: skywalking-oap
+spec:
+ type: ClusterIP
+ ports:
+ - name: grpc
+ port: 11800
+ protocol: TCP
+ targetPort: 11800
+ - name: http-query
+ port: 12800
+ protocol: TCP
+ targetPort: 12800
+ selector:
+ app: skywalking-oap
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: skywalking-oap
+ name: skywalking-oap
+ namespace: istio-system
+spec:
+ ports:
+ - port: 11800
+ targetPort: 11800
+ name: grpc
+ - port: 12800
+ targetPort: 12800
+ name: http-query
+ selector:
+ app: skywalking-oap
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: skywalking-ui
+ namespace: istio-system
+ labels:
+ app: skywalking-ui
+spec:
+ selector:
+ matchLabels:
+ app: skywalking-ui
+ template:
+ metadata:
+ labels:
+ app: skywalking-ui
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: skywalking-ui
+ image: apache/skywalking-ui:9.1.0
+ env:
+ - name: SW_OAP_ADDRESS
+ value: http://skywalking-oap:12800
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing-ui
+ namespace: istio-system
+ labels:
+ app: skywalking-ui
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: skywalking-ui
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: skywalking-ui
+ name: skywalking-ui
+ namespace: istio-system
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ name: http
+ selector:
+ app: skywalking-ui
diff --git a/istio-1.18.2/samples/addons/extras/zipkin.yaml b/istio-1.18.2/samples/addons/extras/zipkin.yaml
new file mode 100644
index 000000000..b9bced3d9
--- /dev/null
+++ b/istio-1.18.2/samples/addons/extras/zipkin.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zipkin
+ namespace: istio-system
+ labels:
+ app: zipkin
+spec:
+ selector:
+ matchLabels:
+ app: zipkin
+ template:
+ metadata:
+ labels:
+ app: zipkin
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: zipkin
+ image: openzipkin/zipkin-slim:2.23.14
+ env:
+ - name: STORAGE_METHOD
+ value: "mem"
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 9411
+ initialDelaySeconds: 5
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: zipkin
+spec:
+ type: ClusterIP
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: 9411
+ selector:
+ app: zipkin
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: zipkin
+ name: zipkin
+ namespace: istio-system
+spec:
+ ports:
+ - port: 9411
+ targetPort: 9411
+ name: http-query
+ selector:
+ app: zipkin
diff --git a/istio-1.18.2/samples/addons/grafana.yaml b/istio-1.18.2/samples/addons/grafana.yaml
new file mode 100644
index 000000000..0cebcf49a
--- /dev/null
+++ b/istio-1.18.2/samples/addons/grafana.yaml
@@ -0,0 +1,1129 @@ +--- +# Source: grafana/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: grafana-6.31.1 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.0.1" + app.kubernetes.io/managed-by: Helm + name: grafana + namespace: istio-system +--- +# Source: grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.31.1 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.0.1" + app.kubernetes.io/managed-by: Helm +data: + allow-snippet-annotations: "false" + grafana.ini: | + [analytics] + check_for_updates = true + [grafana_net] + url = https://grafana.net + [log] + mode = console + [paths] + data = /var/lib/grafana/ + logs = /var/log/grafana + plugins = /var/lib/grafana/plugins + provisioning = /etc/grafana/provisioning + + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + - access: proxy + editable: true + isDefault: false + jsonData: + timeInterval: 5s + name: Loki + orgId: 1 + type: loki + url: http://loki:3100 + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + - disableDeletion: false + folder: istio + name: istio-services + options: + path: /var/lib/grafana/dashboards/istio-services + orgId: 1 + type: file +--- +# Source: grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.31.1 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.0.1" + 
app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: service + port: 3000 + protocol: TCP + targetPort: 3000 + + selector: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana +--- +# Source: grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.31.1 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.0.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app: grafana + sidecar.istio.io/inject: "false" + annotations: + checksum/config: 21013edd24d239f48f0228579d13d44411baf698367879ae68290467749f6dcf + checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + spec: + + serviceAccountName: grafana + automountServiceAccountToken: true + securityContext: + fsGroup: 472 + runAsGroup: 472 + runAsUser: 472 + enableServiceLinks: true + containers: + - name: grafana + image: "grafana/grafana:9.0.1" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + - name: storage + mountPath: "/var/lib/grafana" + - name: dashboards-istio + mountPath: "/var/lib/grafana/dashboards/istio" + - name: dashboards-istio-services + mountPath: "/var/lib/grafana/dashboards/istio-services" + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: "datasources.yaml" + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: 
"dashboardproviders.yaml" + ports: + - name: service + containerPort: 3000 + protocol: TCP + - name: grafana + containerPort: 3000 + protocol: TCP + env: + - name: GF_PATHS_DATA + value: /var/lib/grafana/ + - name: GF_PATHS_LOGS + value: /var/log/grafana + - name: GF_PATHS_PLUGINS + value: /var/lib/grafana/plugins + - name: GF_PATHS_PROVISIONING + value: /etc/grafana/provisioning + - name: "GF_AUTH_ANONYMOUS_ENABLED" + value: "true" + - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" + value: "Admin" + - name: "GF_AUTH_BASIC_ENABLED" + value: "false" + - name: "GF_SECURITY_ADMIN_PASSWORD" + value: "-" + - name: "GF_SECURITY_ADMIN_USER" + value: "-" + livenessProbe: + failureThreshold: 10 + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + {} + volumes: + - name: config + configMap: + name: grafana + + - name: dashboards-istio + configMap: + name: istio-grafana-dashboards + - name: dashboards-istio-services + configMap: + name: istio-services-grafana-dashboards + - name: storage + emptyDir: {} + +--- + +apiVersion: v1 +data: + istio-performance-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":true,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[{"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. 
Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"mode":"markdown","timeFrom":null,"timeShift":null,"title":"Performance Dashboard README","transparent":true,"type":"text"}],"title":"Performance Dashboard Notes","type":"row"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":6,"panels":[],"title":"vCPU Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":2},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU / 1k 
rps","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":2},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"panels":[],"title":"Memory and Data 
Rates","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":11},"id":902,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory 
Usage","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":11},"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Bytes transferred / sec","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":19},"id":17,"panels":[],"title":"Istio Component 
Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":24,"x":0,"y":20},"id":15,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":32},"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":32},"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":32},"id":702,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":39},"id":69,"panels":[],"title":"Istiod Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":40},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":40},"id":602,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":40},"id":74,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":40},"id":402,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of 
Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"10s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","uid":"vu8e0VWZk","version":22} + pilot-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":1,"links":[],"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":60,"panels":[],"title":"Deployed Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":56,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build{component=\"pilot\"}) by 
(tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Versions","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":6},"id":62,"panels":[],"title":"Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":7},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap 
in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (container)","refId":"B","step":2},{"expr":"container_memory_working_set_bytes{container=~\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar (container)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":7},"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Discovery (container)","refId":"A"},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (process)","refId":"C","step":2},{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Sidecar (container)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"CPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":7},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"container_fs_usage_bytes{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"Discovery","refId":"B","step":2},{"expr":"container_fs_usage_bytes{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":7},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":14},"id":58,"panels":[],"title":"Pilot Push Information","type":"row"},{"aliasColors":{},"bars":true,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the rate of pilot 
pushes","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":15},"id":622,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":false,"linewidth":1,"links":[],"nullPointMode":"null as zero","paceLength":10,"percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":true,"steppedLine":false,"targets":[{"expr":"sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Cluster","refId":"C"},{"expr":"sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Endpoints","refId":"D"},{"expr":"sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Listeners","refId":"A"},{"expr":"sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Routes","refId":"E"},{"expr":"sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))","interval":"","legendFormat":"Secrets","refId":"B"},{"expr":"sum(irate(pilot_xds_pushes{type=\"nds\"}[1m]))","interval":"","legendFormat":"Nametables","refId":"F"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Pushes","tooltip":{"shared":false,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":["total"]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":"0","show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Captures a variety of pilot 
errors","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":15},"id":67,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(pilot_xds_cds_reject{app=\"istiod\"}) or (absent(pilot_xds_cds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected CDS Configs","refId":"C"},{"expr":"sum(pilot_xds_eds_reject{app=\"istiod\"}) or (absent(pilot_xds_eds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected EDS Configs","refId":"D"},{"expr":"sum(pilot_xds_rds_reject{app=\"istiod\"}) or (absent(pilot_xds_rds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected RDS Configs","refId":"A"},{"expr":"sum(pilot_xds_lds_reject{app=\"istiod\"}) or (absent(pilot_xds_lds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected LDS Configs","refId":"B"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Write Timeouts","refId":"F"},{"expr":"sum(rate(pilot_total_xds_internal_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Internal Errors","refId":"H"},{"expr":"sum(rate(pilot_total_xds_rejects{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Config Rejection Rate","refId":"E"},{"expr":"sum(rate(pilot_xds_push_context_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Push Context 
Errors","refId":"K"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Push Timeouts","refId":"G"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Errors","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the total time it takes to push a config update to a proxy","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":15},"id":624,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p50 ","refId":"A"},{"expr":"histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p90","refId":"B"},{"expr":"histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99","refId":"C"},{"expr":"histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99.9","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Proxy Push 
Time","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"s","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":23},"id":45,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null as zero","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"pilot_conflict_inbound_listener{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Inbound Listeners","refId":"B"},{"expr":"pilot_conflict_outbound_listener_http_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (http over current tcp)","refId":"A"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current tcp)","refId":"C"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_http{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current 
http)","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Conflicts","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":23},"id":47,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(pilot_virt_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Virtual Services","refId":"A"},{"expr":"avg(pilot_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Services","refId":"B"},{"expr":"sum(pilot_xds{app=\"istiod\"}) by (pod)","format":"time_series","intervalFactor":1,"legendFormat":"Connected Endpoints {{pod}}","refId":"E"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"ADS Monitoring","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":64,"panels":[],"title":"Envoy 
Information","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows details about Envoy proxies in the mesh","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":32},"id":40,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connections","refId":"C"},{"expr":"sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connection Failures","refId":"A"},{"expr":"sum(increase(envoy_server_hot_restart_epoch[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Envoy Restarts","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Envoy 
Details","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":32},"id":41,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","format":"time_series","intervalFactor":2,"legendFormat":"XDS Active Connections","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Active Connections","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the size of XDS requests and 
responses","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":32},"id":42,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Max","refId":"D"},{"expr":"quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Average","refId":"B"},{"expr":"max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Max","refId":"A"},{"expr":"quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Average","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Requests 
Size","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":null,"gridPos":{"h":1,"w":24,"x":0,"y":40},"id":626,"panels":[],"title":"Webhooks","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":41},"hiddenSeries":false,"id":629,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(galley_validation_passed[1m]))","interval":"","legendFormat":"Validations (Success)","refId":"A"},{"expr":"sum(rate(galley_validation_failed[1m]))","interval":"","legendFormat":"Validation (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Configuration 
Validation","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"description":"","fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":41},"hiddenSeries":false,"id":630,"legend":{"avg":false,"current":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(sidecar_injection_success_total[1m]))","interval":"","legendFormat":"Injections (Success)","refId":"A"},{"expr":"sum(rate(sidecar_injection_failure_total[1m]))","interval":"","legendFormat":"Injections (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Sidecar 
Injection","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Control Plane Dashboard","uid":"3--MLVZZk","version":11} +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-grafana-dashboards + namespace: istio-system + +--- + +apiVersion: v1 +data: + istio-extension-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"title":"Wasm 
VMs","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"","fieldConfig":{"defaults":{"custom":{"align":null},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":1},"hiddenSeries":false,"id":2,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Active","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:123","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:124","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":1},"hiddenSeries":false,"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flo
t","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Created","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:68","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:69","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"title":"Wasm Module Remote Load","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":0,"y":10},"hiddenSeries":false,"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legendFormat":"entries","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Entry","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:178","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:179","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":8,"y":10},"hiddenSeries":false,"id":8,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Visit","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:233","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:234","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":16,"y":10},"hiddenSeries":false,"id":10,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Remote Fetch","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:288","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:289","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"title":"Proxy Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":19},"hiddenSeries":false,"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:396","format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:397","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":19},"hiddenSeries":false,"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}
[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:447","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:448","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":false,"schemaVersion":26,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["10s","30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","uid":"7PAV7ctGz","version":17} + istio-mesh-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[{"content":"
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to secure,\n connect, and \n monitor microservices.\n
\n Need help? Join the Istio community.\n
\n
","gridPos":{"h":3,"w":24,"x":0,"y":0},"height":"50px","id":13,"links":[],"mode":"html","style":{"font-size":"18pt"},"title":"","transparent":true,"type":"text"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":3},"id":20,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"round(sum(irate(istio_requests_total{reporter=\"source\"}[1m])), 0.001)","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"Global Request Volume","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 
0.97)"],"datasource":"Prometheus","format":"percentunit","gauge":{"maxValue":100,"minValue":80,"show":false,"thresholdLabels":false,"thresholdMarkers":false},"gridPos":{"h":3,"w":6,"x":6,"y":3},"id":21,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"95, 99, 99.5","title":"Global Success Rate (non-5xx responses)","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":3},"id":22,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"4.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"4xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":3},"id":23,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", 
response_code=~\"5.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"5xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":113,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Virtual Services","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":114,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Destination Rules","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":115,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Gateways","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":116,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Workload 
Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":117,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Service Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":90,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"PeerAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":91,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"RequestAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":92,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 
0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Authorization Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":21,"w":24,"x":0,"y":9},"hideTimeOverride":false,"id":73,"links":[],"pageSize":null,"repeat":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"Workload dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Requests","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[],"type":"number","unit":"ops"},{"alias":"P50 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"s"},{"alias":"P90 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #C","thresholds":[],"type":"number","unit":"s"},{"alias":"P99 
Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #D","thresholds":[],"type":"number","unit":"s"},{"alias":"Success Rate","colorMode":"cell","colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #E","thresholds":[".95"," 1.00"],"type":"number","unit":"percentunit"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}","pattern":"destination_workload_var","thresholds":[],"type":"number","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_requests_total{reporter=\"source\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"A"},{"expr":"label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"B"},{"expr":"label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"C"},{"expr":"label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"D"},{"expr":"label_join((sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) by 
(destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"interval":"","intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"E"}],"timeFrom":null,"title":"HTTP/GRPC Workloads","transform":"table","type":"table"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":18,"w":24,"x":0,"y":30},"hideTimeOverride":false,"id":109,"links":[],"pageSize":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"Bytes Sent","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[""],"type":"number","unit":"Bps"},{"alias":"Bytes Received","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"Bps"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD 
HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload_var","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"number","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"A"},{"expr":"label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"B"}],"timeFrom":null,"title":"TCP 
Workloads","transform":"table","type":"table"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":9,"w":24,"x":0,"y":48},"id":111,"legend":{"alignAsTable":false,"avg":false,"current":false,"max":false,"min":false,"rightSide":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Mesh Dashboard","uid":"G8wLrJIZk","version":5} + istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- + Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations + & 
Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1595591291797,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[{\"content\":\"
\\nSERVICE: $service\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Client + Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Client Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.99, 
sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Client + Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Received Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Server + Request 
Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Server Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"hiddenSeries\":false,\"id\":99,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Server + Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Sent Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":104,\"panels\":[{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":2},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":5},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By Source And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":5},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + 
connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":11},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack
\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":11},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by 
(source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":11},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + 
source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Client + Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":102,\"panels\":[{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":3},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":6},\"hiddenSeries\":false,\"id\":90,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, + destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By 
Destination Workload And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":6},\"hiddenSeries\":false,\"id\":91,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By Destination 
Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":12},\"hiddenSeries\":false,\"id\":94,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ 
destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":12},\"hiddenSeries\":false,\"id\":95,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"st
eppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by 
(destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":12},\"hiddenSeries\":false,\"id\":96,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, 
destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":18},\"hiddenSeries\":false,\"id\":92,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":18},\"hiddenSeries\":false,\"id\":93,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Service + 
Workloads\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by 
(source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_cluster) or 
sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", + destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or + sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) + by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( + sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", + destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", + destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\", + destination_workload_namespace=~\\\"$dstns\\\"}) by 
(destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Service Dashboard\",\"uid\":\"LJ_uJAvmk\",\"version\":1}\n" + istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- + Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations + & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1531345461465,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Incoming + Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Incoming Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by 
(le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Request + Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Server Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Client Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":93,\"panels\":[{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, 
source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Inbound + Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":91,\"panels\":[{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":14},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":70,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Requests By Destination And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":71,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Success Rate (non-5xx responses) By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":23},\"hiddenSeries\":false,\"id\":72,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + 
destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Request Duration By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":23},\"hiddenSeries\":false,\"id\":73,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + 
destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Request Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":23},\"hiddenSeries\":false,\"id\":74,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} 
P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":29},\"hiddenSeries\":false,\"id\":76,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent on Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":29},\"hiddenSeries\":false,\"id\":78,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 
0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Outbound + Services\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) + by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by 
(destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + 
Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination + Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Workload Dashboard\",\"uid\":\"UbsSZTDik\",\"version\":1}\n" +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-services-grafana-dashboards + namespace: istio-system 
diff --git a/istio-1.18.2/samples/addons/jaeger.yaml b/istio-1.18.2/samples/addons/jaeger.yaml
new file mode 100644
index 000000000..41896ee19
--- /dev/null
+++ b/istio-1.18.2/samples/addons/jaeger.yaml
@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ selector:
+ matchLabels:
+ app: jaeger
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ sidecar.istio.io/inject: "false"
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+ spec:
+ containers:
+ - name: jaeger
+ image: "docker.io/jaegertracing/all-in-one:1.35"
+ env:
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: ":9411"
+ - name: MEMORY_MAX_TRACES
+ value: "50000"
+ - name: QUERY_BASE_PATH
+ value: /jaeger
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+ resources:
+ requests:
+ cpu: 10m
+ volumes:
+ - name: data
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: 16686
+ # Note: Change port name if you add '--query.grpc.tls.enabled=true'
+ - name: grpc-query
+ port: 16685
+ protocol: TCP
+ targetPort: 16685
+ selector:
+ app: jaeger
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: zipkin
+ name: zipkin
+ namespace: istio-system
+spec:
+ ports:
+ - port: 9411
+ targetPort: 9411
+ name: http-query
+ selector:
+ app: jaeger
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ selector:
+ app: jaeger
diff --git a/istio-1.18.2/samples/addons/kiali.yaml b/istio-1.18.2/samples/addons/kiali.yaml
new file mode 100644
index 000000000..41ab9672d
--- /dev/null
+++ b/istio-1.18.2/samples/addons/kiali.yaml
@@ -0,0 +1,551 @@ +--- +# Source: kiali-server/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kiali + namespace: istio-system + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +... +--- +# Source: kiali-server/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali + namespace: istio-system + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +data: + config.yaml: | + auth: + openid: {} + openshift: + client_id_prefix: kiali + strategy: anonymous + deployment: + accessible_namespaces: + - '**' + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + configmap_annotations: {} + custom_secrets: [] + host_aliases: [] + hpa: + api_version: autoscaling/v2beta2 + spec: {} + image_digest: "" + image_name: quay.io/kiali/kiali + image_pull_policy: Always + image_pull_secrets: [] + image_version: v1.67 + ingress: + additional_labels: {} + class_name: nginx + override_yaml: + metadata: {} + ingress_enabled: false + instance_name: kiali + logger: + log_format: text + log_level: info + sampler_rate: "1" + time_field_format: 2006-01-02T15:04:05Z07:00 + namespace: istio-system + node_selector: {} + pod_annotations: {} + pod_labels: + sidecar.istio.io/inject: "false" + priority_class_name: "" + replicas: 1 + resources: + limits: + memory: 1Gi + requests: + cpu: 10m + memory: 64Mi + secret_name: kiali + security_context: {} + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v1.67.0 + view_only_mode: false + external_services: + custom_dashboards: + 
enabled: true + istio: + root_namespace: istio-system + identity: + cert_file: "" + private_key_file: "" + istio_namespace: istio-system + kiali_feature_flags: + certificates_information_indicators: + enabled: true + secrets: + - cacerts + - istio-ca-secret + clustering: + autodetect_secrets: + enabled: true + label: kiali.io/multiCluster=true + clusters: [] + disabled_features: [] + validations: + ignore: + - KIA1201 + login_token: + signing_key: CHANGEME00000000 + server: + metrics_enabled: true + metrics_port: 9090 + port: 20001 + web_root: /kiali +... +--- +# Source: kiali-server/templates/role-viewer.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali-viewer + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - pods/log + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + 
verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +... +--- +# Source: kiali-server/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - pods/log + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +... 
+--- +# Source: kiali-server/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kiali + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiali +subjects: +- kind: ServiceAccount + name: kiali + namespace: istio-system +... +--- +# Source: kiali-server/templates/role-controlplane.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kiali-controlplane + namespace: istio-system + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +rules: +- apiGroups: [""] + resourceNames: + - cacerts + - istio-ca-secret + resources: + - secrets + verbs: + - get + - list + - watch +... +--- +# Source: kiali-server/templates/rolebinding-controlplane.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kiali-controlplane + namespace: istio-system + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kiali-controlplane +subjects: +- kind: ServiceAccount + name: kiali + namespace: istio-system +... 
+--- +# Source: kiali-server/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: kiali + namespace: istio-system + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" + annotations: +spec: + ports: + - name: http + appProtocol: http + protocol: TCP + port: 20001 + - name: http-metrics + appProtocol: http + protocol: TCP + port: 9090 + selector: + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali +... +--- +# Source: kiali-server/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kiali + namespace: istio-system + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: kiali + labels: + helm.sh/chart: kiali-server-1.67.0 + app: kiali + app.kubernetes.io/name: kiali + app.kubernetes.io/instance: kiali + version: "v1.67.0" + app.kubernetes.io/version: "v1.67.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: "kiali" + sidecar.istio.io/inject: "false" + annotations: + checksum/config: 88419f205248a3fdba75ba592ce095a39000318ed6056baaa08ea19d716e94c1 + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + kiali.io/dashboards: go,kiali + spec: + serviceAccountName: kiali + containers: + - image: "quay.io/kiali/kiali:v1.67" + imagePullPolicy: Always + name: kiali + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" 
+ securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + ports: + - name: api-port + containerPort: 20001 + - name: http-metrics + containerPort: 9090 + readinessProbe: + httpGet: + path: /kiali/healthz + port: api-port + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: /kiali/healthz + port: api-port + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "info" + - name: LOG_FORMAT + value: "text" + - name: LOG_TIME_FIELD_FORMAT + value: "2006-01-02T15:04:05Z07:00" + - name: LOG_SAMPLER_RATE + value: "1" + volumeMounts: + - name: kiali-configuration + mountPath: "/kiali-configuration" + - name: kiali-cert + mountPath: "/kiali-cert" + - name: kiali-secret + mountPath: "/kiali-secret" + - name: kiali-cabundle + mountPath: "/kiali-cabundle" + resources: + limits: + memory: 1Gi + requests: + cpu: 10m + memory: 64Mi + volumes: + - name: kiali-configuration + configMap: + name: kiali + - name: kiali-cert + secret: + secretName: istio.kiali-service-account + optional: true + - name: kiali-secret + secret: + secretName: kiali + optional: true + - name: kiali-cabundle + configMap: + name: kiali-cabundle + optional: true +... diff --git a/istio-1.18.2/samples/addons/loki.yaml b/istio-1.18.2/samples/addons/loki.yaml new file mode 100644 index 000000000..edabc36a0 --- /dev/null +++ b/istio-1.18.2/samples/addons/loki.yaml 
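Review bot: The Kiali ConfigMap added in this file sets `strategy: anonymous` under `auth` with `view_only_mode: false`, and the `kiali` ClusterRoleBinding ties the pod's service account to a ClusterRole that allows `create`, `delete` and `patch` on every `networking.istio.io` and `security.istio.io` resource. As written, whoever can reach the `kiali` Service on port 20001 appears to get those mesh-wide write rights without logging in, and `signing_key: CHANGEME00000000` is a placeholder that should not reach a shared cluster. If the e2e scripts really apply this manifest, I would switch it to `view_only_mode: true` with `roleRef.name: kiali-viewer` and put `# Demo only: anonymous access, apply to throwaway test clusters only` at the top of the file. If the `istio-1.18.2/` tree came from a local Istio download and was committed by accident, dropping the directory from the commit is the simpler fix.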
@@ -0,0 +1,283 @@ +--- +# Source: loki/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: loki + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: loki/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +data: + config.yaml: | + auth_enabled: false + common: + compactor_address: 'loki' + path_prefix: /var/loki + replication_factor: 1 + storage: + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + limits_config: + enforce_metric_name: false + max_cache_freshness_per_query: 10m + reject_old_samples: true + reject_old_samples_max_age: 168h + split_queries_by_interval: 15m + memberlist: + join_members: + - loki-memberlist + query_range: + align_queries_with_step: true + ruler: + storage: + type: local + runtime_config: + file: /etc/loki/runtime-config/runtime-config.yaml + schema_config: + configs: + - from: "2022-01-11" + index: + period: 24h + prefix: loki_index_ + object_store: filesystem + schema: v12 + store: boltdb-shipper + server: + grpc_listen_port: 9095 + http_listen_port: 3100 + storage_config: + hedging: + at: 250ms + max_per_second: 20 + up_to: 3 + table_manager: + retention_deletes_enabled: false + retention_period: 0 +--- +# Source: loki/templates/runtime-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki-runtime + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +data: + runtime-config.yaml: | + + {} +--- +# Source: loki/templates/service-memberlist.yaml 
+apiVersion: v1 +kind: Service +metadata: + name: loki-memberlist + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp + port: 7946 + targetPort: http-memberlist + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/part-of: memberlist +--- +# Source: loki/templates/single-binary/service-headless.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki-headless + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm + variant: headless + prometheus.io/service-monitor: "false" +spec: + clusterIP: None + ports: + - name: http-metrics + port: 3100 + targetPort: http-metrics + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki +--- +# Source: loki/templates/single-binary/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: http-metrics + port: 3100 + targetPort: http-metrics + protocol: TCP + - name: grpc + port: 9095 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary +--- +# Source: loki/templates/single-binary/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: loki + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: 
single-binary + app.kubernetes.io/part-of: memberlist +spec: + replicas: 1 + podManagementPolicy: Parallel + updateStrategy: + rollingUpdate: + partition: 0 + serviceName: loki-headless + revisionHistoryLimit: 10 + + persistentVolumeClaimRetentionPolicy: + whenDeleted: Delete + whenScaled: Delete + selector: + matchLabels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + template: + metadata: + annotations: + checksum/config: a9239b6352e34bbfc748669ed46cb24211fc3491ee7f2c6381af805f8f08fe29 + labels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + app.kubernetes.io/part-of: memberlist + spec: + serviceAccountName: loki + automountServiceAccountToken: true + enableServiceLinks: true + + securityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + terminationGracePeriodSeconds: 30 + containers: + - name: loki + image: docker.io/grafana/loki:2.7.3 + imagePullPolicy: IfNotPresent + args: + - -config.file=/etc/loki/config/config.yaml + - -target=all + ports: + - name: http-metrics + containerPort: 3100 + protocol: TCP + - name: grpc + containerPort: 9095 + protocol: TCP + - name: http-memberlist + containerPort: 7946 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 30 + timeoutSeconds: 1 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: config + mountPath: /etc/loki/config + - name: runtime-config + mountPath: /etc/loki/runtime-config + - name: storage + mountPath: /var/loki + resources: + {} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + topologyKey: 
kubernetes.io/hostname + + volumes: + - name: tmp + emptyDir: {} + - name: config + configMap: + name: loki + - name: runtime-config + configMap: + name: loki-runtime + volumeClaimTemplates: + - metadata: + name: storage + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "10Gi" diff --git a/istio-1.18.2/samples/addons/prometheus.yaml b/istio-1.18.2/samples/addons/prometheus.yaml new file mode 100644 index 000000000..f11e794a5 --- /dev/null +++ b/istio-1.18.2/samples/addons/prometheus.yaml 
@@ -0,0 +1,531 @@ +--- +# Source: prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system +data: + allow-snippet-annotations: "false" + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + 
insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - honor_labels: true + job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: drop + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: service + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + - honor_labels: true + job_name: kubernetes-service-endpoints-slow + 
kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: service + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - honor_labels: true + job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + 
target_label: namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: service + - honor_labels: true + job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: drop + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: drop + regex: Pending|Succeeded|Failed|Completed + source_labels: + - __meta_kubernetes_pod_phase + - honor_labels: true + job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: drop + regex: Pending|Succeeded|Failed|Completed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + strategy: + type: Recreate + rollingUpdate: null + template: + metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + + sidecar.istio.io/inject: "false" + spec: + enableServiceLinks: true + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.8.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "prom/prometheus:v2.41.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - 
--web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: storage-volume + emptyDir: + {} diff --git a/istio-1.18.2/samples/bookinfo/README.md b/istio-1.18.2/samples/bookinfo/README.md new file mode 100644 index 000000000..7683b21b0 --- /dev/null +++ b/istio-1.18.2/samples/bookinfo/README.md 
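Review bot: The `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` scrape jobs set `insecure_skip_verify: true` next to `ca_file` and `bearer_token_file`, so the pod's service-account token is sent to whatever answers on that address without its certificate being checked. The ClusterRole in this same file grants that account `get`/`list`/`watch` on `nodes/proxy`, pods and configmaps cluster-wide, so the token is worth protecting; `insecure_skip_verify: false` keeps the `ca_file` check effective, provided the API server certificate covers the scraped addresses. The `# Source: prometheus/templates/...` headers suggest the manifest is rendered from a Helm chart, so the setting presumably belongs in the chart values or an overlay rather than in a hand edit here.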
@@ -0,0 +1,100 @@ +# Bookinfo Sample + +See . + +**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository. + +## Build docker images + +```bash +cd samples/bookinfo +src/build-services.sh +``` + +Where `` is the tag and `` is the docker registry to tag the images. + +For example: + +```bash +$ src/build-services.sh 1.16.3 docker.io/shamsher31 +Sending build context to Docker daemon 1.218MB +Step 1/16 : FROM python:3.7.7-slim +3.7.7-slim: Pulling from library/python +8559a31e96f4: Pull complete +... +Successfully built 1b293582cc2e +Successfully tagged shamsher31/examples-bookinfo-ratings-v2:1.16.3 +Successfully tagged shamsher31/examples-bookinfo-ratings-v2:latest +``` + +The bookinfo versions are different from Istio versions since the sample should work with any version of Istio. + +## Push docker images to docker hub + +After the local build is successful, you need to update the YAML file with the latest tag that you used during the build eg: `1.16.3`. + +Run the following script to build the docker images, push them to docker hub, and to update the YAML files in one step. + +```bash +./build_push_update_images.sh +``` + +For example: + +```bash +$ ./build_push_update_images.sh 1.16.3 --prefix=shamsher31 +... +1.16.3: digest: sha256:70634d3847a190b9826975c8 size: 3883 +Pushing: shamsher31/examples-bookinfo-reviews-v2:1.16.3 +The push refers to a repository [docker.io/shamsher31/examples-bookinfo-reviews-v2] +... +``` + +Verify that expected tag eg: `1.16.3` is updated in `platform/kube/bookinfo*.yaml` files. + +## Tests + +Test that the bookinfo samples work with the latest tag eg: `1.16.3` that you pushed. + +```bash +$ cd ../../ +$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml +serviceaccount/bookinfo-details created +deployment.apps/details-v1 created +serviceaccount/bookinfo-ratings created +... 
+``` + +Wait for all the pods to be in `Running` start. + +```bash +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +details-v1-7f556f5c6b-485l2 2/2 Running 0 10m +productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m +ratings-v1-66777f856b-2ls78 2/2 Running 0 10m +reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m +reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m +reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m +``` + +Once all the pods are in the `Running` state. Test if the bookinfo works through cli. + +```bash +$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" +Simple Bookstore App +``` + +You can also test it by hitting productpage in the browser. + +```bash +http://192.168.39.116:31395/productpage +``` + +You should see the following in the browser. + +![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png) + +**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes. + +Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository. diff --git a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh b/istio-1.18.2/samples/bookinfo/build_push_update_images.sh new file mode 100755 index 000000000..dfdff985a --- /dev/null +++ b/istio-1.18.2/samples/bookinfo/build_push_update_images.sh 
@@ -0,0 +1,130 @@ +#!/bin/bash +# +# Copyright 2018 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit + +display_usage() { + echo + echo "USAGE: ./build_push_update_images.sh [-h|--help] [--prefix=value] [--scan-images] [--multiarch-images]" + echo " version: Version of the sample app images (Required)" + echo " -h|--help: Prints usage information" + echo " --prefix: Use the value as the prefix for image names. By default, 'istio' is used" + echo -e " --scan-images: Enable security vulnerability scans for docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled." + echo -e " --multiarch-images : Enables building and pushing multiarch docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled." +} + +# Print usage information for help +if [[ "$1" == "-h" || "$1" == "--help" ]]; then + display_usage + exit 0 +fi + +# Check if there is at least one input argument +if [[ -z "$1" ]] ; then + echo "Missing version parameter" + display_usage + exit 1 +else + VERSION="$1" + shift +fi + +# Process the input arguments. By default, image scanning is disabled. 
+PREFIX=istio +ENABLE_IMAGE_SCAN=false +ENABLE_MULTIARCH_IMAGES=false +echo "$@" +for i in "$@" +do + case "$i" in + --prefix=* ) + PREFIX="${i#--prefix=}" ;; + --scan-images ) + ENABLE_IMAGE_SCAN=true ;; + --multiarch-images ) + ENABLE_MULTIARCH_IMAGES=true ;; + -h|--help ) + echo + echo "Build the docker images for bookinfo sample apps, push them to docker hub and update the yaml files." + display_usage + exit 0 ;; + * ) + echo "Unknown argument: $i" + display_usage + exit 1 ;; + esac +done + +# Build docker images +ENABLE_MULTIARCH_IMAGES="${ENABLE_MULTIARCH_IMAGES}" src/build-services.sh "${VERSION}" "${PREFIX}" + +# Currently the `--load` argument does not work for multi arch images +# Remove this once https://github.com/docker/buildx/issues/59 is addressed. +if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then + # Get all the new image names and tags + for v in ${VERSION} "latest" + do + IMAGES+=$(docker images -f reference="${PREFIX}/examples-bookinfo*:$v" --format "{{.Repository}}:$v") + IMAGES+=" " + done + + # Check that $IMAGES contains the images we've just built + if [[ "${IMAGES}" =~ ^\ +$ ]] ; then + echo "Found no images matching prefix \"${PREFIX}/examples-bookinfo\"." + echo "Try running the script without specifying the image registry in --prefix (e.g. --prefix=/foo instead of --prefix=docker.io/foo)." + exit 1 + fi +fi + +# +# Run security vulnerability scanning on bookinfo sample app images using +# trivy. If the image has vulnerabilities, the file will have a .failed +# suffix. A successful scan will have a .passed suffix. +function run_vulnerability_scanning() { + RESULT_DIR="vulnerability_scan_results" + mkdir -p "$RESULT_DIR" + # skip-dir added to prevent timeout of review images + set +e + trivy image --ignore-unfixed --no-progress --exit-code 2 --skip-dirs /opt/ol/wlp --output "$RESULT_DIR/$1_$VERSION.failed" "$2" + test $? -ne 0 || mv "$RESULT_DIR/$1_$VERSION.failed" "$RESULT_DIR/$1_$VERSION.passed" + set -e +} + +# Push images. 
Scan images if ENABLE_IMAGE_SCAN is true. +for IMAGE in ${IMAGES}; +do + # Multiarch images have already been pushed using buildx build + if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then + echo "Pushing: ${IMAGE}" + docker push "${IMAGE}"; + fi + + # $IMAGE has the following format: istio/examples-bookinfo*:"$v". + # We want to get the sample app name from $IMAGE (the examples-bookinfo* portion) + # to create the file to store the results of the scan for that image. The first + # part of the $IMAGE_NAME gets examples-bookinfo*:"$v", and the second part gets + # 'examples-bookinfo*'. + if [[ "$ENABLE_IMAGE_SCAN" == "true" ]]; then + echo "Scanning ${IMAGE} for security vulnerabilities" + IMAGE_NAME=${IMAGE#*/} + IMAGE_NAME=${IMAGE_NAME%:*} + run_vulnerability_scanning "${IMAGE_NAME}" "${IMAGE}" + fi +done + +# Update image references in the yaml files +find ./platform -name "*bookinfo*.yaml" -exec sed -i.bak "s#image:.*\\(\\/examples-bookinfo-.*\\):.*#image: ${PREFIX//\//\\/}\\1:$VERSION#g" {} + + diff --git a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml b/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml new file mode 100644 index 000000000..4edaba404 --- /dev/null +++ b/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml @@ -0,0 +1,12 @@ +# IOP configuration used to install the demo profile without gateways. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + profile: demo + components: + ingressGateways: + - name: istio-ingressgateway + enabled: false + egressGateways: + - name: istio-egressgateway + enabled: false diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml new file mode 100644 index 000000000..3870a4cc3 --- /dev/null +++ b/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml 
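Review bot: In the final `for IMAGE in ${IMAGES}` loop the image is pushed with `docker push` before `run_vulnerability_scanning` runs, and the scan outcome is only recorded as a `.failed` or `.passed` file, so an image with findings is already published and the script carries on. Scanning first and stopping when no `.passed` file was produced would make `--scan-images` an actual gate; the fence below shows the reordered loop body. Two smaller points in the same hunk: `IMAGES` is appended to with `+=` without being initialised, so a value inherited from the caller's environment would be pushed too (`IMAGES=""` before the `for v in` loop), and with `--multiarch-images` the list is never filled, so `--scan-images` silently scans nothing.

```shell
for IMAGE in ${IMAGES};
do
  if [[ "$ENABLE_IMAGE_SCAN" == "true" ]]; then
    # … unchanged: echo and IMAGE_NAME derivation …
    run_vulnerability_scanning "${IMAGE_NAME}" "${IMAGE}"
    # Gate the push on the scan result instead of only recording it.
    if [[ ! -f "${RESULT_DIR}/${IMAGE_NAME}_${VERSION}.passed" ]]; then
      echo "Scan of ${IMAGE} did not pass; not pushing"
      exit 1
    fi
  fi
  # … unchanged: docker push block, now placed after the scan …
done
```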
@@ -0,0 +1,41 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: bookinfo-gateway
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: bookinfo
+spec:
+ parentRefs:
+ - name: bookinfo-gateway
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /productpage
+ - path:
+ type: PathPrefix
+ value: /static
+ - path:
+ type: Exact
+ value: /login
+ - path:
+ type: Exact
+ value: /logout
+ - path:
+ type: PathPrefix
+ value: /api/v1/products
+ backendRefs:
+ - name: productpage
+ port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml
new file mode 100644
index 000000000..9496ed2e5
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml
@@ -0,0 +1,56 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: productpage
+spec:
+ parentRefs:
+ - kind: Service
+ name: productpage
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: productpage-v1
+ port: 9080
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: ratings
+spec:
+ parentRefs:
+ - kind: Service
+ name: ratings
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: ratings-v1
+ port: 9080
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: details
+spec:
+ parentRefs:
+ - kind: Service
+ name: details
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: details-v1
+ port: 9080
+---
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
new file mode 100644
index 000000000..76bbea8f7
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+ weight: 50
+ - name: reviews-v3
+ port: 9080
+ weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
new file mode 100644
index 000000000..f74349fe4
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
+ weight: 90
+ - name: reviews-v2
+ port: 9080
+ weight: 10
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml
new file mode 100644
index 000000000..8e11bcd92
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v1
+ port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml
new file mode 100644
index 000000000..b5515fd1b
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: reviews
+spec:
+ parentRefs:
+ - kind: Service
+ name: reviews
+ port: 9080
+ rules:
+ - backendRefs:
+ - name: reviews-v3
+ port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml
new file mode 100644
index 000000000..948682dc5
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: bookinfo-gateway
+spec:
+ # The selector matches the ingress gateway pod labels.
+ # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: bookinfo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - bookinfo-gateway
+ http:
+ - match:
+ - uri:
+ exact: /productpage
+ - uri:
+ prefix: /static
+ - uri:
+ exact: /login
+ - uri:
+ exact: /logout
+ - uri:
+ prefix: /api/v1/products
+ route:
+ - destination:
+ host: productpage
+ port:
+ number: 9080
diff --git a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml
new file mode 100644
index 000000000..3fa653780
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml
@@ -0,0 +1,35 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: cert-manager-gateway
+ namespace: istio-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: cert-manager
+ namespace: istio-system
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - cert-manager-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /.well-known/acme-challenge/
+ route:
+ - destination:
+ host: cert-manager-resolver
+ port:
+ number: 8089
diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml
new file mode 100644
index 000000000..2a19c3fb4
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml
@@ -0,0 +1,74 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: productpage
+spec:
+ host: productpage
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ratings
+spec:
+ host: ratings
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v2-mysql
+ labels:
+ version: v2-mysql
+ - name: v2-mysql-vm
+ labels:
+ version: v2-mysql-vm
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml
new file mode 100644
index 000000000..96be6993a
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml
@@ -0,0 +1,62 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: productpage
+spec:
+ host: productpage
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ratings
+spec:
+ host: ratings
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v2-mysql
+ labels:
+ version: v2-mysql
+ - name: v2-mysql-vm
+ labels:
+ version: v2-mysql-vm
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml
new file mode 100644
index 000000000..69f30f1d9
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews
+ trafficPolicy:
+ loadBalancer:
+ simple: RANDOM
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
diff --git a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml
new file mode 100644
index 000000000..d35e3ac1d
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml
@@ -0,0 +1,46 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: googleapis
+spec:
+ hosts:
+ - www.googleapis.com
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: DNS
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: rewrite-port-for-googleapis
+spec:
+ hosts:
+ - www.googleapis.com
+ http:
+ - match:
+ - port: 80
+ route:
+ - destination:
+ host: www.googleapis.com
+ port:
+ number: 443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: originate-tls-for-googleapis
+spec:
+ host: www.googleapis.com
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: 443
+ tls:
+ mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
diff --git a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml
new file mode 100644
index 000000000..c45509256
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - fault:
+ abort:
+ httpStatus: 555
+ percentage:
+ value: 100
+ route:
+ - destination:
+ host: details
+ subset: v1
+ - route:
+ - destination:
+ host: details
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ subsets:
+ - name: v1
+ labels:
+ version: v1
\ No newline at end of file
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml
new file mode 100644
index 000000000..6811e31d9
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml
@@ -0,0 +1,52 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: productpage
+spec:
+ hosts:
+ - productpage
+ http:
+ - route:
+ - destination:
+ host: productpage
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - route:
+ - destination:
+ host: details
+ subset: v1
+---
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml
new file mode 100644
index 000000000..5f21fa530
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - route:
+ - destination:
+ host: details
+ subset: v2
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml
new file mode 100644
index 000000000..1698ec247
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v2
+---
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
new file mode 100644
index 000000000..fdf882702
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v2-mysql-vm
+---
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
new file mode 100644
index 000000000..03a700ead
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - route:
+ - destination:
+ host: ratings
+ subset: v2-mysql
+---
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
new file mode 100644
index 000000000..51c6fe9c6
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ fault:
+ abort:
+ percentage:
+ value: 100.0
+ httpStatus: 500
+ route:
+ - destination:
+ host: ratings
+ subset: v1
+ - route:
+ - destination:
+ host: ratings
+ subset: v1
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
new file mode 100644
index 000000000..6c4e19dad
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ fault:
+ delay:
+ percentage:
+ value: 100.0
+ fixedDelay: 7s
+ route:
+ - destination:
+ host: ratings
+ subset: v1
+ - route:
+ - destination:
+ host: ratings
+ subset: v1
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
new file mode 100644
index 000000000..aad8c3175
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+ weight: 50
+ - destination:
+ host: reviews
+ subset: v3
+ weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
new file mode 100644
index 000000000..7304d867d
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+ weight: 80
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 20
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
new file mode 100644
index 000000000..d211dd16a
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
+ weight: 90
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 10
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
new file mode 100644
index 000000000..fb3571368
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews
+ subset: v2
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
new file mode 100644
index 000000000..ea07efb29
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews
+ subset: v2
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
new file mode 100644
index 000000000..7ae7b8042
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 50
+ - destination:
+ host: reviews
+ subset: v3
+ weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
new file mode 100644
index 000000000..5da999d4f
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/README.md b/istio-1.18.2/samples/bookinfo/platform/kube/README.md
new file mode 100644
index 000000000..d1189bec3
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/README.md
@@ -0,0 +1,2 @@
+See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio
+docs for instructions on how to run this demo application.
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
new file mode 100644
index 000000000..bce874dcd
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: istio-system
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: stage@istio.io
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: istio-ingressgateway-certs
+ namespace: istio-system
+spec:
+ secretName: istio-ingressgateway-certs
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: bookinfo.example.com
+ dnsNames:
+ - bookinfo.example.com
+ acme:
+ config:
+ - http01:
+ ingressClass: none
+ domains:
+ - bookinfo.example.com
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml
new file mode 100644
index 000000000..474410c8c
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml
@@ -0,0 +1,60 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: mongodb
+ labels:
+ app: mongodb
+ service: mongodb
+spec:
+ ports:
+ - port: 27017
+ name: mongo
+ selector:
+ app: mongodb
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongodb-v1
+ labels:
+ app: mongodb
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: mongodb
+ version: v1
+ spec:
+ containers:
+ - name: mongodb
+ image: docker.io/istio/examples-bookinfo-mongodb:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 27017
+ volumeMounts:
+ - name: data-db
+ mountPath: /data/db
+ volumes:
+ - name: data-db
+ emptyDir: {}
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
new file mode 100644
index 000000000..e5a0e73c2
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
@@ -0,0 +1,48 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service v2
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v2
+ labels:
+ app: details
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v2
+ spec:
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ env:
+ - name: DO_NOT_ENCRYPT
+ value: "true"
+ securityContext:
+ runAsUser: 1000
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml
new file mode 100644
index 000000000..6cb7db364
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml
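Review bot: The `DO_NOT_ENCRYPT` entry with `value: "true"` on the details container in bookinfo-details-v2.yaml carries no comment, so a reader of this manifest cannot tell that cleartext egress is intended. Presumably it makes details-v2 call its upstream over plain HTTP so that the sidecar can originate TLS, which is what networking/egress-rule-google-apis.yaml earlier in this patch configures (port 80 routed to 443 with `mode: SIMPLE`); if that rule is not applied, the request would leave the pod unencrypted. I would add a comment above the env entry such as `# plain HTTP on purpose: apply networking/egress-rule-google-apis.yaml so the sidecar originates TLS`.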
@@ -0,0 +1,59 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
new file mode 100644
index 000000000..e2143399f
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
@@ -0,0 +1,63 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###########################################################################
+# Ingress resource (gateway)
+##########################################################################
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gateway
+ annotations:
+ kubernetes.io/ingress.class: "istio"
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /productpage
+ pathType: Exact
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /static/
+ pathType: Prefix
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /login
+ pathType: Exact
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /logout
+ pathType: Exact
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+ - path: /api/v1/products
+ pathType: Prefix
+ backend:
+ service:
+ name: productpage
+ port:
+ number: 9080
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
new file mode 100644
index 000000000..073fee460
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
@@ -0,0 +1,79 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Mysql db services
+# credentials: root/password
+##################################################################################################
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mysql-credentials
+type: Opaque
+data:
+ rootpasswd: cGFzc3dvcmQ=
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysqldb
+ labels:
+ app: mysqldb
+ service: mysqldb
+spec:
+ ports:
+ - port: 3306
+ name: tcp
+ selector:
+ app: mysqldb
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysqldb-v1
+ labels:
+ app: mysqldb
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysqldb
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: mysqldb
+ version: v1
+ spec:
+ containers:
+ - name: mysqldb
+ image: docker.io/istio/examples-bookinfo-mysqldb:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mysql-credentials
+ key: rootpasswd
+ args: ["--default-authentication-plugin","mysql_native_password"]
+ volumeMounts:
+ - name: var-lib-mysql
+ mountPath: /var/lib/mysql
+ volumes:
+ - name: var-lib-mysql
+ emptyDir: {}
+---
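Review bot: The `mysql-credentials` Secret is committed with `rootpasswd: cGFzc3dvcmQ=`, which is only the base64 form of the `password` named in the header comment, so the MySQL root account in this sample has a publicly known credential; bookinfo-ratings-v2-mysql-vm.yaml later in this patch repeats it in plain text as `MYSQL_DB_PASSWORD` next to `MYSQL_DB_USER` set to `root`. If the tree is kept, I would mark both files as demo-only with a comment such as `# demo credential: do not apply outside a throwaway cluster`, and have the ratings Deployment read the value through `secretKeyRef` the way the mysqldb Deployment here already does. The `istio-1.18.2/` prefix looks like an unpacked Istio release bundle, so it is also worth confirming that the directory was meant to be committed rather than ignored.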
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml
new file mode 100644
index 000000000..5b65de634
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml
@@ -0,0 +1,369 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# This file defines the same services, service accounts, and deployments as bookinfo.yaml with
+# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission
+# enabled cluster that enforces the baseline policy.
+##################################################################################################
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-details
+ labels:
+ account: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-details
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsNonRoot: true
+---
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-ratings
+ labels:
+ account: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-ratings
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsNonRoot: true
+---
+##################################################################################################
+# Reviews service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews
+ labels:
+ app: reviews
+ service: reviews
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-reviews
+ labels:
+ account: reviews
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v1
+ labels:
+ app: reviews
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsNonRoot: true
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v2
+ labels:
+ app: reviews
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsNonRoot: true
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v3
+ labels:
+ app: reviews
+ version: v3
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v3
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v3
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsNonRoot: true
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+##################################################################################################
+# Productpage services
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage
+ labels:
+ app: productpage
+ service: productpage
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-productpage
+ labels:
+ account: productpage
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: productpage-v1
+ labels:
+ app: productpage
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: productpage
+ version: v1
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9080"
+ prometheus.io/path: "/metrics"
+ labels:
+ app: productpage
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-productpage
+ containers:
+ - name: productpage
+ image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsNonRoot: true
+ volumes:
+ - name: tmp
+ emptyDir: {}
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
new file mode 100644
index 000000000..61c4b7f10
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
@@ -0,0 +1,31 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
new file mode 100644
index 000000000..1024c75c9
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
@@ -0,0 +1,55 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v2-mysql-vm
+ labels:
+ app: ratings
+ version: v2-mysql-vm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v2-mysql-vm
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2-mysql-vm
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ # This assumes you registered your mysql vm as
+ # istioctl register -n vm mysqldb 1.2.3.4 3306
+ - name: DB_TYPE
+ value: "mysql"
+ - name: MYSQL_DB_HOST
+ value: mysqldb.vm.svc.cluster.local
+ - name: MYSQL_DB_PORT
+ value: "3306"
+ - name: MYSQL_DB_USER
+ value: root
+ - name: MYSQL_DB_PASSWORD
+ value: password
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
new file mode 100644
index 000000000..09c4610a2
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
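Review bot: The `MYSQL_DB_USER` and `MYSQL_DB_PASSWORD` entries at the end of the `env` list in bookinfo-ratings-v2-mysql-vm.yaml put the database root account and a literal password (`value: root`, `value: password`) into the pod spec, where anyone who can read the Deployment can read them; bookinfo-ratings-v2-mysql.yaml in the following hunk has the same two entries. If these manifests can be applied anywhere but a throwaway demo cluster, both values should come from a Secret, e.g. `valueFrom: {secretKeyRef: {name: <secret-name>, key: <key-name>}}` (placeholder names), and the application should use a non-root database account. The files look like a copy of the upstream Istio samples, so it is also worth confirming that the copy is meant to be committed at all.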
@@ -0,0 +1,58 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v2-mysql
+ labels:
+ app: ratings
+ version: v2-mysql
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v2-mysql
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2-mysql
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ # ratings-v2 will use mongodb as the default db backend.
+ # if you would like to use mysqldb then you can use this file
+ # which sets DB_TYPE = 'mysql' and the rest of the parameters shown
+ # here and also create the # mysqldb service using bookinfo-mysql.yaml
+ # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml
+ - name: DB_TYPE
+ value: "mysql"
+ - name: MYSQL_DB_HOST
+ value: mysqldb
+ - name: MYSQL_DB_PORT
+ value: "3306"
+ - name: MYSQL_DB_USER
+ value: root
+ - name: MYSQL_DB_PASSWORD
+ value: password
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
new file mode 100644
index 000000000..a645d19ac
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
@@ -0,0 +1,65 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-ratings-v2
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v2
+ labels:
+ app: ratings
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-ratings-v2
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ # ratings-v2 will use mongodb as the default db backend.
+ # if you would like to use mysqldb then set DB_TYPE = 'mysql', set
+ # the rest of the parameters shown here and also create the
+ # mysqldb service using bookinfo-mysql.yaml
+ # - name: DB_TYPE #default to
+ # value: "mysql"
+ # - name: MYSQL_DB_HOST
+ # value: mysqldb
+ # - name: MYSQL_DB_PORT
+ # value: "3306"
+ # - name: MYSQL_DB_USER
+ # value: root
+ # - name: MYSQL_DB_PASSWORD
+ # value: password
+ - name: MONGO_DB_URL
+ value: mongodb://mongodb:27017/test
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
new file mode 100644
index 000000000..08c9040d8
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml
@@ -0,0 +1,59 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
new file mode 100644
index 000000000..4acc6b264
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
@@ -0,0 +1,58 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Reviews service v2
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v2
+ labels:
+ app: reviews
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml
new file mode 100644
index 000000000..c374bbee7
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v2
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews-v3
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+ version: v3
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: details-v1
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+ version: v1
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml
new file mode 100644
index 000000000..4699e3e79
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml
@@ -0,0 +1,347 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# This file defines the services, service accounts, and deployments for the Bookinfo sample.
+#
+# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
+#
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
+#
+# Alternatively, you can deploy any resource separately:
+#
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
+# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
+##################################################################################################
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+ service: details
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-details
+ labels:
+ account: details
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: details-v1
+ labels:
+ app: details
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: details
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-details
+ containers:
+ - name: details
+ image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+ service: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-ratings
+ labels:
+ account: ratings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ratings-v1
+ labels:
+ app: ratings
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ratings
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-ratings
+ containers:
+ - name: ratings
+ image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ securityContext:
+ runAsUser: 1000
+---
+##################################################################################################
+# Reviews service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: reviews
+ labels:
+ app: reviews
+ service: reviews
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: reviews
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-reviews
+ labels:
+ account: reviews
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v1
+ labels:
+ app: reviews
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v2
+ labels:
+ app: reviews
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reviews-v3
+ labels:
+ app: reviews
+ version: v3
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reviews
+ version: v3
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v3
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: LOG_DIR
+ value: "/tmp/logs"
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: wlp-output
+ mountPath: /opt/ibm/wlp/output
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: wlp-output
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+##################################################################################################
+# Productpage services
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage
+ labels:
+ app: productpage
+ service: productpage
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-productpage
+ labels:
+ account: productpage
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: productpage-v1
+ labels:
+ app: productpage
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: productpage
+ version: v1
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9080"
+ prometheus.io/path: "/metrics"
+ labels:
+ app: productpage
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-productpage
+ containers:
+ - name: productpage
+ image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ securityContext:
+ runAsUser: 1000
+ volumes:
+ - name: tmp
+ emptyDir: {}
+---
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh
new file mode 100755
index 000000000..bdf700d11
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh
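Review bot: Every container `securityContext` in bookinfo.yaml sets only `runAsUser: 1000`, whereas the manifest whose tail is visible just before it on this page (its hunk starts above the visible part) also sets `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and a `capabilities` block that drops `all`. Without `allowPrivilegeEscalation: false` a process in the container can still gain privileges through setuid binaries, and the default capability set stays in place. Adding the same three settings to the details, ratings, reviews and productpage containers would keep the two variants consistent; the single-service manifests in the preceding hunks (bookinfo-ratings.yaml, bookinfo-reviews-v2.yaml and the ratings-v2 variants) have the same gap.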
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+# only ask if in interactive mode
+if [[ -t 0 && -z ${NAMESPACE} ]];then
+ echo -n "namespace ? [default] "
+ read -r NAMESPACE
+fi
+
+# verify if the namespace exists, otherwise use default namespace
+if [[ -n ${NAMESPACE} ]];then
+ ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null)
+ if [[ -z ${ns} ]];then
+ echo "NAMESPACE ${NAMESPACE} not found."
+ NAMESPACE=default
+ fi
+fi
+
+# if no namespace is provided, use default namespace
+if [[ -z ${NAMESPACE} ]];then
+ NAMESPACE=default
+fi
+
+echo "using NAMESPACE=${NAMESPACE}"
+
+# clean up Istio traffic management resources that may have been used
+protos=( destinationrules virtualservices gateways )
+for proto in "${protos[@]}"; do
+ for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
+ kubectl delete -n "${NAMESPACE}" "$resource";
+ done
+done
+
+# clean up Gateway API resources that may have been used
+if kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1; then
+ protos=( httproutes gateways.gateway.networking.k8s.io )
+ for proto in "${protos[@]}"; do
+ for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do
+ kubectl delete -n "${NAMESPACE}" "$resource";
+ done
+ done
+ kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo-versions.yaml" >/dev/null 2>&1
+fi
+
+OUTPUT=$(mktemp)
+export OUTPUT
+echo "Application cleanup may take up to one minute"
+kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1
+ret=$?
+function cleanup() {
+ rm -f "${OUTPUT}"
+}
+
+trap cleanup EXIT
+
+if [[ ${ret} -eq 0 ]];then
+ cat "${OUTPUT}"
+else
+ # ignore NotFound errors
+ OUT2=$(grep -v NotFound "${OUTPUT}")
+ if [[ -n ${OUT2} ]];then
+ cat "${OUTPUT}"
+ exit ${ret}
+ fi
+fi
+
+# wait for 30 sec for bookinfo to clean up
+sleep 30
+
+echo "Application cleanup successful"
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml
new file mode 100644
index 000000000..aadba2e0c
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml
@@ -0,0 +1,32 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Productpage services
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: productpage
+ labels:
+ app: productpage
+ service: productpage
+spec:
+ type: NodePort
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: productpage
+---
diff --git a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
new file mode 100644
index 000000000..ef96dc56b
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
@@ -0,0 +1,88 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-ratelimit
+ namespace: istio-system
+spec:
+ workloadSelector:
+ # select by label in the same namespace
+ labels:
+ istio: ingressgateway
+ configPatches:
+ # The Envoy config you want to modify
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.ratelimit
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
+ # domain can be anything! Match it to the ratelimter service config
+ domain: productpage-ratelimit
+ failure_mode_deny: true
+ rate_limit_service:
+ grpc_service:
+ envoy_grpc:
+ cluster_name: rate_limit_cluster
+ timeout: 10s
+ - applyTo: CLUSTER
+ match:
+ cluster:
+ service: ratelimit.default.svc.cluster.local
+ patch:
+ operation: ADD
+ value:
+ name: rate_limit_cluster
+ type: STRICT_DNS
+ connect_timeout: 10s
+ lb_policy: ROUND_ROBIN
+ http2_protocol_options: {}
+ load_assignment:
+ cluster_name: rate_limit_cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: ratelimit.default.svc.cluster.local
+ port_value: 8081
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-ratelimit-svc
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: VIRTUAL_HOST
+ match:
+ context: GATEWAY
+ routeConfiguration:
+ vhost:
+ name: ""
+ route:
+ action: ANY
+ patch:
+ operation: MERGE
+ value:
+ rate_limits:
+ - actions: # any actions in here
+ # Multiple actions nest the descriptors
+ # - generic_key:
+ # descriptor_value: "test"
+ - request_headers:
+ header_name: ":path"
+ descriptor_key: "PATH"
+ # - remote_address: {}
+ # - destination_cluster: {}
\ No newline at end of file
diff --git a/istio-1.18.2/samples/bookinfo/src/build-services.sh b/istio-1.18.2/samples/bookinfo/src/build-services.sh
new file mode 100755
index 000000000..aa3d64325
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/src/build-services.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ox errexit
+
+display_usage() {
+ echo
+ echo "USAGE: ./build-services.sh [-h|--help]"
+ echo " -h|--help: Prints usage information"
+ echo " version: Version of the sample app images (Required)"
+ echo " prefix: Use the value as the prefix for image names (Required)"
+}
+
+if [ "$#" -ne 2 ]; then
+ if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+ display_usage
+ exit 0
+ else
+ echo "Incorrect parameters" "$@"
+ display_usage
+ exit 1
+ fi
+fi
+
+VERSION=$1
+PREFIX=$2
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+# Docker build variables
+ENABLE_MULTIARCH_IMAGES=${ENABLE_MULTIARCH_IMAGES:-"false"}
+
+if [ "${ENABLE_MULTIARCH_IMAGES}" == "true" ]; then
+ PLATFORMS="linux/arm64,linux/amd64"
+ DOCKER_BUILD_ARGS="docker buildx build --platform ${PLATFORMS} --push"
+ # Install QEMU emulators
+ docker run --rm --privileged tonistiigi/binfmt --install all
+ docker buildx rm multi-builder || :
+ docker buildx create --use --name multi-builder --platform ${PLATFORMS}
+ docker buildx use multi-builder
+else
+ DOCKER_BUILD_ARGS="docker build"
+fi
+
+pushd "$SCRIPTDIR/productpage"
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v1:latest" .
+ # flooding
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:latest" --build-arg flood_factor=100 .
+popd
+
+pushd "$SCRIPTDIR/details"
+ # plain build -- no calling external book service to fetch topics
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v1:latest" --build-arg service_version=v1 .
+ # with calling external book service to fetch topic for the book
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v2:latest" --build-arg service_version=v2 \
+ --build-arg enable_external_book_service=true .
+popd
+
+
+pushd "$SCRIPTDIR/reviews"
+ # java build the app.
+ docker run --rm -u root -v "$(pwd)":/home/gradle/project -w /home/gradle/project gradle:4.8.1 gradle clean build
+
+ pushd reviews-wlpcfg
+ # plain build -- no ratings
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v1:latest" --build-arg service_version=v1 .
+ # with ratings black stars
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v2:latest" --build-arg service_version=v2 \
+ --build-arg enable_ratings=true .
+ # with ratings red stars
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v3:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v3:latest" --build-arg service_version=v3 \
+ --build-arg enable_ratings=true --build-arg star_color=red .
+ popd
+popd
+
+pushd "$SCRIPTDIR/ratings"
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v1:latest" --build-arg service_version=v1 .
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v2:latest" --build-arg service_version=v2 .
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:latest" --build-arg service_version=v-faulty .
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:latest" --build-arg service_version=v-delayed .
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:latest" --build-arg service_version=v-unavailable .
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:latest" --build-arg service_version=v-unhealthy .
+popd
+
+pushd "$SCRIPTDIR/mysql"
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mysqldb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mysqldb:latest" .
+popd
+
+pushd "$SCRIPTDIR/mongodb"
+ ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mongodb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mongodb:latest" .
+popd
diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json
new file mode 100644
index 000000000..b4563b50c
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json
@@ -0,0 +1,2 @@
+{rating: 5}
+{rating: 4}
diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh b/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh
new file mode 100644
index 000000000..7e230ee5a
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh
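Review bot: In the multi-arch branch of build-services.sh, `docker run --rm --privileged tonistiigi/binfmt --install all` names the image with no tag or digest, so whatever is published under that name at build time runs with full privileges on the build host. Pin it to a reviewed digest, e.g. `docker run --rm --privileged tonistiigi/binfmt@sha256:<reviewed-digest> --install all` (placeholder digest), and restrict this branch to disposable build machines. The reviews build has a related weakness: `gradle:4.8.1` is referenced by mutable tag and run with `-u root` against the bind-mounted source tree, so a digest pin is worth adding there as well.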
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json
diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt
new file mode 100644
index 000000000..5e5ddf224
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt
@@ -0,0 +1,32 @@
+certifi==2022.12.7
+chardet==3.0.4
+Click==7.0
+contextlib2==0.5.5
+dominate==2.3.5
+Flask==2.1.1
+Flask-Bootstrap==3.3.7.1
+Flask-JSON==0.3.3
+future==0.17.1
+futures==3.1.1
+gevent==21.12.0
+greenlet==1.1.2
+idna==2.8
+itsdangerous==1.1.0
+jaeger-client==3.13.0
+Jinja2==2.11.3
+json2html==1.2.1
+MarkupSafe==0.23
+nose==1.3.7
+opentracing==1.2.2
+opentracing-instrumentation==2.4.3
+prometheus-client==0.15.0
+requests==2.28.1
+simplejson==3.16.0
+six==1.12.0
+threadloop==1.0.2
+thrift==0.11.0
+tornado==5.1
+urllib3==1.26.5
+visitor==0.1.3
+Werkzeug==2.2.3
+wrapt==1.11.1
diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt
new file mode 100644
index 000000000..f756640f2
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt
@@ -0,0 +1 @@
+requests-mock==1.5.2
diff --git a/istio-1.18.2/samples/bookinfo/src/ratings/package.json b/istio-1.18.2/samples/bookinfo/src/ratings/package.json
new file mode 100644
index 000000000..f0498224c
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/src/ratings/package.json
@@ -0,0 +1,11 @@
+{
+ "scripts": {
+ "start": "node ratings.js"
+ },
+ "dependencies": {
+ "httpdispatcher": "1.0.0",
+ "mongodb": "^3.6.0",
+ "mysql": "^2.15.0"
+ },
+ "private": true
+}
diff --git a/istio-1.18.2/samples/bookinfo/swagger.yaml b/istio-1.18.2/samples/bookinfo/swagger.yaml
new file mode 100644
index 000000000..6782e732f
--- /dev/null
+++ b/istio-1.18.2/samples/bookinfo/swagger.yaml
@@ -0,0 +1,248 @@ +swagger: "2.0" +info: + description: "This is the API of the Istio BookInfo sample application." + version: "1.0.0" + title: "BookInfo API" + termsOfService: "https://istio.io/" + license: + name: "Apache 2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0.html" +basePath: "/api/v1" +tags: +- name: "product" + description: "Information about a product (in this case a book)" +- name: "review" + description: "Review information for a product" +- name: "rating" + description: "Rating information for a product" +externalDocs: + description: "Learn more about the Istio BookInfo application" + url: "https://istio.io/docs/samples/bookinfo.html" +paths: + /products: + get: + tags: + - "product" + summary: "List all products" + description: "List all products available in the application with a minimum amount of information." + operationId: "getProducts" + consumes: + - "application/json" + produces: + - "application/json" + responses: + 200: + description: "successful operation" + schema: + type: "array" + items: + $ref: "#/definitions/Product" + /products/{id}: + get: + tags: + - "product" + summary: "Get individual product" + description: "Get detailed information about an individual product with the given id." + operationId: "getProduct" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductDetails" + 400: + description: "Invalid product id" + /products/{id}/reviews: + get: + tags: + - "review" + summary: "Get reviews for a product" + description: "Get reviews for a product, including review text and possibly ratings information." 
+ operationId: "getProductReviews" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductReviews" + 400: + description: "Invalid product id" + /products/{id}/ratings: + get: + tags: + - "rating" + summary: "Get ratings for a product" + description: "Get ratings for a product, including stars and their color." + operationId: "getProductRatings" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductRatings" + 400: + description: "Invalid product id" + + +definitions: + Product: + type: "object" + description: "Basic information about a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + title: + type: "string" + description: "Title of the book" + descriptionHtml: + type: "string" + description: "Description of the book - may contain HTML tags" + required: + - "id" + - "title" + - "descriptionHtml" + ProductDetails: + type: "object" + description: "Detailed information about a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + publisher: + type: "string" + description: "Publisher of the book" + language: + type: "string" + description: "Language of the book" + author: + type: "string" + description: "Author of the book" + ISBN-10: + type: "string" + description: "ISBN-10 of the book" + ISBN-13: + type: "string" + description: "ISBN-13 of the book" + year: + type: "integer" + format: "int32" + description: "Year the book was first published in" + type: + type: "string" + enum: + - "paperback" + - "hardcover" + 
description: "Type of the book" + pages: + type: "integer" + format: "int32" + description: "Number of pages of the book" + required: + - "id" + - "publisher" + - "language" + - "author" + - "ISBN-10" + - "ISBN-13" + - "year" + - "type" + - "pages" + ProductReviews: + type: "object" + description: "Object containing reviews for a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + reviews: + type: "array" + description: "List of reviews" + items: + $ref: "#/definitions/Review" + required: + - "id" + - "reviews" + Review: + type: "object" + description: "Review of a product" + properties: + reviewer: + type: "string" + description: "Name of the reviewer" + text: + type: "string" + description: "Review text" + rating: + $ref: "#/definitions/Rating" + required: + - "reviewer" + - "text" + Rating: + type: "object" + description: "Rating of a product" + properties: + stars: + type: "integer" + format: "int32" + minimum: 1 + maximum: 5 + description: "Number of stars" + color: + type: "string" + enum: + - "red" + - "black" + description: "Color in which stars should be displayed" + required: + - "stars" + - "color" + ProductRatings: + type: "object" + description: "Object containing ratings of a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + ratings: + type: "object" + description: "A hashmap where keys are reviewer names, values are number of stars" + additionalProperties: + type: "string" + required: + - "id" + - "ratings" \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/README.md b/istio-1.18.2/samples/certs/README.md new file mode 100644 index 000000000..6daeaab48 --- /dev/null +++ b/istio-1.18.2/samples/certs/README.md 
@@ -0,0 +1,34 @@
+# Istio plugin CA sample certificates
+
+This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
+a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
+Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).
+
+The included sample files are:
+
+- `root-cert.pem`: root CA certificate.
+- `root-cert-alt.pem`: alterative CA certificate.
+- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
+- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
+- `cert-chain.pem`: certificate trust chain.
+- `cert-chain-alt.pem`: alternative certificate chain.
+- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
+- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
+- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.
+- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate.
+- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
+- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.
+
+The workload cert and key are generated by:
+
+```shell script
+ ./generate-workload.sh foo
+ ./generate-workload.sh bar
+```
+
+To generate certs signed by the alternative root `root-cert-alt.pem`
+
+```shell script
+./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
+./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
+```
diff --git a/istio-1.18.2/samples/certs/ca-cert-alt.pem b/istio-1.18.2/samples/certs/ca-cert-alt.pem
new file mode 100644
index 000000000..b790d1d21
--- /dev/null
+++ b/istio-1.18.2/samples/certs/ca-cert-alt.pem
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw +MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE +AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4 +eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu +f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a +I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw +srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd +PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5 +TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4 +4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0 +UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9 +NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5 +bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW +f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS +BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp +c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC +dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a +WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo +A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty +tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw +JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr +xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k +KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz +kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1 +sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk +Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D +wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/istio-1.18.2/samples/certs/ca-cert.pem b/istio-1.18.2/samples/certs/ca-cert.pem new file mode 100644 index 000000000..a460e036b --- /dev/null +++ b/istio-1.18.2/samples/certs/ca-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/ca-key-alt.pem b/istio-1.18.2/samples/certs/ca-key-alt.pem new file mode 100644 index 000000000..872543dd4 --- /dev/null +++ b/istio-1.18.2/samples/certs/ca-key-alt.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAlx8cZPTCKlFRySRZHUZeznX5OXTXsrVjNrh4TGD6IQUWbMZb ++qkf6Da5STyD9+oQ5CsVu1CwVmAf8+2okMzX20z6xWP0xZU0dO5/zJv2mM/Zjo7r +FPJIBh+dkXB9063t7AVEFe768cqk/Neusl0lZAb42g+5gtqfLlojaGAfE84IrFiX +BvKPB03w+BSVyPub9sRbeuHCTJYEjD8Kn79hkjDEJJaXUwEOuPCyvOtWYz7voEk7 +i3AqOq0lHv6Po9I2Ts0ONIIi1+a0I0NKJJ9o9Y/CaFOQY+i/oF0+imeSgaCoO1IG +oFEy5LSwQyGOwjb97b5fr6a6xFh1ODFJLLYsSDf/+cRNsLhz6rlOuA5N6uM7Qnby +LeIFJLk9UNivre/TYLflPKffxNGCan9ARORgB8hOtxKdmdNChHjg2d3x3mrDpc3d +xFH9H0DhxxxpMCY1UOb6JmTWM2JXqwn8/V8McNAAI+nJie127LRQJQd5pqxsV1+X +h5JP3+48AtnKBL2x7u2ObvFMVlxDvAaq7YM4xbDqhw8v8y/qdf00mlj3yoIDCETb +0tSqr6m0OFJBkJWHl1+uvH2cDdSYA3KU7oBc1zejF6tLqLMkt7ltADgUchlB6rJa +o9H7ASnIRSA7U3r64yW+LAy9yEAcZhdvMfejpn+Y666ef8xVsZZ/TBTb72UCAwEA +AQKCAgAkT5pf+5uH1YBER1KOQTFYhGo8zwFg9EqBhHOLTqXrNzC7NDI3mVmMT1HX +8g13jSs/18Zh+rJUHsaussUU/dND40xCD5FpxD8VdZUJkdP/xbltkpOTtd9ucTxI +DPJ+4UTQuDcy2fg8Dsfz5NMaEl2AmlhC9RJLCcLDvW7Sjn4JITFeT+8CAVgylhy3 +TyLqZuKDuYyNix9HjahMFn20AqUsHkGS1QhJLnDeKR+ZWyantCCZr9750xqifKX1 +u47B+ymHZ6fpH/fFTq6r5mgzQoZSspcwwBtqlistGhqD4P0H3pVto3jqHniPEYdk +qfSGX/ZFoL+XEgXAVczckqMVdjRPS3eq23xLlp3kkSN7I1JVGxfEbatVUSy+WBT6 +IatSXUenbloD9NTcE2v08OTLG2xgAFNl6gC4kTxEnJuXAccFIMXMrbcmiZh4xZxq +SLv/HwRENy3MjE3WMocAZ7ypfUbKEIsVYMaTvyQzXEr7yyTT9qpL2gJRCqaimUbb +YoUXc/RreGgDY3S5S6OETdFXHeps2ObTXUqMWU1pF+X1lKA5c2H7bl5PBRu0KJ9s +uPEln0tmZ02299S1ropCeqjA7YQcrqQnEsbIwt64pynRnFCUJyTSYmUX1C/ewYIa +2AC7CiMQf7eBUZlTuR9G6zqhimEqgd0ZIPvOvDzkBWG51WrMJQKCAQEAxWgZ4jzQ +RBTfXRIpjFZ93KM2Jy8RCDPesTnXvPK73h7AyvMx32ygm6j0m6yUHV8RN75CE2rM +Vb1ogeL1LHgFjZLsM+3SrQUSfW7uZZ4+Fkm/JYF4Qmflch4jJH4MnPy/HgO75nRs +ai2xMil8YnR8QZFpvTrutRkTRK6bSm8N98vjV+bbVw8eFL/dVgLHpdHTLoFBo4Zd +o7CaA4Aje8AabeWd7Yp0cjTGWHWLHFzxDnD9gfWN5eL8ay1QZwW3BFUw+eLuIrRu +UbC54e8RK0lXSAwbGCbof8+nfd7i+vh4lwM5D0HLMmmvpRs5+2BVuOI8gwtxxrwn +T4SFlIEdRRjxDwKCAQEAw/oLsYDrVPzATQkQ6Kec7ayGBWf9+G209MKOHkRNJdC0 +kms7yMckqTWEs5tMgBD8V0BrajmB8cbjR0g6Fe2M2W+mFZ+x55Lw8j/qNEbHKNor 
+p3W50leiSlWbntuaIAnzKDR2QamtEToz6IhMG3mtpxVZBf+fRRoaB/dK098BGHQ9 +J7uTeydf19kwGZoaVZ1EGSsVZTGMQEsNhZzFHbqOUaxiD3+UykyIZ1hO8jNlTdB0 +6yqBbgdetcb1Op6vFVVWswxMeJzDUc5S1ehGYXkthHHbIAXAy4iBEo+fVdxFs5nZ +zk3uauyyKZQ7qM2Cu8sa5TrsRd4GncKNdubNO/2wSwKCAQEAspMiXxMuP3g2OsZU +SXxwbOhD85xTJv1tJRszOtzF8AAX3T+0TO3COC3V4QF0F0HJnIiC03fYEnO+F0lN +CoYkV9ahz7QC0bt153wzMj+84IKj5HTDaib8W4hBuCBCnrzQ0oEEOEv3SvG8iqkW +uSWwxcuaQLEQAUkGsinVlrbxhsitBvZyUsX9Kz4JJmZrXmh6RmZtD1VcXdhC6om/ +D5JPFj0R6TFHd4ygJKNoTScSdULnQOn2DBCS0Q1z304/Ki86l8KeM0zPQxzAek6+ +VE8LIsS4uddwmTYqyOWYpPmidNFYi6G0BA2w84W2pNyXjyExJkZzDRll4jv6bsWB +yeDvJwKCAQEAvp/CrgbLYaB0YLpX0yXudBUjS7DqjbIQmR+BY5lmPUkzy1Q5E8P5 +OgnPqXB+yfc7rJcBpJKJfibKPjTYIyosnfeG4nOydaEtc0WORwktgeQtIDdX52zM +dGeu9qd+1Hk5JrtY5+fmauJlSWMCPJtvuRz/ueD6CBoqheMZytqY0zOFpNdEzj7v +cCJXMh/+S5asfZq1tferB4K5hWSHK7Kh6nm17INZtCkbaQKxz88EU9tXTsPKn77V +dhUvxbRCc4rNyV1GKO+64SDC3ESR6RAYoUKqNQzDinadrfM7tiWLOvaEsLKHHURc +zCremQRFjOsznxNgbVlYsC1ksuovaZIK3wKCAQAHEUZJwbsr1FJ0qmBOjY6ZbssG +icHEweWdXlxaFKjXj+iRdUWRRnmZRhNB1jMCub1jqXweoAnhq3xq3DyVMe0oZMrh +7C5zzsiJYdOuv+PKw0jm+/jylyVxS9FYv++gBZvAwMUt1NFgNgSb2Que+hVPXfwW +MVaVRCKaA38e18WjNeILOTVD0+NeViAaxhBZPz3kTIuLEPiRJxxeC9XQbjPkUz6k +iDxGSc+Epi+TcOqtYjCC/jQiHExcZD3vlIcnXH3tX/mnPdnM8rPnVoEmx/VUHnq1 +/4JPVP8XBMQABRG3BWgn2OqJiPssLk5DukomAWGxSXzGVjUIaxWzwyFD+ZTR +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/ca-key.pem b/istio-1.18.2/samples/certs/ca-key.pem new file mode 100644 index 000000000..faa77f388 --- /dev/null +++ b/istio-1.18.2/samples/certs/ca-key.pem 
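Review bot: RSA private keys for the sample intermediate CAs are checked into the repository here (`ca-key-alt.pem`) and in the `ca-key.pem` hunk that follows, as part of a whole `istio-1.18.2/samples/` tree. The README added in the same directory calls these pre-generated sample material, so the keys are public; any cluster that loads them as a plug-in CA would be issuing workload identities from a key anyone can use. Unless the e2e scripts need these files, I would leave the unpacked Istio release out of version control (for example an ignore rule such as `istio-*/`) and have the tests fetch it at run time. If the directory has to stay, please note in the repository docs that nothing under `samples/certs` may be used outside a throwaway test cluster, and allow-list the two key paths in whatever secret scanner the project runs so that real findings are not buried.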
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 +3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd +Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd +PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs +ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ +t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B +C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN +ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU +8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg +oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf +QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w +J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp +FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ +CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e +DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE +Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN +cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt +yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO +wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY +qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D +Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 +cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 +mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa +8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ +lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== +-----END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/cert-chain-alt.pem b/istio-1.18.2/samples/certs/cert-chain-alt.pem new file mode 100644 index 000000000..dbbd50396 --- /dev/null +++ b/istio-1.18.2/samples/certs/cert-chain-alt.pem 
@@ -0,0 +1,61 @@ +-----BEGIN CERTIFICATE----- +MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw +MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE +AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4 +eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu +f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a +I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw +srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd +PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5 +TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4 +4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0 +UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9 +NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5 +bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW +f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS +BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp +c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC +dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a +WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo +A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty +tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw +JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr +xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k +KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz +kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1 +sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk +Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D +wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- 
+MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw +MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l +OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV +XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5 +nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+ +xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p +7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L +wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq +PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr +2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO +IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf +BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI +1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV +XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3 +OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt +8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7 +Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p +ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8 +cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX +v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff +AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle +OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax +dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL +GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR +5LPKUi9adm4= +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/cert-chain.pem b/istio-1.18.2/samples/certs/cert-chain.pem new file mode 100644 index 000000000..a460e036b --- /dev/null 
+++ b/istio-1.18.2/samples/certs/cert-chain.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/generate-workload.sh b/istio-1.18.2/samples/certs/generate-workload.sh new file mode 100755 index 000000000..2ff08c8e9 --- /dev/null +++ b/istio-1.18.2/samples/certs/generate-workload.sh 
@@ -0,0 +1,111 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +name=${1:-foo} +ns=${2:-$name} +sa=${3:-$name} +tmp=${4:-""} +rootselect=${5:-""} +san="spiffe://trust-domain-$name/ns/$ns/sa/$sa" + +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) + +FINAL_DIR=$DIR +if [ -n "$tmp" ]; then + if [ -d "$tmp" ]; then + FINAL_DIR=$tmp + cp "$DIR"/root-cert.pem "$FINAL_DIR" + cp "$DIR"/ca-cert.pem "$FINAL_DIR" + cp "$DIR"/ca-key.pem "$FINAL_DIR" + cp "$DIR"/cert-chain.pem "$FINAL_DIR" + + cp "$DIR"/root-cert-alt.pem "$FINAL_DIR" + cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR" + cp "$DIR"/ca-key-alt.pem "$FINAL_DIR" + cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR" + + else + echo "tmp argument is not a directory: $tmp" + exit 1 + fi +fi + +function cleanup() { + if [ -f "$FINAL_DIR"/.srl ]; then + rm "$FINAL_DIR"/.srl + fi + if [ -f "$FINAL_DIR"/ca-cert.srl ]; then + rm "$FINAL_DIR"/ca-cert.srl + fi + if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then + rm "$FINAL_DIR"/ca-cert-alt.srl + fi + if [ -f "$FINAL_DIR"/workload.cfg ]; then + rm "$FINAL_DIR"/workload.cfg + fi + if [ -f "$FINAL_DIR"/workload.csr ]; then + rm "$FINAL_DIR"/workload.csr + fi +} + +trap cleanup EXIT + +openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048 + +cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem" +cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem" +cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem" + 
+echo "Generated workload-$sa-[cert|key].pem with URI SAN $san" +openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem" + diff --git a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem new file mode 100644 index 000000000..b5f4752c6 --- /dev/null +++ b/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd +GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR +91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI +j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE +OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw +Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv +bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre +gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C +FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ +4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT +ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE +JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 +8w== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem new file mode 100644 index 000000000..fee6dcf87 --- /dev/null +++ b/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp +tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er +3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh +MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 +IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG ++PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v +bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV +WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC +FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ +q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og +MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE +Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT +bw== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/root-cert-alt.pem b/istio-1.18.2/samples/certs/root-cert-alt.pem new file mode 100644 index 000000000..8dc20f9dc --- /dev/null +++ b/istio-1.18.2/samples/certs/root-cert-alt.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL +BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw +MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE +AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l +OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV +XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5 +nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+ +xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p +7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L +wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq +PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr +2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO +IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf +BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI +1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV +XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3 +OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt +8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7 +Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p +ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8 +cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX +v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff +AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle +OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax +dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL +GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR +5LPKUi9adm4= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/istio-1.18.2/samples/certs/root-cert.pem b/istio-1.18.2/samples/certs/root-cert.pem new file mode 100644 index 000000000..64c3fd50c --- /dev/null +++ b/istio-1.18.2/samples/certs/root-cert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN +8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-bar-cert.pem b/istio-1.18.2/samples/certs/workload-bar-cert.pem new file mode 100644 index 000000000..1b59e9c5b --- /dev/null +++ b/istio-1.18.2/samples/certs/workload-bar-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd +GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR +91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI +j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE +OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw +Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv +bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre +gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C +FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ +4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT +ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE +JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 +8w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-bar-key.pem b/istio-1.18.2/samples/certs/workload-bar-key.pem new file mode 100644 index 000000000..1b7889a95 --- /dev/null +++ b/istio-1.18.2/samples/certs/workload-bar-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA6p867UZ0Fc1u8L2Jayoc5YgRB4pM7xRNJg7N+VcpAd0YILjZ +NK765FEfzTxCfLPwJ7p4knVTA/6btLbNl81tjUvZUm9ZuhC0ULt6BvGnZ5H3WsnZ +aZGJA7pmgCZAb5RVpUyOpa2s7In+2TONdKyRldxtSRaSs88CTGxIFFagJciPbfR1 +EqCC/NmAiAGbg18OOt2PsCbARkDS3OI8XL/mH7pckSoPxwU7MqPRKinzQYQ7NIHz +MOdkKiYXPwJm/ZZSQmOeCPus4P5ygLUuhYmJSVMUx0CeDBJY+zJqqlm0MPAK34Kz +nWWGRBBcLpve30P1sdtcDFiwRwdqpH50pVUciwIDAQABAoIBABVjCmYSpAZQwaok +POCN6DBsJNFBJB4vBZFQjCoMbeqDku14rCQHR0uEsZdtxMnFRUD52H/RPg4BKYRh +nYAW88OLhHXlPJKfbzBkxozXfmEMhzW5bJ4Y7Bpw5WMNGZaSOPRmdCJaIIc3VQnL +jztxd5vnifa9ngXR+u2oeTGRa+vFncwtf+lDjid6KOsclFEOVRquT9e3BgccwWJL +O7k8GZzHCWj+jxeExrcoD5NMulHZGDTc49ZZeqpVIwQnhFEe+e6LcZ7jaHs1AgUK +v3cHVQUoeHa+NYATeoyXWUJzD0vW6fTgxUrf+GNrtdmbwaoGW4+FmsYKB0YD2FO3 +bQ5cQWECgYEA+sXSllaDmrwFhX7Tga7nHN74maGk0V4eUnVQ2rkwRXgwaUh+V3K7 +5jJ1ZTZuWYbAWup+rVt0cAb0Ja8zBnnkHRdwe0gQqtoj+5YdD8RAluBJePFigp77 +pK+JfdiYnA0JC3Z+7gkeWM/uY9ojDuasX83yVf7Kgm+7HMUrh5dGaDMCgYEA74M5 +Q32oM8zxGm9ck82rh7ox0NwTeIrwr5U42QFqT0h26nR3m51l8odj3rz0WnRtOfAl +sjJ3y5tygdVLMzwpuHzpA/iq7YRY04+g7Q5MoVAImLKzKJzIxZra+6eo2ctcQCBO +U90+jY4C4/YgvTYKnndFvlVXcXXNyhPJKlfLAkkCgYEA8yOWmHjtRLuERvi+rYAd +SJrPQnW9TdoJYD2q1Ua0jMaJear2BGeT0w+dTzLFLzw9iGjPxdlkPbIgSeFigabx +C1vMjVtD/cNfG/Fh4AWR8jcoRYEU2Dy5E+W2UzQMU1E4McsEKlrg948zPdEkKLBy +9LjDe6l8Q5d9PdnV6LM9ao0CgYAnY7NVMCMrcbbtHAdjn11oUuzCZo8lMeRnW+kf +dyYep9I2uLS6+OW9PxrjlLuy7JbSAnaQmdAtwgDQ7V0SrgBGgPRpXMnvieZ51JMo +qUNc/CaNxkXElhRGuzLsVCRmvRUMzsNS833IFeTPzLiRpYOVkBP+O1bIKBGR/DMH +La0LUQKBgQD0Jea309Qr3CZIDp8IYnthYHIezDPmRBbyMKK5kTj/GC19JIXJoonw +nUw9vpVp+WdBy+ZP/567eUp9RrG9xP+OrirWeUT8UFdmpc+JbI54b2tX0UgUePKm +oKXf/DlOM5K2gDaIL+wlFYuxdrLtFCxvFP+7ihueivunjbtENQqdGA== +-----END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem b/istio-1.18.2/samples/certs/workload-bar-root-certs.pem new file mode 100644 index 000000000..9a43073e2 --- /dev/null +++ b/istio-1.18.2/samples/certs/workload-bar-root-certs.pem 
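Review bot: An unencrypted RSA private key is committed in `workload-bar-key.pem`, and `workload-foo-key.pem` further down in this patch does the same. The paths suggest these are the sample certificates shipped with the Istio release, so the key material has to be treated as public: no test, image or manifest in this repository should trust a chain ending in these keys outside a throwaway demo. The commit subject only mentions a dependency upgrade, so the `istio-1.18.2/` tree may have been added by accident (for example an unpacked release download); if so, drop it from the commit and ignore the directory. If it is intentional, generate such keys at test time instead of storing them, or mark the directory clearly as demo-only material.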
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
+8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-foo-cert.pem b/istio-1.18.2/samples/certs/workload-foo-cert.pem new file mode 100644 index 000000000..50197b987 --- /dev/null +++ b/istio-1.18.2/samples/certs/workload-foo-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp +tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er +3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh +MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 +IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG ++PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v +bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV +WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC +FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ +q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og +MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE +Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT +bw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-foo-key.pem b/istio-1.18.2/samples/certs/workload-foo-key.pem new file mode 100644 index 000000000..bac90f1ed --- /dev/null +++ b/istio-1.18.2/samples/certs/workload-foo-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAxEV57zKbR02IsRorjqvdrEeZJo8S77zB5iyrknP76mm2ktit +HFXv1Q8rMqowuZ9xrUpSzo9iQKKl/+Gy82MvCRB/VFGl1JweTXtUr8BrQSveZogP +DlPNF6p3sx+CwhRK2bLpPRZXLMwdUCMNX9pGRPDNbCnb1smB+S8jb9DL0yEw4005 +nf6b5RwgriimCDsaY3DKd+s/GFZ9SyC1gSlpNcRsk6OpCH/wijnogrgBtLki80V8 +3ZEouLTCD1jOB36h2iJ+m6ZpM/qK4mmiFLIKCmGvxreNfkO5Q1d2696LAwb48RJz +RBIbMBYDXX89YLW/SdTjmhZMHfWJt24ZZ6ebZwIDAQABAoIBAQC+W0vZrFFhpFcw +vVsFcrb6Qi7NcPJCxeWhIi39SrRHM+Q5JCExXD/RenbBGsNLJNMR6QXLBNGcMqOh +OvtehxG1TuTPmKinPgs9xqHqG0tq1+tJsig4ExrVGyYg+izNovS9k4IXFzXRYt4D +PRvZnU+NyabSgv6OoL2IOim6Zt1olBIHK0u57bNEFLoLJBHi+/qxVo1H1ZxW4eg/ +/hCkg8IlT7G1wrT9uwAU5ld6wpG6OYub4uHLPsoyWB4E2vl1/liZq4MnUJG0M5m5 +QWHy9wL3jow/LtjVvcn/I09YIJKI9BocUi6/ze/Boy1zo4cL+cryLpfplIhZ0u/N +a/S/222BAoGBAPPXTLJyfSEt70+H2iYPKEBMVo8UBAW2rSICOCMvKZJuCuqccB75 +Jy6h+BQtIJZf+rnNzlG4EH6Vjb4mC/YYBf0U1inpCsdKcw96hv7+EYzBtKf/lK9N +au+AEAgngr1xgA+M84jMWnosFMNw88pO6j260y1aMUmLD8onrnglPcEHAoGBAM4O +79WMqTXipgvQzx66KeQQs6Gf1nwh4Ut9NYs2nk4KQrkAHd4zuURFlxdnqr/mC4wb +nsLCdFOOZaiWIIG93lp0Ox0dLar2jJK88WfCzzerUBljMRv8xJZBLOe7rv5iawVC +mBnZE606m1kTrj6wY5M7TsZiIIeYQcmlJNmW9ZqhAoGBAMY+iqqiDj2FfQTp7F/4 +/r6X0d/tY//JLyVxLHbehyv3r4Riv31PD54ILQsqTU40pkGdo1opDa/8owqvIBZq +HaRO5neYchzo2HcDJPH3WglYCypyzk1f4crqER6wEMk4l+cMr4rOqdieMhtbn7kh +Q6wAUmSS6XNjTekLLfucO4LNAoGBAIjIgYxQg0Kx4WeWhObwzT4HmDaB0+8yzks+ +Inz3FL7ZMNF9slX+H82iJFn1BvO70Y6ABzNhwbZ1oCX5Ajsdvqxs25DH/bivUUFX +CyjFuKhLoDA6GC9r61OSkCyD+fYDfudO/YirANTNQrIuzkvu6yqhA/nMyas49vLU +HVITU5YBAoGBANJVeCLwpjoK2ROM6mIQrHtBR5Ft0a5DhjQWT/6FrsUXGYH3nsdt +cEUCJsBU7z46GcByRIT25xGimoitQppsw6Wcf0gtjNyqbF56aejjEkd5LNtm77gz +9wNya77NzyrtiAjG9TCnDPJUX7satEoXgEGMxmtoiQ+pbD3nvJsFjkZQ +-----END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem b/istio-1.18.2/samples/certs/workload-foo-root-certs.pem new file mode 100644 index 000000000..9a43073e2 --- /dev/null +++ b/istio-1.18.2/samples/certs/workload-foo-root-certs.pem 
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
+8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.18.2/samples/cicd/skaffold/README.md b/istio-1.18.2/samples/cicd/skaffold/README.md new file mode 100644 index 000000000..a8fa19abb --- /dev/null +++ b/istio-1.18.2/samples/cicd/skaffold/README.md 
@@ -0,0 +1,45 @@ +# Skaffold + +This is intended for demonstration only, and is not tuned for performance or security. + +skaffold is a tool that enables fast development iteration and controls deployment to local or remote clusters + +If running `skaffold run` for deployment, manifests are pulled from remote charts, if running `skaffold dev` for development and hot reload, manifests are pulled from current branch. + +## Quick Start + +skaffold is built around modules and profiles + +1) istio-base + istio + + ```bash + skaffold run -m istiod + ``` + +2) istio-base + istio + ingress + + ```bash + skaffold run -m ingress + ``` + +3) istio-base + istio + ingress + kiali + + ```bash + skaffold run -m ingress,kiali + ``` + +4) istio-base + istio + ingress + kiali + bookinfo + + ```bash + skaffold run -m ingress,kiali,bookinfo + ``` + +## References + +- Github: [github.com/GoogleContainerTools/skaffold](https://github.com/GoogleContainerTools/skaffold) +- Site: [skaffold.dev](https://skaffold.dev/) + +### TODO + +- Add build and test stage for images in istiod (pilot and proxy) +- Addons diff --git a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml b/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml new file mode 100644 index 000000000..b67aa2891 --- /dev/null +++ b/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml 
@@ -0,0 +1,145 @@
+# Skaffold - https://skaffold.dev/
+# ------------------------------------------------ #
+# This is for illustration purposes only
+# ------------------------------------------------ #
+# Installation options & modules
+# ------------------------------------------------ #
+# istio - `skaffold run -m istiod`
+# ingress - `skaffold run -m ingress`
+# Addons:
+# - kiali - `skaffold run -m kiali`
+# - prometheus - `skaffold run -m prometheus`
+# Demos:
+# - bookinfo - `skaffold run -m bookinfo`
+# ------------------------------------------------ #
+# Development mode - skaffold dev #
+# ------------------------------------------------- #
+apiVersion: skaffold/v2beta22
+kind: Config
+metadata:
+ name: istio-base
+profiles:
+ - name: dev
+ activation:
+ - command: dev
+ deploy:
+ helm:
+ releases:
+ - name: istio-base
+ chartPath: ../../../manifests/charts/base
+ namespace: istio-system
+ createNamespace: true
+ - name: run
+ activation:
+ - command: run
+ deploy:
+ helm:
+ releases:
+ - name: istio-base
+ remoteChart: base
+ repo: https://istio-release.storage.googleapis.com/charts
+ namespace: istio-system
+ createNamespace: true
+---
+apiVersion: skaffold/v2beta22
+kind: Config
+metadata:
+ name: istiod
+requires:
+ - configs: [istio-base]
+profiles:
+ - name: dev
+ activation:
+ - command: dev
+ deploy:
+ helm:
+ releases:
+ - name: istiod
+ chartPath: ../../../manifests/charts/istio-control/istio-discovery
+ namespace: istio-system
+ - name: run
+ activation:
+ - command: run
+ deploy:
+ helm:
+ releases:
+ - name: istiod
+ remoteChart: istiod
+ repo: https://istio-release.storage.googleapis.com/charts
+ namespace: istio-system
+---
+apiVersion: skaffold/v2beta22
+kind: Config
+metadata:
+ name: ingress
+requires:
+ - configs: [istiod]
+profiles:
+ - name: dev
+ activation:
+ - command: dev
+ deploy:
+ helm:
+ releases:
+ - name: istio-ingressgateway
+ chartPath: ../../../manifests/charts/gateway
+ namespace: istio-system
+ - name: run
+ activation:
+ - command: run
+ deploy:
+ helm:
+ releases:
+ - name: istio-ingressgateway
+ remoteChart: gateway
+ repo: https://istio-release.storage.googleapis.com/charts
+ namespace: istio-system
+---
+# https://istio.io/latest/docs/ops/integrations/prometheus/
+apiVersion: skaffold/v2beta22
+kind: Config
+metadata:
+ name: prometheus
+requires:
+ - configs: [istiod]
+deploy:
+ kubectl:
+ manifests: ["../../../samples/addons/prometheus.yaml"]
+---
+apiVersion: skaffold/v2beta22
+kind: Config
+metadata:
+ name: kiali
+requires:
+ - configs: [prometheus]
+deploy:
+ helm:
+ releases:
+ - name: kiali-server
+ remoteChart: kiali-server
+ repo: https://kiali.org/helm-charts
+ namespace: istio-system
+ version: v1.44.0
+ valuesFiles: [../../../manifests/addons/values-kiali.yaml]
+---
+# Config for https://istio.io/latest/docs/examples/bookinfo/
+apiVersion: skaffold/v2beta22
+kind: Config
+metadata:
+ name: bookinfo
+requires:
+ - configs: [ingress]
+deploy:
+ kubectl:
+ hooks:
+ before:
+ - host:
+ command: ["sh", "-c", "kubectl label namespace default istio-injection=enabled --overwrite"]
+ os: [darwin, linux]
+ - host:
+ command: ["cmd.exe", "/C", "kubectl label namespace default istio-injection=enabled --overwrite"]
+ os: [windows]
+ manifests:
+ - "../../../samples/bookinfo/platform/kube/bookinfo.yaml"
+ - "../../../samples/bookinfo/networking/bookinfo-gateway.yaml"
+ - "../../../samples/bookinfo/networking/destination-rule-all.yaml"
diff --git a/istio-1.18.2/samples/cicd/skaffold/README.md b/istio-1.18.2/samples/custom-bootstrap/README.md
new file mode 100644
index 000000000..814e7dcc2
--- /dev/null
+++ b/istio-1.18.2/samples/custom-bootstrap/README.md
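Review bot: The `run` profiles for `istio-base`, `istiod` and `istio-ingressgateway` in `skaffold.yaml` install `remoteChart` releases from `https://istio-release.storage.googleapis.com/charts` without a `version`, so every `skaffold run` deploys whatever chart the repository serves at that moment. Only the `kiali-server` release is pinned (`version: v1.44.0`). Add an explicit chart version to each of the three releases, for example `version: 1.18.2` to match the directory this sample sits in, so that a deployment is reproducible and a changed chart upstream is not picked up silently into `istio-system`.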
@@ -0,0 +1,52 @@
+# Custom Envoy Bootstrap Configuration
+
+This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file.
+
+## Starting the service
+
+First, we need to create a `ConfigMap` resource with our bootstrap configuration.
+
+```bash
+kubectl apply -f custom-bootstrap.yaml
+```
+
+Next, we can create a service that uses this bootstrap configuration.
+
+To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value.
+
+We can create our helloworld app, using the custom config, with:
+
+```bash
+kubectl apply -f example-app.yaml
+```
+
+If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
+set in your cluster you will need to manually inject it to the services instead:
+
+```bash
+istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml
+kubectl apply -f example-app-istio.yaml
+```
+
+## Checking the Bootstrap Configuration
+
+To see what bootstrap configuration a pod is using:
+
+```bash
+istioctl proxy-config bootstrap
+```
+
+## Customizing the Bootstrap
+
+The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag.
+
+This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended.
+
+For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful
+
+## Cleanup
+
+```bash
+kubectl delete -f custom-bootstrap.yaml
+kubectl delete -f example-app.yaml
+```
diff --git a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml b/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml
new file mode 100644
index 000000000..5f4069762
--- /dev/null
+++ b/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-custom-bootstrap-config
+ namespace: default
+data:
+ custom_bootstrap.json: |
+ "tracing": {
+ "http": {
+ "name": "envoy.tracers.zipkin",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
+ "collector_cluster": "zipkin",
+ "collector_endpoint": "/api/v1/spans/custom",
+ "collector_endpoint_version": "HTTP_JSON",
+ "trace_id_128bit": true,
+ "shared_span_context": false
+ }
+ }
+ }
diff --git a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml b/istio-1.18.2/samples/custom-bootstrap/example-app.yaml
new file mode 100644
index 000000000..3a351a318
--- /dev/null
+++ b/istio-1.18.2/samples/custom-bootstrap/example-app.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-v1
+ labels:
+ app: helloworld
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ version: v1
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config"
+ labels:
+ app: helloworld
+ version: v1
+ spec:
+ containers:
+ - name: helloworld
+ image: docker.io/istio/examples-helloworld-v1
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5000
diff --git a/istio-1.18.2/samples/extauthz/README.md b/istio-1.18.2/samples/extauthz/README.md
new file mode 100644
index 000000000..1aba62b63
--- /dev/null
+++ b/istio-1.18.2/samples/extauthz/README.md
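Review bot: `image: docker.io/istio/examples-helloworld-v1` in `example-app.yaml` has no tag or digest, so it resolves to `latest`. With `imagePullPolicy: IfNotPresent` each node keeps whichever build it pulled first, so replicas can run different code. `ext-authz.yaml` later in this patch has the same problem with `gcr.io/istio-testing/ext-authz:latest`, which matters more there because that container makes the allow/deny decision. Pin both to a released tag or a digest, e.g. `image: docker.io/istio/examples-helloworld-v1@sha256:<DIGEST>` (placeholder), so the workload that runs is the one that was reviewed.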
@@ -0,0 +1,99 @@ +# Ext Authz Service + +[Ext Authz server](cmd/extauthz) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter) +as an example of integrating custom authorization system into Istio. + +The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and +will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`. +Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server. + +## Usage + +1. Deploy the Ext Authz service in a dedicated pod: + + ```console + $ kubectl apply -f ext-authz.yaml + service/ext-authz created + deployment.apps/ext-authz created + ``` + + Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`. + +1. Verify the Ext Authz server is up and running: + + Deploy a sleep pod to send the request: + + ```console + $ kubectl apply -f ../sleep/sleep.yaml + ``` + + Send a check request with header `x-ext-authz: allow` to the Ext Authz server: + + ```console + $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow" + * Trying 10.97.88.183:8000... 
+ * Connected to ext-authz-server (10.97.88.183) port 8000 (#0) + > GET / HTTP/1.1 + > Host: ext-authz-server:8000 + > User-Agent: curl/7.73.0-DEV + > Accept: */* + > x-ext-authz: allow + > + * Mark bundle as not supporting multiuse + < HTTP/1.1 200 OK + < x-ext-authz-result: allowed + < date: Tue, 03 Nov 2020 03:06:11 GMT + < content-length: 0 + < x-envoy-upstream-service-time: 19 + < server: envoy + < + * Connection #0 to host ext-authz-server left intact + ``` + + As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server. + + Send another check request with `x-ext-authz: blabla` to the Ext Authz server: + + ```console + $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla" + > GET / HTTP/1.1 + > Host: ext-authz-server:8000 + > User-Agent: curl/7.73.0-DEV + > Accept: */* + > x-ext-authz: allowx + > + * Mark bundle as not supporting multiuse + < HTTP/1.1 403 Forbidden + < x-ext-authz-check-result: denied + < date: Tue, 03 Nov 2020 03:14:02 GMT + < content-length: 76 + < content-type: text/plain; charset=utf-8 + < x-envoy-upstream-service-time: 44 + < server: envoy + < + * Connection #0 to host ext-authz-server left intact + denied by ext_authz for not found header `x-ext-authz: allow` in the request + ``` + + As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server. + +1. To clean up, execute the following commands: + + ```console + $ kubectl delete -f ../sleep/sleep.yaml + $ kubectl delete -f ext-authz.yaml + ``` + +## Advanced features + +The Ext Authz server supports the following advanced features that are useful for testing: + +- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of + the check request it received from the ext-authz filter. 
This header is useful in verifying the ext-authz filter sending + the expected request to the ext authz server. + +- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to + the user request. The value of the header depends on the type of ext-authz server. + The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the + check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`. + This header is useful in verifying the header override behavior in the ext-authz filter. diff --git a/istio-1.18.2/samples/extauthz/ext-authz.yaml b/istio-1.18.2/samples/extauthz/ext-authz.yaml new file mode 100644 index 000000000..0860df5c0 --- /dev/null +++ b/istio-1.18.2/samples/extauthz/ext-authz.yaml 
@@ -0,0 +1,55 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Example configurations for deploying ext-authz server separately in the mesh.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: ext-authz
+ labels:
+ app: ext-authz
+spec:
+ ports:
+ - name: http
+ port: 8000
+ targetPort: 8000
+ - name: grpc
+ port: 9000
+ targetPort: 9000
+ selector:
+ app: ext-authz
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ext-authz
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ext-authz
+ template:
+ metadata:
+ labels:
+ app: ext-authz
+ spec:
+ containers:
+ - image: gcr.io/istio-testing/ext-authz:latest
+ imagePullPolicy: IfNotPresent
+ name: ext-authz
+ ports:
+ - containerPort: 8000
+ - containerPort: 9000
+---
diff --git a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml b/istio-1.18.2/samples/extauthz/local-ext-authz.yaml
new file mode 100644
index 000000000..60a9bf85b
--- /dev/null
+++ b/istio-1.18.2/samples/extauthz/local-ext-authz.yaml
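Review bot: The `istio-1.18.2/` prefix on this new file suggests an unpacked Istio release archive was committed along with the change; nothing visible in the patch shows the project consuming these samples, so confirm this is intentional and otherwise drop the directory and ignore it (for example an `istio-*/` entry in `.gitignore`). If the sample is meant to stay, the Deployment at the end of the hunk pulls `gcr.io/istio-testing/ext-authz:latest` with `imagePullPolicy: IfNotPresent`, a mutable tag from a testing registry, so what actually runs depends on whatever each node has cached. Pinning a release tag or an image digest would make the authorization server under test reproducible. The same two points apply to the other files added under `istio-1.18.2/samples/` in this patch, including `local-ext-authz.yaml` and `grpc-echo.yaml`, which use `:latest` images as well.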
@@ -0,0 +1,99 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Example configurations for deploying ext-authz server locally with the application container in the same pod.
+
+# Define the service entry for the local ext-authz service on port 8000.
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: httpbin-ext-authz-http
+spec:
+ hosts:
+ - "ext-authz-http.local"
+ endpoints:
+ - address: "127.0.0.1"
+ ports:
+ - name: http
+ number: 8000
+ protocol: HTTP
+ resolution: STATIC
+---
+# Define the service entry for the local ext-authz service on port 9000.
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: httpbin-ext-authz-grpc
+spec:
+ hosts:
+ - "ext-authz-grpc.local"
+ endpoints:
+ - address: "127.0.0.1"
+ ports:
+ - name: grpc
+ number: 9000
+ protocol: GRPC
+ resolution: STATIC
+---
+# Deploy the ext-authz server locally with the application container in the same pod.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: httpbin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: httpbin
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: httpbin
+ version: v1
+ spec:
+ serviceAccountName: httpbin
+ containers:
+ - image: docker.io/kong/httpbin
+ imagePullPolicy: IfNotPresent
+ name: httpbin
+ ports:
+ - containerPort: 80
+ - image: gcr.io/istio-testing/ext-authz:latest
+ imagePullPolicy: IfNotPresent
+ name: ext-authz
+ ports:
+ - containerPort: 8000
+ - containerPort: 9000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: httpbin
+ labels:
+ app: httpbin
+ service: httpbin
+spec:
+ ports:
+ - name: http
+ port: 8000
+ targetPort: 80
+ selector:
+ app: httpbin
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: httpbin
+---
diff --git a/istio-1.18.2/samples/external/README.md b/istio-1.18.2/samples/external/README.md
new file mode 100644
index 000000000..e17198b8d
--- /dev/null
+++ b/istio-1.18.2/samples/external/README.md
@@ -0,0 +1,34 @@
+# External Services
+
+By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.
+
+See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for
+information on configuring Istio to contact external services.
+
+This directory contains samples showing how to enable pods to contact a few well
+known services.
+
+If Istio is not configured to allow pods to contact external services, the pods will
+see errors such as 404s, HTTPS connection problems, and TCP connection problems. If
+ServiceEntries are misconfigured pods may see problems with server names.
+
+## Try it out
+
+After an operator runs `kubectl create -f aptget.yaml` pods will be able to
+succeed with `apt-get update` and `apt-get install`.
+
+After an operator runs `kubectl create -f github.yaml` pods will be able to
+succeed with `git clone https://github.com/fortio/fortio.git`.
+
+Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`.
+
+It is not a best practice to enable pods to update libraries dynamically.
+We are providing these samples
+because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud
+services.
+
+### Enable communication by default
+
+Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique
+discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will
+allow external communication for ports 80 and 22.
diff --git a/istio-1.18.2/samples/external/aptget.yaml b/istio-1.18.2/samples/external/aptget.yaml
new file mode 100644
index 000000000..fa24fa451
--- /dev/null
+++ b/istio-1.18.2/samples/external/aptget.yaml
@@ -0,0 +1,20 @@
+# This ServiceEntry exposes the hosts needed for installing packages with apt-get.
+# After applying this file, Istio-enabled pods (configured apt-get) be able to execute
+# `apt-get upgrade` and `apt-get install`. If this is not installed you may get
+# "404 Not Found"
+
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: make-aptget-work
+spec:
+ hosts:
+ - deb.debian.org
+ - cdn-fastly.deb.debian.org
+ - security.debian.org
+ - archive.ubuntu.com
+ - security.ubuntu.com
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
diff --git a/istio-1.18.2/samples/external/github.yaml b/istio-1.18.2/samples/external/github.yaml
new file mode 100644
index 000000000..832cbc379
--- /dev/null
+++ b/istio-1.18.2/samples/external/github.yaml
@@ -0,0 +1,53 @@
+# This ServiceEntry exposes the hosts needed for github.com.
+# After applying this file, Istio-enabled pods will be able to execute
+# `git clone https://github.com/istio/api.git` and (with local identification
+# config and certificate) `git clone git@github.com:istio/api.git`
+
+# HTTP and TLS, the host must be specified
+# See https://istio.io/docs/tasks/traffic-management/egress/
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: github-https
+spec:
+ hosts:
+ - github.com
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+---
+# For TCP services the IP ranges SHOULD be specified to avoid problems
+# if multiple SEs use the same port number.
+# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: github-tcp
+spec:
+ hosts:
+ - dummy.github.com # not used
+ addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/
+ - "13.229.188.59/32"
+ - "13.250.177.223/32"
+ - "140.82.112.0/20"
+ - "18.194.104.89/32"
+ - "18.195.85.27/32"
+ - "185.199.108.0/22"
+ - "185.199.108.153/32"
+ - "185.199.109.153/32"
+ - "185.199.110.153/32"
+ - "185.199.111.153/32"
+ - "192.30.252.0/22"
+ - "192.30.252.153/32"
+ - "192.30.252.154/32"
+ - "23.20.92.3/32"
+ - "35.159.8.160/32"
+ - "52.74.223.119/32"
+ - "54.166.52.62/32"
+ - "54.87.5.173/32"
+ ports:
+ - name: tcp
+ number: 22
+ protocol: tcp
+ location: MESH_EXTERNAL
diff --git a/istio-1.18.2/samples/external/pypi.yaml b/istio-1.18.2/samples/external/pypi.yaml
new file mode 100644
index 000000000..7f457a5af
--- /dev/null
+++ b/istio-1.18.2/samples/external/pypi.yaml
@@ -0,0 +1,44 @@
+# This ServiceEntry exposes the hosts needed for Python `pip`.
+# After applying this file, Istio-enabled pods will be able to execute
+# `pip search istio`.
+
+# HTTP and TLS, the host must be specified
+# See https://istio.io/docs/tasks/traffic-management/egress/
+
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: python-https
+spec:
+ hosts:
+ - pypi.python.org
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+---
+# pypi.python.org may 301 redirect to pypi.org, so we need this too.
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: pypi-https
+spec:
+ hosts:
+ - pypi.org
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+---
+# pip install may fetch files from files.pythonhosted.org
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: pythonhosted-https
+spec:
+ hosts:
+ - files.pythonhosted.org
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
diff --git a/istio-1.18.2/samples/grpc-echo/README.md b/istio-1.18.2/samples/grpc-echo/README.md
new file mode 100644
index 000000000..466316988
--- /dev/null
+++ b/istio-1.18.2/samples/grpc-echo/README.md
@@ -0,0 +1,7 @@
+# grpc-echo
+
+This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`.
+The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy.
+
+See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more
+information.
diff --git a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml b/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml
new file mode 100644
index 000000000..fb3899c36
--- /dev/null
+++ b/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml
@@ -0,0 +1,197 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: echo
+ name: echo
+ namespace: echo-grpc
+spec:
+ selector:
+ app: echo
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ targetPort: 18080
+ - name: grpc
+ port: 7070
+ targetPort: 17070
+ - name: tcp
+ port: 9090
+ targetPort: 19090
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: echo-v1
+ namespace: echo-grpc
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: echo
+ version: v1
+ template:
+ metadata:
+ annotations:
+ inject.istio.io/templates: grpc-agent
+ proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'
+ labels:
+ app: echo
+ version: v1
+ spec:
+ containers:
+ - args:
+ - --metrics=15014
+ - --port
+ - "18080"
+ - --tcp
+ - "19090"
+ - --xds-grpc-server=17070
+ - --grpc
+ - "17070"
+ - --grpc
+ - "17171"
+ - --port
+ - "3333"
+ - --port
+ - "8080"
+ - --version
+ - v1
+ - --crt=/cert.crt
+ - --key=/cert.key
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: gcr.io/istio-testing/app:latest
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 10
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: tcp-health-port
+ timeoutSeconds: 1
+ name: app
+ ports:
+ - containerPort: 17070
+ protocol: TCP
+ - containerPort: 17171
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 3333
+ name: tcp-health-port
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 10
+ httpGet:
+ path: /
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ runAsGroup: 1338
+ runAsUser: 1338
+ startupProbe:
+ failureThreshold: 10
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: tcp-health-port
+ timeoutSeconds: 1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: echo-v2
+ namespace: echo-grpc
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app:
echo
+ version: v2
+ template:
+ metadata:
+ annotations:
+ inject.istio.io/templates: grpc-agent
+ proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'
+ labels:
+ app: echo
+ version: v2
+ spec:
+ containers:
+ - args:
+ - --metrics=15014
+ - --xds-grpc-server=17070
+ - --port
+ - "18080"
+ - --tcp
+ - "19090"
+ - --grpc
+ - "17070"
+ - --grpc
+ - "17171"
+ - --port
+ - "3333"
+ - --port
+ - "8080"
+ - --version
+ - v2
+ - --crt=/cert.crt
+ - --key=/cert.key
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: gcr.io/istio-testing/app:latest
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 10
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: tcp-health-port
+ timeoutSeconds: 1
+ name: app
+ ports:
+ - containerPort: 17070
+ protocol: TCP
+ - containerPort: 17171
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 3333
+ name: tcp-health-port
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 10
+ httpGet:
+ path: /
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ runAsGroup: 1338
+ runAsUser: 1338
+ startupProbe:
+ failureThreshold: 10
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: tcp-health-port
+ timeoutSeconds: 1
diff --git a/istio-1.18.2/samples/health-check/liveness-command.yaml b/istio-1.18.2/samples/health-check/liveness-command.yaml
new file mode 100644
index 000000000..247b55e5a
--- /dev/null
+++ b/istio-1.18.2/samples/health-check/liveness-command.yaml
@@ -0,0 +1,58 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Liveness service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness
+ labels:
+ app: liveness
+ service: liveness
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: liveness
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness
+spec:
+ selector:
+ matchLabels:
+ app: liveness
+ template:
+ metadata:
+ labels:
+ app: liveness
+ spec:
+ containers:
+ - name: liveness
+ image: registry.k8s.io/busybox
+ args:
+ - /bin/sh
+ - -c
+ - touch /tmp/healthy; sleep 3600
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml b/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml
new file mode 100644
index 000000000..a39a3ff11
--- /dev/null
+++ b/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness-http
+ labels:
+ app: liveness-http
+ service: liveness-http
+spec:
+ ports:
+ - name: http
+ port: 8001
+ selector:
+ app: liveness-http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness-http
+spec:
+ selector:
+ matchLabels:
+ app: liveness-http
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: liveness-http
+ version: v1
+ spec:
+ containers:
+ - name: liveness-http
+ image: docker.io/istio/health:example
+ ports:
+ - containerPort: 8001
+ livenessProbe:
+ httpGet:
+ path: /foo
+ port: 8001
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/istio-1.18.2/samples/helloworld/README.md b/istio-1.18.2/samples/helloworld/README.md
new file mode 100644
index 000000000..e41bd1679
--- /dev/null
+++ b/istio-1.18.2/samples/helloworld/README.md
@@ -0,0 +1,110 @@
+# Helloworld service
+
+This sample includes two versions of a simple helloworld service that returns its version
+and instance (hostname) when called.
+It can be used as a test service when experimenting with version routing.
+
+This service is also used to demonstrate canary deployments working in conjunction with autoscaling.
+See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary).
+
+## Start the helloworld service
+
+The following commands assume you have
+[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)
+enabled in your cluster.
+If not, you'll need to modify them to include
+[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection).
+
+To run both versions of the helloworld service, use the following command:
+
+```bash
+kubectl apply -f helloworld.yaml
+```
+
+Alternatively, you can run just one version at a time by first defining the service:
+
+```bash
+kubectl apply -f helloworld.yaml -l service=helloworld
+```
+
+and then deploying version v1, v2, or both:
+
+```bash
+kubectl apply -f helloworld.yaml -l version=v1
+kubectl apply -f helloworld.yaml -l version=v2
+```
+
+For even more flexibility, there is also a script, `gen-helloworld.sh`, that will
+generate YAML for the helloworld service. This script takes the following
+arguments:
+
+Argument | Default | Description
+-------- | ------- | -----------
+`-h`,`--help` | | Prints usage information.
+`--version` | `v1` | Specifies the version that will be returned by the helloworld service.
+`--includeService` | `true` | If `true` the service will be included in the YAML.
+`--includeDeployment` | `true` | If `true` the deployment will be included in the YAML.
+
+You can use this script to deploy a custom version:
+
+```bash
+./gen-helloworld.sh --version customversion | \
+ kubectl apply -f -
+```
+
+## Configure the helloworld gateway
+
+*___Note:___ Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). You can use the Gateway API to configure the helloworld service, instead of the classic Istio configuration model, by following the instructions in [./gateway-api/README.md](./gateway-api/README.md), instead of the instructions below.*
+
+Apply the helloworld gateway configuration:
+
+```bash
+kubectl apply -f helloworld-gateway.yaml
+```
+
+Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports)
+to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl:
+
+```bash
+export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
+curl http://$GATEWAY_URL/hello
+```
+
+## Autoscale the services
+
+Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
+only works if all containers in the pods request cpu. In this sample the deployment
+containers in `helloworld.yaml` are configured with the request.
+The injected istio-proxy containers also include cpu requests,
+making the helloworld service ready for autoscaling.
+
+Enable autoscaling on both versions of the service:
+
+```bash
+kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10
+kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10
+kubectl get hpa
+```
+
+## Generate load
+
+```bash
+./loadgen.sh &
+./loadgen.sh & # run it twice to generate lots of load
+```
+
+Wait for about 2 minutes and then check the number of replicas:
+
+```bash
+kubectl get hpa
+```
+
+If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1.
+
+## Cleanup
+
+```bash
+kubectl delete -f helloworld.yaml
+kubectl delete -f helloworld-gateway.yaml
+kubectl delete hpa helloworld-v1 helloworld-v2
+```
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/README.md b/istio-1.18.2/samples/helloworld/gateway-api/README.md
new file mode 100644
index 000000000..ee37810e0
--- /dev/null
+++ b/istio-1.18.2/samples/helloworld/gateway-api/README.md
@@ -0,0 +1,74 @@
+# Configure helloworld using the Kubernetes Gateway API
+
+Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/).
+You can use the following instructions to configure the ingress gateway and routing for the helloworld sample.
+
+## Before you begin
+
+The Gateway API CRDs do not come installed by default on most Kubernetes clusters, so install them if not present:
+
+```bash
+kubectl get crd gateways.gateway.networking.k8s.io || \
+ { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; }
+```
+
+Also make sure you are running two versions (v1 and v2) of the helloworld service:
+
+```bash
+kubectl apply -f ../helloworld.yaml
+```
+
+## Configure the helloworld gateway
+
+Apply the helloworld gateway configuration:
+
+```bash
+kubectl apply -f ./helloworld-gateway.yaml
+```
+
+Note that unlike an Istio `Gateway`, creating a Kubernetes `Gateway` resource will, by default, also [deploy an associated controller](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment).
+
+Set the INGRESS_HOST environment variables to the address of the helloworld gateway:
+
+```bash
+kubectl wait --for=condition=ready gtw helloworld-gateway
+export INGRESS_HOST=$(kubectl get gtw helloworld-gateway -o jsonpath='{.status.addresses[*].value}')
+```
+
+Confirm the sample is running using curl:
+
+```bash
+for run in {1..10}; do curl http://$INGRESS_HOST/hello; done
+```
+
+Since no version routing has been configured, you should see an equal split of traffic, about half handled by helloworld-v1 and the other half handled by helloworld-v2.
+
+## Configure weight-based routing
+
+Declare the helloworld versions (Gateway API requires backend service definitions, unlike the Istio API which uses DestinationRule subsets for this):
+
+```bash
+kubectl apply -f ./helloworld-versions.yaml
+```
+
+Apply the following route rule to distribute the helloworld traffic 90% to v1, 10% to v2:
+
+```bash
+kubectl apply -f ./helloworld-route.yaml
+```
+
+Run the previous curl commands again:
+
+```bash
+for run in {1..10}; do curl http://$INGRESS_HOST/hello; done
+```
+
+Now you should see about 9 out of 10 requests handled by helloworld-v1 and only about 1 in 10 handled by helloworld-v2.
+
+## Cleanup
+
+```bash
+kubectl delete -f ./helloworld-gateway.yaml
+kubectl delete -f ./helloworld-versions.yaml
+kubectl delete -f ../helloworld.yaml
+```
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml
new file mode 100644
index 000000000..c4c8a8a63
--- /dev/null
+++ b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml
@@ -0,0 +1,29 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: helloworld
+spec:
+ parentRefs:
+ - name: helloworld-gateway
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /hello
+ backendRefs:
+ - name: helloworld
+ port: 5000
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml
new file mode 100644
index 000000000..1e316f958
--- /dev/null
+++ b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml
@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: helloworld
+spec:
+ parentRefs:
+ - name: helloworld-gateway
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /hello
+ backendRefs:
+ - name: helloworld-v1
+ port: 5000
+ weight: 90
+ - name: helloworld-v2
+ port: 5000
+ weight: 10
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml
new file mode 100644
index 000000000..fc218515b
--- /dev/null
+++ b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld-v1
+spec:
+ ports:
+ - port: 5000
+ name: http
+ selector:
+ app: helloworld
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld-v2
+spec:
+ ports:
+ - port: 5000
+ name: http
+ selector:
+ app: helloworld
+ version: v2
diff --git a/istio-1.18.2/samples/helloworld/gen-helloworld.sh b/istio-1.18.2/samples/helloworld/gen-helloworld.sh
new file mode 100755
index 000000000..8634ddc7b
--- /dev/null
+++ b/istio-1.18.2/samples/helloworld/gen-helloworld.sh
@@ -0,0 +1,131 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +display_usage() { + echo + echo "USAGE: ./gen-helloworld.sh [--version] [--includeService value] [--includeDeployment value]" + echo " -h|--help: Prints usage information" + echo " --version: Specifies the version that will be returned by the helloworld service, default: 'v1'" + echo " --includeService: If 'true' the service will be included in the YAML, default: 'true'" + echo " --includeDeployment: If 'true' the deployment will be included in the YAML, default: 'true'" +} + +INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"} +INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"} +SERVICE_VERSION=${SERVICE_VERSION:-"v1"} +while (( "$#" )); do + case "$1" in + -h|--help) + display_usage + exit 0 + ;; + + --version) + SERVICE_VERSION=$2 + shift 2 + ;; + + --includeService) + INCLUDE_SERVICE=$2 + shift 2 + ;; + + --includeDeployment) + INCLUDE_DEPLOYMENT=$2 + shift 2 + ;; + + *) + echo "Error: Unsupported flag $1" >&2 + display_usage + exit 1 + ;; + esac +done + +SERVICE_YAML=$(cat </dev/null || true) +if [[ "${ENVOS}" != "Linux" ]]; then + echo "Your system is not supported by this script. 
Only Linux is supported" + exit 1 +fi + +# Check prerequisites +REQUISITES=("kubectl" "kind" "docker") +for item in "${REQUISITES[@]}"; do + if [[ -z $(which "${item}") ]]; then + echo "${item} cannot be found on your system, please install ${item}" + exit 1 + fi +done + +# Function to print the usage message +function printHelp() { + echo "Usage: " + echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-space 255" + echo "" + echo "Where:" + echo " -n|--cluster-name - name of the k8s cluster to be created" + echo " -r|--k8s-release - the release of the k8s to setup, latest available if not given" + echo " -s|--ip-space - the 2rd to the last part for public ip addresses, 255 if not given, valid range: 0-255" + echo " -i|--ip-family - ip family to be supported, default is ipv4 only. Value should be ipv4, ipv6, or dual" + echo " -h|--help - print the usage of this script" +} + +# Setup default values +CLUSTERNAME="cluster1" +K8SRELEASE="" +IPSPACE=255 +IPFAMILY="ipv4" + +# Handling parameters +while [[ $# -gt 0 ]]; do + optkey="$1" + case $optkey in + -h|--help) + printHelp; exit 0;; + -n|--cluster-name) + CLUSTERNAME="$2"; shift 2;; + -r|--k8s-release) + K8SRELEASE="--image=kindest/node:v$2"; shift 2;; + -s|--ip-space) + IPSPACE="$2"; shift 2;; + -i|--ip-family) + IPFAMILY="${2,,}";shift 2;; + -m|--mode) + MODE="$2"; shift 2;; + *) # unknown option + echo "parameter $1 is not supported"; printHelp; exit 1;; + esac +done + +# This block is to setup kind to have a local image repo to push +# images using localhost:5000, to use this feature, start up +# a registry container such as gcr.io/istio-testing/registry, then +# connect it to the docker network where kind nodes are running on +# which normally will be called kind +FEATURES=$(cat << EOF +featureGates: + MixedProtocolLBService: true + GRPCContainerProbe: true +kubeadmConfigPatches: + - | + apiVersion: kubeadm.k8s.io/v1beta2 + kind: ClusterConfiguration + metadata: + name: config + etcd: + local: + # Run 
etcd in a tmpfs (in RAM) for performance improvements + dataDir: /tmp/kind-cluster-etcd + # We run single node, drop leader election to reduce overhead + controllerManagerExtraArgs: + leader-elect: "false" + schedulerExtraArgs: + leader-elect: "false" + apiServer: + extraArgs: + "service-account-issuer": "kubernetes.default.svc" + "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" +containerdConfigPatches: + - |- + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] + endpoint = ["http://kind-registry:5000"] +EOF +) + +validIPFamilies=("ipv4" "ipv6" "dual") +# Validate if the ip family value is correct. +isValid="false" +for family in "${validIPFamilies[@]}"; do + if [[ "$family" == "${IPFAMILY}" ]]; then + isValid="true" + break + fi +done + +if [[ "${isValid}" == "false" ]]; then + echo "${IPFAMILY} is not valid ip family, valid values are ipv4, ipv6 or dual" + exit 1 +fi + +if [[ "${MODE}" == "ambient" ]]; then +NODES=$(cat << EOF +nodes: +- role: control-plane +- role: worker +- role: worker +EOF +) +else +NODES=$(cat << EOF +nodes: +- role: control-plane +EOF +) +fi + + +# Create k8s cluster using the giving release and name +if [[ -z "${K8SRELEASE}" ]]; then + cat << EOF | kind create cluster --config - +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +${FEATURES} +name: ${CLUSTERNAME} +${NODES} +networking: + ipFamily: ${IPFAMILY} +EOF +else + cat << EOF | kind create cluster "${K8SRELEASE}" --config - +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +${FEATURES} +name: ${CLUSTERNAME} +${NODES} +networking: + ipFamily: ${IPFAMILY} +EOF +fi + +# Setup cluster context +kubectl cluster-info --context "kind-${CLUSTERNAME}" + +# Setup metallb using v0.13.6 +kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.6/config/manifests/metallb-native.yaml + +addrName="IPAddress" +ipv4Prefix="" +ipv6Prefix="" + +# Get both ipv4 and ipv6 gateway for the cluster +gatewaystr=$(docker network inspect -f '{{range 
.IPAM.Config }}{{ .Gateway }} {{end}}' kind | cut -f1,2) +read -r -a gateways <<< "${gatewaystr}" +for gateway in "${gateways[@]}"; do + if [[ "$gateway" == *"."* ]]; then + ipv4Prefix=$(echo "${gateway}" |cut -d'.' -f1,2) + else + ipv6Prefix=$(echo "${gateway}" |cut -d':' -f1,2,3,4) + fi +done + +if [[ "${IPFAMILY}" == "ipv4" ]]; then + addrName="IPAddress" + ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240" + ipv6Range="" +elif [[ "${IPFAMILY}" == "ipv6" ]]; then + ipv4Range="" + ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240" + addrName="GlobalIPv6Address" +else + ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240" + ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240" +fi + +# utility function to wait for pods to be ready +function waitForPods() { + ns=$1 + lb=$2 + waittime=$3 + # Wait for the pods to be ready in the given namespace with lable + while : ; do + res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \ + -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true) + if [[ "${res}" == *"condition met"* ]]; then + break + fi + echo "Waiting for pods in namespace ${ns} with label ${lb} to be ready..." + sleep "${waittime}" + done +} + +waitForPods metallb-system app=metallb 10 + +# Now configure the loadbalancer public IP range +cat <&2 + exit 1 + ;; + esac +done + + +# single-cluster installations may need this gateway to allow VMs to get discovery +# for non-single cluster, we add additional topology information +SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}" +if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then + if [[ -z "${NETWORK:-}" ]]; then + echo "Must specify either --single-cluster or --network." 
+ exit 1 + fi +fi + +# base +IOP=$(cat < apply -f ../otel.yaml +``` + +In this example, we use `otel-collector` as the namespace to deploy the `otel-collector` backend: + +```ba +kubectl -n otel-collector apply -f ../otel.yaml +``` + +The otel-collector will create a grpc receiver on port `4317`, and later the sidecars will report trace information to this grpc port. You can find more details from [here](https://github.com/open-telemetry/opentelemetry-collector). + +Below is the configuration: + +```yaml +receivers: + otlp: + protocols: + grpc: + http: +processors: + batch: +exporters: + logging: + loglevel: debug +service: + pipelines: + logs: + receivers: [otlp] + processors: [batch] + exporters: [logging] +``` + +In this example, `Jaeger` is the exporter for gathering the traces. Assuming you have already deployed Jaeger as your tracing system with [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation, you are good to go to the next steps. If you already have your own `Jaeger` deployed, you may need to modify the otel collector config. The configmap name is `opentelemetry-collector-conf` in the namespace you deployed the otel collector, and the related config is defined as: + +```yaml +exporters: + jaeger: + endpoint: jaeger-collector.istio-system.svc.cluster.local:14250 + tls: + insecure: true + sending_queue: + enabled: true + retry_on_failure: + enabled: true +service: + pipelines: + traces: + exporters: + - jaeger +``` + +You need to modify the jaeger exporter endpoint with the one you deployed, in this case it's `jaeger-collector.istio-system.svc.cluster.local:14250`. + +If you have not deployed the `Jaeger` service, you can follow [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation to install the service. + +You may also choose any existing tracing system if you have, and you should change the exporter settings in the configmap mentioned above. 
+ +You may also choose to use your own otel collector if you have, and the key part is to have the `otlp` grpc protocol receiver to receive the traces. One important thing is to make sure your otel collector service's grpc port starts with `grpc-` prefix, which is like: + +```ya +spec: + ports: + - name: grpc-otlp + port: 4317 + protocol: TCP + targetPort: 4317 +``` + +Otherwise the traces may not be reported. + +## Update mesh config + +Install or update Istio with the `demo` profile to make sure you have the OpenTelemetry tracing provider enabled: + +```bash +istioctl install --set profile=demo -y +``` + +Or ensure you have the following additional mesh config set in your Istio: + +```yaml +mesh: |- + extensionProviders: + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.otel-collector.svc.cluster.local +``` + +Make sure the service name matches the one you deployed if you select a different namespace. + +## Apply the Telemetry resource to report traces + +Next, add a Telemetry resource that tells Istio to send trace records to the OpenTelemetry collector. + +```yaml +kubectl -n otel-collector apply -f ./telemetry.yaml +``` + +The core config is: + +```yaml +tracing: +- providers: + - name: otel-tracing + randomSamplingPercentage: 0 +``` + +As you see, the `randomSamplingPercentage` is 0, which means the tracing is still not enabled because of `0` sampling percentage. The tracing can be opt-on by increasing the `randomSamplingPercentage` value to `1-100`. The `Telemetry` resource can also be manipulated in workload/namespace/global levels, you can check [here](https://istio.io/latest/docs/reference/config/telemetry/) for more config examples. + +## Check tracing results + +If you have followed [this](https://istio.io/latest/docs/setup/getting-started/) getting started steps, you have the sample bookinfo applications installed. Try to make some requests to the productpage to generate some traces. 
+ +Then open up the `Jaeger` dashboard with: + +```bash +istioctl dashboard jaeger +``` + +You will see the requests' trace records. + +## Cleanup + +```bash +kubectl -n otel-collector delete -f ./telemetry.yaml +kubectl -n otel-collector delete -f ../otel.yaml +``` diff --git a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml b/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml new file mode 100644 index 000000000..fd831a2b4 --- /dev/null +++ b/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml @@ -0,0 +1,9 @@ +apiVersion: telemetry.istio.io/v1alpha1 +kind: Telemetry +metadata: + name: otel-demo +spec: + tracing: + - providers: + - name: otel-tracing + randomSamplingPercentage: 0 diff --git a/istio-1.18.2/samples/operator/cni-on.yaml b/istio-1.18.2/samples/operator/cni-on.yaml new file mode 100644 index 000000000..ae850b4d2 --- /dev/null +++ b/istio-1.18.2/samples/operator/cni-on.yaml @@ -0,0 +1,6 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + cni: + enabled: true diff --git a/istio-1.18.2/samples/operator/default-install.yaml b/istio-1.18.2/samples/operator/default-install.yaml new file mode 100644 index 000000000..65a4d9b66 --- /dev/null +++ b/istio-1.18.2/samples/operator/default-install.yaml @@ -0,0 +1,8 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system + name: istio-operator +spec: + profile: default + diff --git a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml b/istio-1.18.2/samples/operator/pilot-advanced-override.yaml new file mode 100644 index 000000000..4b57fd846 --- /dev/null +++ b/istio-1.18.2/samples/operator/pilot-advanced-override.yaml 
@@ -0,0 +1,19 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ pilot:
+ k8s:
+ overlays:
+ - kind: Deployment
+ name: istiod
+ patches:
+ - path: spec.template.spec.containers.[name:discovery].args.[30m]
+ value: "60m" # OVERRIDDEN
+ - path: spec.template.spec.containers.[name:discovery].ports.[containerPort:8080].containerPort
+ value: 8090 # OVERRIDDEN
+ - kind: Service
+ name: istiod
+ patches:
+ - path: spec.ports.[name:grpc-xds].port
+ value: 15099 # OVERRIDDEN
diff --git a/istio-1.18.2/samples/operator/pilot-k8s.yaml b/istio-1.18.2/samples/operator/pilot-k8s.yaml
new file mode 100644
index 000000000..081f55ed5
--- /dev/null
+++ b/istio-1.18.2/samples/operator/pilot-k8s.yaml
@@ -0,0 +1,13 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ pilot:
+ k8s:
+ resources:
+ requests:
+ cpu: 1000m # override from default 500m
+ memory: 4096Mi # ... default 2048Mi
+ hpaSpec:
+ maxReplicas: 10 # ... default 5
+ minReplicas: 2 # ... default 1
diff --git a/istio-1.18.2/samples/operator/values-global.yaml b/istio-1.18.2/samples/operator/values-global.yaml
new file mode 100644
index 000000000..8726f27e1
--- /dev/null
+++ b/istio-1.18.2/samples/operator/values-global.yaml
@@ -0,0 +1,7 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ values:
+ global:
+ logging:
+ level: "default:warning" # override from info
diff --git a/istio-1.18.2/samples/operator/values-pilot.yaml b/istio-1.18.2/samples/operator/values-pilot.yaml
new file mode 100644
index 000000000..bca6c2eea
--- /dev/null
+++ b/istio-1.18.2/samples/operator/values-pilot.yaml
@@ -0,0 +1,6 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ values:
+ pilot:
+ traceSampling: 0.1 # override from 1.0
diff --git a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml b/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml
new file mode 100644
index 000000000..cfda9c76a
--- /dev/null
+++ b/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml 
@@ -0,0 +1,151 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Redis service and deployment +# Ratelimit service and deployment + +# Note: a configmap is needed to make the rate limit deployment work properly, for example: +# +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: ratelimit-config +# data: +# config.yaml: | +# domain: echo-ratelimit +# descriptors: +# - key: PATH +# value: "/" +# rate_limit: +# unit: minute +# requests_per_unit: 1 +# - key: PATH +# rate_limit: +# unit: minute +# requests_per_unit: 100 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: redis + labels: + app: redis +spec: + ports: + - name: redis + port: 6379 + selector: + app: redis +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis +spec: + replicas: 1 + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + containers: + - image: redis:alpine + imagePullPolicy: Always + name: redis + ports: + - name: redis + containerPort: 6379 + restartPolicy: Always + serviceAccountName: "" +--- +apiVersion: v1 +kind: Service +metadata: + name: ratelimit + labels: + app: ratelimit +spec: + ports: + - name: http-port + port: 8080 + targetPort: 8080 + protocol: TCP + - name: grpc-port + port: 8081 + targetPort: 
8081 + protocol: TCP + - name: http-debug + port: 6070 + targetPort: 6070 + protocol: TCP + selector: + app: ratelimit +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratelimit +spec: + replicas: 1 + selector: + matchLabels: + app: ratelimit + strategy: + type: Recreate + template: + metadata: + labels: + app: ratelimit + spec: + containers: + - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16 + imagePullPolicy: Always + name: ratelimit + command: ["/bin/ratelimit"] + env: + - name: LOG_LEVEL + value: debug + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: redis:6379 + - name: USE_STATSD + value: "false" + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: HOST + value: "::" + - name: GRPC_HOST + value: "::" + ports: + - containerPort: 8080 + - containerPort: 8081 + - containerPort: 6070 + volumeMounts: + - name: config-volume + mountPath: /data/ratelimit/config + volumes: + - name: config-volume + configMap: + name: ratelimit-config diff --git a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml b/istio-1.18.2/samples/security/psp/sidecar-psp.yaml new file mode 100644 index 000000000..f9612d6b0 --- /dev/null +++ b/istio-1.18.2/samples/security/psp/sidecar-psp.yaml 
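Review bot: `image: redis:alpine` together with `imagePullPolicy: Always` in the redis Deployment is a floating tag, so every pod restart may pull a different image, while the ratelimit container in the same hunk is pinned to `envoyproxy/ratelimit:9d8d70a8`. Pinning redis the same way, for example `image: redis:<version>-alpine@sha256:<digest>` (placeholder values), keeps the sample reproducible and makes image changes reviewable. The ratelimit Service also publishes the `http-debug` port 6070 and the container runs with `LOG_LEVEL` set to `debug`; a short comment such as `# demo settings: debug port and debug logging, not for shared clusters` next to them would help anyone copying the manifest.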
@@ -0,0 +1,46 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-sidecar
+spec:
+ # Allow the istio sidecar injector to work
+ allowedCapabilities:
+ - NET_ADMIN
+ - NET_RAW
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-sidecar-psp
+rules:
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - istio-sidecar
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-psp
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:serviceaccounts
diff --git a/istio-1.18.2/samples/security/spire/README.md b/istio-1.18.2/samples/security/spire/README.md
new file mode 100644
index 000000000..b3e1978ff
--- /dev/null
+++ b/istio-1.18.2/samples/security/spire/README.md
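Review bot: The ClusterRoleBinding at the end of this hunk grants `use` of the `istio-sidecar` PodSecurityPolicy to the whole `system:serviceaccounts` group, and that policy allows `NET_ADMIN`/`NET_RAW`, `RunAsAny` for user and groups, and `volumes: ['*']`, which covers hostPath as well. If the manifest is kept, bind it only to the namespaces or service accounts that need sidecar injection and narrow `volumes` to the types the sidecar uses; at minimum add a header comment such as `# Sample only: lets every service account run as any user with NET_ADMIN/NET_RAW and any volume type`. `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25, and the ClusterRole names the `extensions` API group rather than `policy`, so this probably does not apply on current clusters. The path looks like an unpacked Istio release tree, so leaving `istio-1.18.2/` out of the commit may be the simpler fix.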
@@ -0,0 +1,90 @@ +# Integrating SPIRE as a CA through Envoy's SDS API + +This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information +on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/). + +Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). + +See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration. + +## Deploy the integration + +1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster: + + ```bash + $ kubectl apply -f spire-quickstart.yaml + ``` + +1. Ensure that the deployment is completed before moving to the next step. This can be verified by waiting on the `spire-agent` pod to become ready: + + ```bash + $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent + ``` + +1. Use the configuration profile provided to install Istio (requires istioctl v1.14+): + + ```bash + $ istioctl install -f istio-spire-config.yaml + ``` + +1. Create a ClusterSPIFFEID to create a registration entry for all workloads with the `spiffe.io/spire-managed-identity: true` label: + + ```bash + $ kubectl apply -f clusterspiffeid.yaml + ``` + +1. 
Add the `spiffe.io/spire-managed-identity: true` label to the Ingress-gateway Deployment: + + ```bash + $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}' + ``` + +1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and has the `spiffe.io/spire-managed-identity: true` label. + + If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: + + ```bash + $ kubectl apply -f sleep-spire.yaml + ``` + + Otherwise, manually inject the sidecar before applying: + + ```bash + $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml) + ``` + +1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command: + + ```bash + $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") + $ istioctl pc secret $SLEEP_POD -o json | jq -r \ + '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem + ``` + +1. Inspect the certificate content and verify that SPIRE was the issuer: + + ```bash + $ openssl x509 -in chain.pem -text | grep SPIRE + Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt + ``` + +## Tear down + +1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace: + + ```bash + $ kubectl delete namespace spire + ``` + +1. 
Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition: + + ```bash + $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role + $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding + $ kubectl delete role spire-server-role leader-election-role + $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding + $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook + $ kubectl delete csidriver csi.spiffe.io + $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io + $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io + ``` diff --git a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml b/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml new file mode 100644 index 000000000..bf67989e1 --- /dev/null +++ b/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml @@ -0,0 +1,9 @@ +apiVersion: spire.spiffe.io/v1alpha1 +kind: ClusterSPIFFEID +metadata: + name: example +spec: + spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + spiffe.io/spire-managed-identity: "true" diff --git a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml b/istio-1.18.2/samples/security/spire/istio-spire-config.yaml new file mode 100644 index 000000000..812c65eca --- /dev/null +++ b/istio-1.18.2/samples/security/spire/istio-spire-config.yaml 
@@ -0,0 +1,70 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+spec:
+ profile: default
+ meshConfig:
+ trustDomain: example.org
+ values:
+ global:
+ # This is used to customize the sidecar template
+ sidecarInjectorWebhook:
+ templates:
+ spire: |
+ spec:
+ containers:
+ - name: istio-proxy
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /run/secrets/workload-spiffe-uds
+ readOnly: true
+ volumes:
+ - name: workload-socket
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
+ components:
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: true
+ label:
+ istio: ingressgateway
+ k8s:
+ overlays:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: istio-ingressgateway
+ patches:
+ - path: spec.template.spec.volumes.[name:workload-socket]
+ value:
+ name: workload-socket
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
+ - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
+ value:
+ name: workload-socket
+ mountPath: "/run/secrets/workload-spiffe-uds"
+ readOnly: true
+ - path: spec.template.spec.initContainers
+ value:
+ - name: wait-for-spire-socket
+ image: busybox:1.28
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /run/secrets/workload-spiffe-uds
+ readOnly: true
+ env:
+ - name: CHECK_FILE
+ value: /run/secrets/workload-spiffe-uds/socket
+ command:
+ - sh
+ - "-c"
+ - |-
+ echo `date -Iseconds` Waiting for: ${CHECK_FILE}
+ while [[ ! -e ${CHECK_FILE} ]] ; do
+ echo `date -Iseconds` File does not exist: ${CHECK_FILE}
+ sleep 15
+ done
+ ls -l ${CHECK_FILE}
diff --git a/istio-1.18.2/samples/security/spire/sleep-spire.yaml b/istio-1.18.2/samples/security/spire/sleep-spire.yaml
new file mode 100644
index 000000000..d1e1673f5
--- /dev/null
+++ b/istio-1.18.2/samples/security/spire/sleep-spire.yaml
@@ -0,0 +1,70 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Sleep service +################################################################################################## +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sleep +--- +apiVersion: v1 +kind: Service +metadata: + name: sleep + labels: + app: sleep + service: sleep +spec: + ports: + - port: 80 + name: http + selector: + app: sleep +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sleep +spec: + replicas: 1 + selector: + matchLabels: + app: sleep + template: + metadata: + labels: + app: sleep + spiffe.io/spire-managed-identity: "true" + # Injects custom sidecar template + annotations: + inject.istio.io/templates: "sidecar,spire" + spec: + terminationGracePeriodSeconds: 0 + serviceAccountName: sleep + containers: + - name: sleep + image: curlimages/curl + command: ["/bin/sleep", "infinity"] + imagePullPolicy: IfNotPresent + volumeMounts: + - name: tmp + mountPath: /tmp + securityContext: + runAsUser: 1000 + volumes: + - name: tmp + emptyDir: {} +--- \ No newline at end of file diff --git a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml b/istio-1.18.2/samples/security/spire/spire-quickstart.yaml new file mode 100644 index 000000000..cff84d0d7 --- /dev/null +++ b/istio-1.18.2/samples/security/spire/spire-quickstart.yaml 
@@ -0,0 +1,985 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: spire + +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: "csi.spiffe.io" +spec: + # Only ephemeral, inline volumes are supported. There is no need for a + # controller to provision and attach volumes. + attachRequired: false + + # Request the pod information which the CSI driver uses to verify that an + # ephemeral mount was requested. + podInfoOnMount: true + + # Don't change ownership on the contents of the mount since the Workload API + # Unix Domain Socket is typically open to all (i.e. 0777). + fsGroupPolicy: None + + # Declare support for ephemeral volumes only. + volumeLifecycleModes: + - Ephemeral + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire + +--- +# ConfigMap for spire-agent bootstrapping. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire + +--- +# ClusterRole to allow spire-server to query k8s API server. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role +rules: + # allow TokenReview requests (to verify service account tokens for PSAT + # attestation) +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["get", "create"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-server service account. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- +# Role for the SPIRE server. 
+kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: spire + name: spire-server-role +rules: + # allow "get" access to pods (to resolve selectors for PSAT attestation) +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE + # agent bootstrapping, see the spire-bundle ConfigMap) +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["spire-bundle"] + verbs: ["get", "patch"] + +--- +# RoleBinding granting the spire-server-role to the SPIRE server +# service account. +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-role-binding + namespace: spire +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: Role + name: spire-server-role + apiGroup: rbac.authorization.k8s.io + +--- +# ClusterRules for the SPIRE Controller Manager. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterfederatedtrustdomains/status"] + verbs: ["get", "patch", "update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["spire.spiffe.io"] + resources: 
["clusterspiffeids/finalizers"] + verbs: ["update"] + - apiGroups: ["spire.spiffe.io"] + resources: ["clusterspiffeids/status"] + verbs: ["get", "patch", "update"] + +--- +# Binds manager-role cluster role to spire-server service account. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire + +--- +# Permissions for the SPIRE server to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role + namespace: spire +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- +# Binds leader-election-role to spire-server service account. +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-role-binding + namespace: spire +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire + +--- +# ConfigMap containing the SPIRE server configuration. 
+apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-server + namespace: spire +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "/run/spire/server/data" + log_level = "DEBUG" + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/server/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "demo-cluster" = { + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/server/data/keys.json" + } + } + + Notifier "k8sbundle" { + plugin_data { + namespace = "spire" + } + } + } + + health_checks { + listener_enabled = true + bind_address = "0.0.0.0" + bind_port = "8080" + live_path = "/live" + ready_path = "/ready" + } + +--- +# Configuration for the SPIRE Controller Manager. +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-controller-manager-config + namespace: spire +data: + spire-controller-manager-config.yaml: | + apiVersion: spire.spiffe.io/v1alpha1 + kind: ControllerManagerConfig + metrics: + bindAddress: 127.0.0.1:8082 + healthProbe: + bindAddress: 127.0.0.1:8083 + leaderElection: + leaderElect: true + resourceName: 98c9c988.spiffe.io + resourceNamespace: spire + clusterName: demo-cluster + trustDomain: example.org + ignoreNamespaces: + - kube-system + - kube-public + - spire + - local-path-storage + +--- +# SPIRE Server Deployment. 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: ghcr.io/spiffe/spire-server:1.5.4 + imagePullPolicy: IfNotPresent + args: + - -config + - /run/spire/server/config/server.conf + livenessProbe: + httpGet: + path: /live + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/server/config + readOnly: true + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-controller-manager + image: ghcr.io/spiffe/spire-controller-manager:0.2.3 + imagePullPolicy: IfNotPresent + args: + - "--config=spire-controller-manager-config.yaml" + ports: + - containerPort: 9443 + volumeMounts: + - name: spire-server-socket + mountPath: /spire-server + readOnly: true + - name: spire-controller-manager-config + mountPath: /spire-controller-manager-config.yaml + subPath: spire-controller-manager-config.yaml + volumes: + - name: spire-config + configMap: + name: spire-server + - name: spire-server-socket + emptyDir: {} + - name: spire-controller-manager-config + configMap: + name: spire-controller-manager-config + +--- +# Service definition for SPIRE server defining the gRPC port. +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire +spec: + type: NodePort + ports: + - name: grpc + port: 8081 + targetPort: 8081 + protocol: TCP + selector: + app: spire-server + +--- +# Service definition for SPIRE server bundle endpoint. 
+apiVersion: v1 +kind: Service +metadata: + name: spire-server-bundle-endpoint + namespace: spire +spec: + type: NodePort + ports: + - name: tcp-api + port: 8443 + protocol: TCP + selector: + app: spire-server + +--- +# Service definition for SPIRE controller manager webhook. +apiVersion: v1 +kind: Service +metadata: + name: spire-controller-manager-webhook-service + namespace: spire +spec: + ports: + - name: tcp + port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: spire-server + +--- +# ClusterFederatedTrustDomains CRD. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterfederatedtrustdomains.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterFederatedTrustDomain + listKind: ClusterFederatedTrustDomainList + plural: clusterfederatedtrustdomains + singular: clusterfederatedtrustdomain + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.trustDomain + name: Trust Domain + type: string + - jsonPath: .spec.bundleEndpointURL + name: Endpoint URL + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterFederatedTrustDomainSpec defines the desired state + of ClusterFederatedTrustDomain + properties: + bundleEndpointProfile: + description: BundleEndpointProfile is the profile for the bundle endpoint. + properties: + endpointSPIFFEID: + description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. + It is required for the "https_spiffe" profile. + type: string + type: + description: Type is the type of the bundle endpoint profile. + enum: + - https_spiffe + - https_web + type: string + required: + - type + type: object + bundleEndpointURL: + description: BundleEndpointURL is the URL of the bundle endpoint. + It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). + type: string + trustDomain: + description: TrustDomain is the name of the trust domain to federate + with (e.g. example.org) + pattern: '[a-z0-9._-]{1,255}' + type: string + trustDomainBundle: + description: TrustDomainBundle is the contents of the bundle for the + referenced trust domain. This field is optional when the resource + is created. + type: string + required: + - bundleEndpointProfile + - bundleEndpointURL + - trustDomain + type: object + status: + description: ClusterFederatedTrustDomainStatus defines the observed state + of ClusterFederatedTrustDomain + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# ClusterSPIFFEID CRD. 
+apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterspiffeids.spire.spiffe.io +spec: + group: spire.spiffe.io + names: + kind: ClusterSPIFFEID + listKind: ClusterSPIFFEIDList + plural: clusterspiffeids + singular: clusterspiffeid + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSPIFFEID is the Schema for the clusterspiffeids API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID + properties: + admin: + description: Admin indicates whether or not the SVID can be used to + access the SPIRE administrative APIs. Extra care should be taken + to only apply this SPIFFE ID to admin workloads. + type: boolean + dnsNameTemplates: + description: DNSNameTemplate represents templates for extra DNS names + that are applicable to SVIDs minted for this ClusterSPIFFEID. The + node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. + items: + type: string + type: array + downstream: + description: Downstream indicates that the entry describes a downstream SPIRE server. 
+ type: boolean + federatesWith: + description: FederatesWith is a list of trust domain names that workloads + that obtain this SPIFFE ID will federate with. + items: + type: string + type: array + namespaceSelector: + description: NamespaceSelector selects the namespaces that are targeted + by this CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + podSelector: + description: PodSelector selects the pods that are targeted by this + CRD. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + spiffeIDTemplate: + description: SPIFFEID is the SPIFFE ID template. The node and pod + spec are made available to the template under .NodeSpec, .PodSpec + respectively. + type: string + ttl: + description: TTL indicates an upper-bound time-to-live for SVIDs minted + for this ClusterSPIFFEID. If unset, a default will be chosen. + type: string + workloadSelectorTemplates: + description: WorkloadSelectorTemplates are templates to produce arbitrary + workload selectors that apply to a given workload before it will + receive this SPIFFE ID. The rendered value is interpreted by SPIRE + and are of the form type:value, where the value may, and often does, + contain semicolons, .e.g., k8s:container-image:docker/hello-world + The node and pod spec are made available to the template under .NodeSpec, + .PodSpec respectively. 
+ items: + type: string + type: array + required: + - spiffeIDTemplate + type: object + status: + description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID + properties: + stats: + description: Stats produced by the last entry reconciliation run + properties: + entriesMasked: + description: How many entries were masked by entries for other + ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs + produce an entry for the same pod with the same set of workload + selectors. + type: integer + entriesToSet: + description: How many entries are to be set for this ClusterSPIFFEID. + In nominal conditions, this should reflect the number of pods + selected, but not always if there were problems encountered + rendering an entry for the pod (RenderFailures) or entries are + masked (EntriesMasked). + type: integer + entryFailures: + description: How many entries were unable to be set due to failures + to create or update the entries via the SPIRE Server API. + type: integer + namespacesIgnored: + description: How many (selected) namespaces were ignored (based + on configuration). + type: integer + namespacesSelected: + description: How many namespaces were selected. + type: integer + podEntryRenderFailures: + description: How many failures were encountered rendering an entry + selected pods. This could be due to either a bad template in + the ClusterSPIFFEID or Pod metadata that when applied to the + template did not produce valid entry values. + type: integer + podsSelected: + description: How many pods were selected out of the namespaces. + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# ValidatingWebhookConfiguration for validating ClusterSPIFFEID and +# ClusterFederatedTrustDomain custom resources. 
+apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: spire-controller-manager-webhook +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain + failurePolicy: Fail + name: vclusterfederatedtrustdomain.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterfederatedtrustdomains"] + sideEffects: None + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: spire-controller-manager-webhook-service + namespace: spire + path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid + failurePolicy: Fail + name: vclusterspiffeid.kb.io + rules: + - apiGroups: ["spire.spiffe.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["clusterspiffeids"] + sideEffects: None + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire + +--- +# Required cluster role to allow spire-agent to query k8s API server. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: +- apiGroups: [""] + resources: ["pods","nodes","nodes/proxy"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-agent service account. 
+kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io + +--- +# ConfigMap for the SPIRE agent featuring: +# 1) PSAT node attestation +# 2) K8S Workload Attestation over the secure kubelet port +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/secrets/workload-spiffe-uds/socket" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "demo-cluster" + } + } + + KeyManager "memory" { + plugin_data { + } + } + + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + + # We need to set disable_container_selectors = true if we make holdApplicationUntilProxyStarts = true in istio + # see https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig + # If true, container selectors are not produced. + # This can be used to produce pod selectors when the workload pod is known + # but the workload container is not ready at the time of attestation. + # disable_container_selectors = true + } + } + + WorkloadAttestor "unix" { + plugin_data { + } + } + + } + +--- +# SPIRE Agent DaemonSet. 
+apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire + labels: + app: spire-agent +spec: + selector: + matchLabels: + app: spire-agent + template: + metadata: + namespace: spire + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + containers: + - name: spire-agent + image: ghcr.io/spiffe/spire-agent:1.2.3 + imagePullPolicy: IfNotPresent + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + readOnly: true + - name: spire-agent-socket-dir + mountPath: /run/secrets/workload-spiffe-uds + - name: spire-token + mountPath: /var/run/secrets/tokens + # This is the container which runs the SPIFFE CSI driver. + - name: spiffe-csi-driver + image: ghcr.io/spiffe/spiffe-csi-driver:0.2.0 + imagePullPolicy: IfNotPresent + args: [ + "-workload-api-socket-dir", "/spire-agent-socket", + "-csi-socket-path", "/spiffe-csi/csi.sock", + ] + env: + # The CSI driver needs a unique node ID. The node name can be + # used for this purpose. + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + # The volume containing the SPIRE agent socket. The SPIFFE CSI + # driver will mount this directory into containers. + - mountPath: /spire-agent-socket + name: spire-agent-socket-dir + readOnly: true + # The volume that will contain the CSI driver socket shared + # with the kubelet and the driver registrar. + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The volume containing mount points for containers. + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + securityContext: + privileged: true + # This container runs the CSI Node Driver Registrar which takes care + # of all the little details required to register a CSI driver with + # the kubelet. 
+ - name: node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.4.0 + imagePullPolicy: IfNotPresent + args: [ + "-csi-address", "/spiffe-csi/csi.sock", + "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", + ] + volumeMounts: + # The registrar needs access to the SPIFFE CSI driver socket + - mountPath: /spiffe-csi + name: spiffe-csi-socket-dir + # The registrar needs access to the Kubelet plugin registration + # directory + - name: kubelet-plugin-registration-dir + mountPath: /registration + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server + # This volume is used to share the workload api socket between the + # CSI driver and SPIRE agent + - name: spire-agent-socket-dir + emptyDir: {} + # This volume is where the socket for kubelet->driver communication lives + - name: spiffe-csi-socket-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.spiffe.io + type: DirectoryOrCreate + # This volume is where the SPIFFE CSI driver mounts volumes + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: Directory + # This volume is where the node-driver-registrar registers the plugin + # with kubelet + - name: kubelet-plugin-registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory diff --git a/istio-1.18.2/samples/sleep/README.md b/istio-1.18.2/samples/sleep/README.md new file mode 100644 index 000000000..045df5c50 --- /dev/null +++ b/istio-1.18.2/samples/sleep/README.md 
@@ -0,0 +1,37 @@
+# Simple sleep service
+
+This sample consists of a simple service that does nothing but sleep.
+It's a ubuntu container with curl installed that can be used as a request source for invoking other services
+to experiment with Istio networking.
+
+To use it:
+
+1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/).
+
+1. Start the sleep service:
+
+ If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled:
+
+ ```bash
+ kubectl apply -f sleep.yaml
+ ```
+
+ Otherwise manually inject the sidecars before applying:
+
+ ```bash
+ kubectl apply -f <(istioctl kube-inject -f sleep.yaml)
+ ```
+
+1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/).
+
+ Now you can `kubectl exec` into the sleep service to experiment with Istio networking.
+ For example, the following commands can be used to call the Bookinfo `ratings` service:
+
+ ```bash
+ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
+ kubectl exec -it $SLEEP_POD -c sleep -- curl http://ratings.default.svc.cluster.local:9080/ratings/1
+ {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
+ ```
+
+You can also use the sleep service to test accessing services outside of the mesh.
+See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details.
diff --git a/istio-1.18.2/samples/sleep/notsleep.yaml b/istio-1.18.2/samples/sleep/notsleep.yaml
new file mode 100644
index 000000000..898d4ab47
--- /dev/null
+++ b/istio-1.18.2/samples/sleep/notsleep.yaml
@@ -0,0 +1,78 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Notsleep service - based on the sleep service but has its own identity and affinity rule
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: notsleep
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: notsleep
+ labels:
+ app: notsleep
+ service: notsleep
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: notsleep
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: notsleep
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: notsleep
+ template:
+ metadata:
+ labels:
+ app: notsleep
+ spec:
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - productpage
+ topologyKey: kubernetes.io/hostname
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: notsleep
+ containers:
+ - name: notsleep
+ image: curlimages/curl
+ command: ["/bin/sleep", "3650d"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /etc/sleep/tls
+ name: secret-volume
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: notsleep-secret
+ optional: true
+---
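Review bot: The `notsleep` container uses `image: curlimages/curl` with no tag or digest, and with `imagePullPolicy: IfNotPresent` each node keeps whatever build it happened to pull first, so the workload is neither reproducible nor tied to a reviewed image. The same unpinned reference appears in the sleep-vault.yaml and sleep.yaml hunks of this patch. Pinning all three to a reviewed release, for example `image: curlimages/curl:<TAG>@sha256:<DIGEST>` (placeholders), would close this. The path suggests these are copies of upstream Istio samples, so the pin would have to be reapplied whenever the directory is refreshed.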
diff --git a/istio-1.18.2/samples/sleep/sleep-vault.yaml b/istio-1.18.2/samples/sleep/sleep-vault.yaml
new file mode 100644
index 000000000..b31196cf1
--- /dev/null
+++ b/istio-1.18.2/samples/sleep/sleep-vault.yaml
@@ -0,0 +1,57 @@
+# Copyright 2019 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Sleep service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sleep
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sleep
+ labels:
+ app: sleep
+ service: sleep
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: sleep
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sleep
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sleep
+ template:
+ metadata:
+ labels:
+ app: sleep
+ spec:
+ serviceAccountName: vault-citadel-sa
+ containers:
+ - name: sleep
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+---
diff --git a/istio-1.18.2/samples/sleep/sleep.yaml b/istio-1.18.2/samples/sleep/sleep.yaml
new file mode 100644
index 000000000..570086b93
--- /dev/null
+++ b/istio-1.18.2/samples/sleep/sleep.yaml
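Review bot: The Deployment in sleep-vault.yaml sets `serviceAccountName: vault-citadel-sa`, but the only ServiceAccount this file creates is `sleep`. The pod therefore runs under an identity defined somewhere this manifest does not show, and the `sleep` account is left unused. If that is intended, a comment above the field would make the dependency explicit, e.g. `# vault-citadel-sa must already exist in this namespace; it is not created by this file`. If it is not intended, `serviceAccountName: sleep` would match the sibling sleep.yaml.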
@@ -0,0 +1,66 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Sleep service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sleep
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sleep
+ labels:
+ app: sleep
+ service: sleep
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: sleep
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sleep
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sleep
+ template:
+ metadata:
+ labels:
+ app: sleep
+ spec:
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: sleep
+ containers:
+ - name: sleep
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /etc/sleep/tls
+ name: secret-volume
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: sleep-secret
+ optional: true
+---
diff --git a/istio-1.18.2/samples/tcp-echo/README.md b/istio-1.18.2/samples/tcp-echo/README.md
new file mode 100644
index 000000000..50f2d82aa
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/README.md
@@ -0,0 +1,38 @@
+# TCP Echo Service
+
+This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server
+allows you to connect to it over TCP and echoes back data sent to it along with
+a preconfigured prefix.
+
+## Usage
+
+To run the TCP Echo Service sample:
+
+1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html).
+
+1. Start the `tcp-echo-server` service inside the Istio service mesh:
+
+ ```console
+ $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml)
+ service/tcp-echo created
+ deployment.apps/tcp-echo created
+ ```
+
+1. Test by running the `nc` command from a `busybox` container from within the cluster.
+
+ ```console
+ $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000"
+ hello world
+ pod "dummy" deleted
+ ```
+
+ As you observe, sending _world_ on a TCP connection to the server results in
+ the server prepending _hello_ and echoing back with _hello world_.
+
+1. To clean up, execute the following command:
+
+ ```console
+ $ kubectl delete -f tcp-echo.yaml
+ service "tcp-echo" deleted
+ deployment.apps "tcp-echo" deleted
+ ```
diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
new file mode 100644
index 000000000..11e27be3f
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: tcp-echo
+spec:
+ parentRefs:
+ - name: tcp-echo-gateway
+ sectionName: tcp-31400
+ rules:
+ - backendRefs:
+ - name: tcp-echo-v1
+ port: 9000
+ weight: 80
+ - name: tcp-echo-v2
+ port: 9000
+ weight: 20
diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
new file mode 100644
index 000000000..23965bbc3
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
@@ -0,0 +1,50 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: tcp-echo-gateway
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: tcp-31400
+ protocol: TCP
+ port: 31400
+ allowedRoutes:
+ kinds:
+ - kind: TCPRoute
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo-v1
+spec:
+ ports:
+ - port: 9000
+ name: tcp
+ selector:
+ app: tcp-echo
+ version: v1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo-v2
+spec:
+ ports:
+ - port: 9000
+ name: tcp
+ selector:
+ app: tcp-echo
+ version: v2
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+ name: tcp-echo
+spec:
+ parentRefs:
+ - name: tcp-echo-gateway
+ sectionName: tcp-31400
+ rules:
+ - backendRefs:
+ - name: tcp-echo-v1
+ port: 9000
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml
new file mode 100644
index 000000000..f69ab1156
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml
@@ -0,0 +1,39 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tcp-echo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tcp-echo-gateway
+ tcp:
+ - match:
+ - port: 31400
+ route:
+ - destination:
+ host: tcp-echo
+ port:
+ number: 9000
+ subset: v1
+ weight: 80
+ - destination:
+ host: tcp-echo
+ port:
+ number: 9000
+ subset: v2
+ weight: 20
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml
new file mode 100644
index 000000000..3c302c514
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml
@@ -0,0 +1,61 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: tcp-echo-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 31400
+ name: tcp
+ protocol: TCP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: tcp-echo-destination
+spec:
+ host: tcp-echo
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tcp-echo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tcp-echo-gateway
+ tcp:
+ - match:
+ - port: 31400
+ route:
+ - destination:
+ host: tcp-echo
+ port:
+ number: 9000
+ subset: v1
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml
new file mode 100644
index 000000000..dd72061df
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml
@@ -0,0 +1,62 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies:
+ - IPv6
+ - IPv4
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.2
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml
new file mode 100644
index 000000000..8ac98630c
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml
@@ -0,0 +1,61 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv4
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.2
+ imagePullPolicy: Always
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml
new file mode 100644
index 000000000..02ddd6dec
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml
@@ -0,0 +1,61 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ipFamilyPolicy: SingleStack
+ ipFamilies:
+ - IPv6
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.2
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml
new file mode 100644
index 000000000..7f6457464
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml
@@ -0,0 +1,86 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo-v1
+ labels:
+ app: tcp-echo
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.2
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "one" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo-v2
+ labels:
+ app: tcp-echo
+ version: v2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v2
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v2
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.2
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "two" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml
new file mode 100644
index 000000000..fae951612
--- /dev/null
+++ b/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml
@@ -0,0 +1,58 @@
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################################################################
+# tcp-echo service
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: tcp-echo
+ labels:
+ app: tcp-echo
+ service: tcp-echo
+spec:
+ ports:
+ - name: tcp
+ port: 9000
+ - name: tcp-other
+ port: 9001
+ # Port 9002 is omitted intentionally for testing the pass through filter chain.
+ selector:
+ app: tcp-echo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tcp-echo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tcp-echo
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tcp-echo
+ version: v1
+ spec:
+ containers:
+ - name: tcp-echo
+ image: docker.io/istio/tcp-echo-server:1.2
+ imagePullPolicy: IfNotPresent
+ args: [ "9000,9001,9002", "hello" ]
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
diff --git a/istio-1.18.2/samples/wasm_modules/README.md b/istio-1.18.2/samples/wasm_modules/README.md
new file mode 100644
index 000000000..4a8a8702c
--- /dev/null
+++ b/istio-1.18.2/samples/wasm_modules/README.md
@@ -0,0 +1,3 @@
+# WASM demo
+
+`header_injector` is used for istio e2e tests, more tests can be found [here](https://github.com/istio-ecosystem/wasm-extensions).
diff --git a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile b/istio-1.18.2/samples/wasm_modules/header_injector/Makefile
new file mode 100644
index 000000000..377495d22
--- /dev/null
+++ b/istio-1.18.2/samples/wasm_modules/header_injector/Makefile
@@ -0,0 +1,22 @@
+.PHONY: docker-push docker-build build clean
+
+VERSION_LIST := 1 2
+HUB ?= gcr.io/istio-testing
+IMAGE_PREFIX ?= /wasm
+IMG := $(HUB)$(IMAGE_PREFIX)/header-injector
+
+all: docker-push
+
+build: plugin.cc plugin.h BUILD WORKSPACE
+ rm -f *.wasm
+ $(foreach VERSION, $(VERSION_LIST), bazel build :plugin-0.0.$(VERSION).wasm && cp bazel-bin/plugin-0.0.$(VERSION).wasm .;)
+
+docker-build: build
+ $(foreach VERSION, $(VERSION_LIST), docker buildx build . -t $(IMG):0.0.$(VERSION) --build-arg WASM_BINARY=plugin-0.0.$(VERSION).wasm;)
+
+docker-push: docker-build
+ $(foreach VERSION, $(VERSION_LIST), docker push $(IMG):0.0.$(VERSION);)
+
+clean:
+ rm -rf bazel-*
+ rm -f *.wasm
diff --git a/istio-1.18.2/samples/websockets/README.md b/istio-1.18.2/samples/websockets/README.md
new file mode 100644
index 000000000..26a1f382a
--- /dev/null
+++ b/istio-1.18.2/samples/websockets/README.md
@@ -0,0 +1,48 @@
+# Tornado - Demo Websockets App
+
+This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`.
+The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example).
+
+__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`.
+
+## Prerequisites
+
+Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html).
+
+## Installation
+
+1. First install the application service:
+
+ - With manual sidecar injection:
+
+ ```command
+ kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml)
+ ```
+
+ - With automatic sidecar injection
+
+ ```command
+ kubectl create -f samples/websockets/app.yaml
+ ```
+
+1. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic:
+
+ ```command
+ kubectl create -f samples/websockets/route.yaml
+ ```
+
+## Test
+
+- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)
+
+- Access with your browser
+
+- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established.
+To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing).
+
+## Cleanup
+
+```command
+kubectl delete -f samples/websockets/route.yaml
+kubectl delete -f samples/websockets/app.yaml
+```
diff --git a/istio-1.18.2/samples/websockets/app.yaml b/istio-1.18.2/samples/websockets/app.yaml
new file mode 100644
index 000000000..4f44ea7d7
--- /dev/null
+++ b/istio-1.18.2/samples/websockets/app.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tornado
+ labels:
+ app: tornado
+ service: tornado
+spec:
+ ports:
+ - port: 8888
+ name: http
+ selector:
+ app: tornado
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tornado
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tornado
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: tornado
+ version: v1
+ spec:
+ containers:
+ - name: tornado
+ image: hiroakis/tornado-websocket-example
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8888
+---
diff --git a/istio-1.18.2/samples/websockets/route.yaml b/istio-1.18.2/samples/websockets/route.yaml
new file mode 100644
index 000000000..ef580b2cd
--- /dev/null
+++ b/istio-1.18.2/samples/websockets/route.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: tornado-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tornado
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tornado-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: tornado
+ weight: 100
diff --git a/istio-1.18.2/tools/_istioctl b/istio-1.18.2/tools/_istioctl
new file mode 100644
index 000000000..d1e29f21f
--- /dev/null
+++ b/istio-1.18.2/tools/_istioctl
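Review bot: The Deployment in samples/websockets/app.yaml sets `image: hiroakis/tornado-websocket-example` with no tag or digest, so the reference resolves to whatever `latest` points at in a third-party repository (presumably Docker Hub, since no registry is given) at pull time. Combined with `imagePullPolicy: IfNotPresent`, different nodes can end up running different builds of the same sample. Pinning to a digest, `image: hiroakis/tornado-websocket-example@sha256:<digest-of-reviewed-image>` (placeholder), makes the sample run content that has actually been reviewed. The container spec also carries no `securityContext`; if the image supports it, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would be reasonable defaults for a manifest people copy.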
@@ -0,0 +1,212 @@ +#compdef istioctl +compdef _istioctl istioctl + +# zsh completion for istioctl -*- shell-script -*- + +__istioctl_debug() +{ + local file="$BASH_COMP_DEBUG_FILE" + if [[ -n ${file} ]]; then + echo "$*" >> "${file}" + fi +} + +_istioctl() +{ + local shellCompDirectiveError=1 + local shellCompDirectiveNoSpace=2 + local shellCompDirectiveNoFileComp=4 + local shellCompDirectiveFilterFileExt=8 + local shellCompDirectiveFilterDirs=16 + local shellCompDirectiveKeepOrder=32 + + local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace keepOrder + local -a completions + + __istioctl_debug "\n========= starting completion logic ==========" + __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}" + + # The user could have moved the cursor backwards on the command-line. + # We need to trigger completion from the $CURRENT location, so we need + # to truncate the command-line ($words) up to the $CURRENT location. + # (We cannot use $CURSOR as its value does not work when a command is an alias.) + words=("${=words[1,CURRENT]}") + __istioctl_debug "Truncated words[*]: ${words[*]}," + + lastParam=${words[-1]} + lastChar=${lastParam[-1]} + __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}" + + # For zsh, when completing a flag with an = (e.g., istioctl -n=) + # completions must be prefixed with the flag + setopt local_options BASH_REMATCH + if [[ "${lastParam}" =~ '-.*=' ]]; then + # We are dealing with a flag with an = + flagPrefix="-P ${BASH_REMATCH}" + fi + + # Prepare the command to obtain completions + requestComp="${words[1]} __complete ${words[2,-1]}" + if [ "${lastChar}" = "" ]; then + # If the last parameter is complete (there is a space following it) + # We add an extra empty parameter so we can indicate this to the go completion code. 
+ __istioctl_debug "Adding extra empty parameter" + requestComp="${requestComp} \"\"" + fi + + __istioctl_debug "About to call: eval ${requestComp}" + + # Use eval to handle any environment variables and such + out=$(eval ${requestComp} 2>/dev/null) + __istioctl_debug "completion output: ${out}" + + # Extract the directive integer following a : from the last line + local lastLine + while IFS='\n' read -r line; do + lastLine=${line} + done < <(printf "%s\n" "${out[@]}") + __istioctl_debug "last line: ${lastLine}" + + if [ "${lastLine[1]}" = : ]; then + directive=${lastLine[2,-1]} + # Remove the directive including the : and the newline + local suffix + (( suffix=${#lastLine}+2)) + out=${out[1,-$suffix]} + else + # There is no directive specified. Leave $out as is. + __istioctl_debug "No directive found. Setting do default" + directive=0 + fi + + __istioctl_debug "directive: ${directive}" + __istioctl_debug "completions: ${out}" + __istioctl_debug "flagPrefix: ${flagPrefix}" + + if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then + __istioctl_debug "Completion received error. Ignoring completions." + return + fi + + local activeHelpMarker="_activeHelp_ " + local endIndex=${#activeHelpMarker} + local startIndex=$((${#activeHelpMarker}+1)) + local hasActiveHelp=0 + while IFS='\n' read -r comp; do + # Check if this is an activeHelp statement (i.e., prefixed with $activeHelpMarker) + if [ "${comp[1,$endIndex]}" = "$activeHelpMarker" ];then + __istioctl_debug "ActiveHelp found: $comp" + comp="${comp[$startIndex,-1]}" + if [ -n "$comp" ]; then + compadd -x "${comp}" + __istioctl_debug "ActiveHelp will need delimiter" + hasActiveHelp=1 + fi + + continue + fi + + if [ -n "$comp" ]; then + # If requested, completions are returned with a description. + # The description is preceded by a TAB character. + # For zsh's _describe, we need to use a : instead of a TAB. + # We first need to escape any : as part of the completion itself. 
+ comp=${comp//:/\\:} + + local tab="$(printf '\t')" + comp=${comp//$tab/:} + + __istioctl_debug "Adding completion: ${comp}" + completions+=${comp} + lastComp=$comp + fi + done < <(printf "%s\n" "${out[@]}") + + # Add a delimiter after the activeHelp statements, but only if: + # - there are completions following the activeHelp statements, or + # - file completion will be performed (so there will be choices after the activeHelp) + if [ $hasActiveHelp -eq 1 ]; then + if [ ${#completions} -ne 0 ] || [ $((directive & shellCompDirectiveNoFileComp)) -eq 0 ]; then + __istioctl_debug "Adding activeHelp delimiter" + compadd -x "--" + hasActiveHelp=0 + fi + fi + + if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then + __istioctl_debug "Activating nospace." + noSpace="-S ''" + fi + + if [ $((directive & shellCompDirectiveKeepOrder)) -ne 0 ]; then + __istioctl_debug "Activating keep order." + keepOrder="-V" + fi + + if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then + # File extension filtering + local filteringCmd + filteringCmd='_files' + for filter in ${completions[@]}; do + if [ ${filter[1]} != '*' ]; then + # zsh requires a glob pattern to do file filtering + filter="\*.$filter" + fi + filteringCmd+=" -g $filter" + done + filteringCmd+=" ${flagPrefix}" + + __istioctl_debug "File filtering command: $filteringCmd" + _arguments '*:filename:'"$filteringCmd" + elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then + # File completion for directories only + local subdir + subdir="${completions[1]}" + if [ -n "$subdir" ]; then + __istioctl_debug "Listing directories in $subdir" + pushd "${subdir}" >/dev/null 2>&1 + else + __istioctl_debug "Listing directories in ." + fi + + local result + _arguments '*:dirname:_files -/'" ${flagPrefix}" + result=$? 
+ if [ -n "$subdir" ]; then + popd >/dev/null 2>&1 + fi + return $result + else + __istioctl_debug "Calling _describe" + if eval _describe $keepOrder "completions" completions $flagPrefix $noSpace; then + __istioctl_debug "_describe found some completions" + + # Return the success of having called _describe + return 0 + else + __istioctl_debug "_describe did not find completions." + __istioctl_debug "Checking if we should do file completion." + if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then + __istioctl_debug "deactivating file completion" + + # We must return an error code here to let zsh know that there were no + # completions found by _describe; this is what will trigger other + # matching algorithms to attempt to find completions. + # For example zsh can match letters in the middle of words. + return 1 + else + # Perform file completion + __istioctl_debug "Activating file completion" + + # We must return the result of this command, so it must be the + # last command, or else we must store its result to return it. + _arguments '*:filename:_files'" ${flagPrefix}" + fi + fi + fi +} + +# don't run the completion function when being source-ed or eval-ed +if [ "$funcstack[1]" = "_istioctl" ]; then + _istioctl +fi diff --git a/istio-1.18.2/tools/certs/Makefile.k8s.mk b/istio-1.18.2/tools/certs/Makefile.k8s.mk new file mode 100644 index 000000000..3d2e7fe0f --- /dev/null +++ b/istio-1.18.2/tools/certs/Makefile.k8s.mk 
@@ -0,0 +1,102 @@
+.SUFFIXES: .csr .pem .conf
+.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
+.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
+.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
+
+.DEFAULT_GOAL := help
+
+SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+
+include $(SELF_DIR)common.mk
+
+#------------------------------------------------------------------------
+##help: print this help message
+.PHONY: help
+
+help:
+ @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'
+
+#------------------------------------------------------------------------
+##fetch-root-ca: fetch root CA and key from a k8s cluster.
+.PHONY: fetch-root-ca
+rawcluster := $(shell kubectl config current-context)
+cluster := $(subst /,-,$(rawcluster))
+pwd := $(shell pwd)
+export KUBECONFIG
+
+fetch-root-ca:
+ @echo "fetching root ca from k8s cluster: "$(cluster)""
+ @mkdir -p $(pwd)/$(cluster)
+ @res=$(shell kubectl get secret istio-ca-secret -n $(ISTIO-NAMESPACE) >/dev/null 2>&1; echo $$?)
+ifeq ($(res), 1)
+ @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem
+ @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem
+else
+ @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem
+ @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem
+endif
+
+k8s-root-cert.pem:
+ @cat $(cluster)/k8s-root-cert.pem > $@
+
+k8s-root-key.pem:
+ @cat $(cluster)/k8s-root-key.pem > $@
+#------------------------------------------------------------------------
+##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory
+.PHONY: %-cacerts
+
+%-cacerts: %/cert-chain.pem
+ @echo "done"
+
+%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate certs stored in $(dir $<)"
+ @cp k8s-root-cert.pem $(dir $<)/root-cert.pem
+
+%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem
+ @echo "generating $@"
+ @openssl x509 -req -days $(INTERMEDIATE_DAYS) \
+ -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/intermediate.conf \
+ -in $< -out $@
+
+%/cluster-ca.csr: L=$(dir $@)
+%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
+ @echo "generating $@"
+ @openssl req -new -config $(L)/intermediate.conf -key $< -out $@
+
+%/ca-key.pem: fetch-root-ca
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
+
+#------------------------------------------------------------------------
+##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using root cert from k8s cluster.
+.PHONY: %-certs
+
+%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem
+ @echo "done"
+
+%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate and workload certs stored in $(dir $<)"
+ @cp k8s-root-cert.pem $(dir $@)/root-cert.pem
+
+%/workload-cert.pem: %/workload.csr
+ @echo "generating $@"
+ @openssl x509 -req -days $(WORKLOAD_DAYS) \
+ -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/workload.conf \
+ -in $< -out $@
+
+%/workload.csr: L=$(dir $@)
+%/workload.csr: %/key.pem %/workload.conf
+ @echo "generating $@"
+ @openssl req -new -config $(L)/workload.conf -key $< -out $@
+
+%/key.pem:
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
\ No newline at end of file
diff --git a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk b/istio-1.18.2/tools/certs/Makefile.selfsigned.mk
new file mode 100644
index 000000000..2a87d071f
--- /dev/null
+++ b/istio-1.18.2/tools/certs/Makefile.selfsigned.mk
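Review bot: In the `fetch-root-ca` recipe of Makefile.k8s.mk the probe uses `-n $(ISTIO-NAMESPACE)`, but the variable defined in common.mk is `ISTIO_NAMESPACE`, so the namespace argument expands to nothing and the probe does not test what it is meant to. The `ifeq ($(res), 1)` that follows is a make conditional evaluated when the file is parsed, while `res` is only assigned as a shell variable inside one recipe line, so the `cacerts` branch looks unreachable and the recipe always reads `istio-ca-secret`. If that secret is missing, `base64 -d` still creates an empty `k8s-root-key.pem`, and the failure only surfaces later when the signing targets run. Selecting the secret inside a single shell command, as sketched below, fixes both points; the recipe should also stop when neither secret can be read.

```makefile
fetch-root-ca:
# … unchanged: echo and mkdir lines …
	@if kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) >/dev/null 2>&1; then \
		secret=istio-ca-secret; \
	else \
		secret=cacerts; \
	fi; \
	kubectl get secret $$secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem; \
	kubectl get secret $$secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem
```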
@@ -0,0 +1,98 @@
+.SUFFIXES: .csr .pem .conf
+.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
+.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
+.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
+
+.DEFAULT_GOAL := help
+
+SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+
+include $(SELF_DIR)common.mk
+
+#------------------------------------------------------------------------
+##help: print this help message
+.PHONY: help
+
+help:
+ @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'
+
+#------------------------------------------------------------------------
+##root-ca: generate root CA files (key and certificate) in current directory.
+.PHONY: root-ca
+
+root-ca: root-key.pem root-cert.pem
+
+root-cert.pem: root-cert.csr root-key.pem
+ @echo "generating $@"
+ @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \
+ -extensions req_ext -extfile root-ca.conf \
+ -in $< -out $@
+
+root-cert.csr: root-key.pem root-ca.conf
+ @echo "generating $@"
+ @openssl req -sha256 -new -key $< -config root-ca.conf -out $@
+
+root-key.pem:
+ @echo "generating $@"
+ @openssl genrsa -out $@ 4096
+#------------------------------------------------------------------------
+##-cacerts: generate self signed intermediate certificates for and store them under directory.
+.PHONY: %-cacerts
+
+%-cacerts: %/cert-chain.pem
+ @echo "done"
+
+%/cert-chain.pem: %/ca-cert.pem root-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate inputs stored in $(dir $<)"
+ @cp root-cert.pem $(dir $<)
+
+
+%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem
+ @echo "generating $@"
+ @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \
+ -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/intermediate.conf \
+ -in $< -out $@
+
+%/cluster-ca.csr: L=$(dir $@)
+%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
+ @echo "generating $@"
+ @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@
+
+%/ca-key.pem:
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
+
+#------------------------------------------------------------------------
+##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs.
+.PHONY: %-certs
+
+%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem
+ @echo "done"
+
+%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem
+ @echo "generating $@"
+ @cat $^ > $@
+ @echo "Intermediate and workload certs stored in $(dir $<)"
+ @cp root-cert.pem $(dir $@)/root-cert.pem
+
+
+%/workload-cert.pem: %/workload.csr
+ @echo "generating $@"
+ @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \
+ -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
+ -extensions req_ext -extfile $(dir $<)/workload.conf \
+ -in $< -out $@
+
+%/workload.csr: L=$(dir $@)
+%/workload.csr: %/key.pem %/workload.conf
+ @echo "generating $@"
+ @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@
+
+%/key.pem:
+ @echo "generating $@"
+ @mkdir -p $(dir $@)
+ @openssl genrsa -out $@ 4096
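Review bot: The key targets in Makefile.selfsigned.mk (`root-key.pem`, `%/ca-key.pem`, `%/key.pem`) write unencrypted private keys with `openssl genrsa -out $@ 4096` under whatever umask the caller happens to have, so a root or intermediate CA key can land on disk group- or world-readable. The same applies to the key targets and to `$(cluster)/k8s-root-key.pem` in Makefile.k8s.mk. Setting a restrictive umask in each key recipe closes that, e.g. `@umask 077 && openssl genrsa -out $@ $(ROOTCA_KEYSZ)` for the root key. Using the variable would also give `ROOTCA_KEYSZ` and `INTERMEDIATE_KEYSZ` from common.mk an effect on the key itself, since the visible recipes hard-code `4096` and pass an existing key to `openssl req`.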
diff --git a/istio-1.18.2/tools/certs/README.md b/istio-1.18.2/tools/certs/README.md
new file mode 100644
index 000000000..f197e2a8f
--- /dev/null
+++ b/istio-1.18.2/tools/certs/README.md
@@ -0,0 +1,26 @@
+# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust
+
+The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates:
+- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default
+`kubeconfig` is used for accessing the cluster.
+- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root.
+
+The table below describes the targets supported by both Makefiles.
+
+Make Target | Makefile | Description
+------ | -------- | -----------
+`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate.
+`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`.
+`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name.
+`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory.
+`clean` | Both | Removes any generated root certificates, keys, and intermediate files.
+
+For example:
+
+```bash
+make -f Makefile.selfsigned.mk root-ca
+```
+
+Note that the Makefile generates long-lived intermediate certificates. While this might be
+acceptable for demonstration purposes, a more realistic and secure deployment would use
+short-lived and automatically renewed certificates for the intermediate CAs.
diff --git a/istio-1.18.2/tools/certs/common.mk b/istio-1.18.2/tools/certs/common.mk
new file mode 100644
index 000000000..ba3f90c9d
--- /dev/null
+++ b/istio-1.18.2/tools/certs/common.mk
@@ -0,0 +1,101 @@
+#------------------------------------------------------------------------
+# variables: root CA
+ROOTCA_DAYS ?= 3650
+ROOTCA_KEYSZ ?= 4096
+ROOTCA_ORG ?= Istio
+ROOTCA_CN ?= Root CA
+KUBECONFIG ?= $(HOME)/.kube/config
+ISTIO_NAMESPACE ?= istio-system
+# Additional variables are defined in root-ca.conf target below.
+
+#------------------------------------------------------------------------
+# variables: intermediate CA
+INTERMEDIATE_DAYS ?= 3650
+INTERMEDIATE_KEYSZ ?= 4096
+INTERMEDIATE_ORG ?= Istio
+INTERMEDIATE_CN ?= Intermediate CA
+INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc
+# Additional variables are defined in %/intermediate.conf target below.
+
+#------------------------------------------------------------------------
+# variables: workload certs: eg VM
+WORKLOAD_DAYS ?= 1
+SERVICE_ACCOUNT ?= default
+WORKLOAD_CN ?= Workload
+
+#------------------------------------------------------------------------
+# variables: files to clean
+FILES_TO_CLEAN+=k8s-root-cert.pem \
+ k8s-root-cert.srl \
+ k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem
+#------------------------------------------------------------------------
+# clean
+.PHONY: clean
+
+clean: ## Cleans all the intermediate files and folders previously generated.
+ @rm -f $(FILES_TO_CLEAN)
+
+root-ca.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:true" >> $@
+ @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(ROOTCA_ORG)" >> $@
+ @echo "CN = $(ROOTCA_CN)" >> $@
+
+%/intermediate.conf: L=$(dir $@)
+%/intermediate.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@
+ @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
+ @echo "subjectAltName=@san" >> $@
+ @echo "[ san ]" >> $@
+ @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(INTERMEDIATE_ORG)" >> $@
+ @echo "CN = $(INTERMEDIATE_CN)" >> $@
+ @echo "L = $(L:/=)" >> $@
+
+%/workload.conf: L=$(dir $@)
+%/workload.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:false" >> $@
+ @echo "keyUsage = digitalSignature, keyEncipherment" >> $@
+ @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@
+ @echo "subjectAltName=@san" >> $@
+ @echo "[ san ]" >> $@
+ @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(INTERMEDIATE_ORG)" >> $@
+ @echo "CN = $(WORKLOAD_CN)" >> $@
+ @echo "L = $(L:/=)" >> $@
diff --git a/istio-1.18.2/tools/istioctl.bash b/istio-1.18.2/tools/istioctl.bash
new file mode 100644
index 000000000..6f1e15854
--- /dev/null
+++ b/istio-1.18.2/tools/istioctl.bash
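Review bot: The `clean` target in common.mk runs only `rm -f $(FILES_TO_CLEAN)`, and that list names just the top-level root files. In the two Makefiles shown here nothing adds the per-cluster or per-namespace directories to it, so `ca-key.pem`, `key.pem` and `$(cluster)/k8s-root-key.pem` stay on disk after `make clean`, although the README describes the target as removing generated keys and intermediate files. Either extend the clean step to those directories or make the help text honest, e.g. `clean: ## Removes generated root files only; per-cluster directories and their private keys must be deleted by hand.` Separately, `INTERMEDIATE_DAYS ?= 3650` gives the intermediate CA the same ten-year lifetime as the root; a shorter default would match the README's own caveat about long-lived intermediates.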
@@ -0,0 +1,338 @@ +# bash completion V2 for istioctl -*- shell-script -*- + +__istioctl_debug() +{ + if [[ -n ${BASH_COMP_DEBUG_FILE-} ]]; then + echo "$*" >> "${BASH_COMP_DEBUG_FILE}" + fi +} + +# Macs have bash3 for which the bash-completion package doesn't include +# _init_completion. This is a minimal version of that function. +__istioctl_init_completion() +{ + COMPREPLY=() + _get_comp_words_by_ref "$@" cur prev words cword +} + +# This function calls the istioctl program to obtain the completion +# results and the directive. It fills the 'out' and 'directive' vars. +__istioctl_get_completion_results() { + local requestComp lastParam lastChar args + + # Prepare the command to request completions for the program. + # Calling ${words[0]} instead of directly istioctl allows to handle aliases + args=("${words[@]:1}") + requestComp="${words[0]} __complete ${args[*]}" + + lastParam=${words[$((${#words[@]}-1))]} + lastChar=${lastParam:$((${#lastParam}-1)):1} + __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}" + + if [[ -z ${cur} && ${lastChar} != = ]]; then + # If the last parameter is complete (there is a space following it) + # We add an extra empty parameter so we can indicate this to the go method. 
+ __istioctl_debug "Adding extra empty parameter" + requestComp="${requestComp} ''" + fi + + # When completing a flag with an = (e.g., istioctl -n=) + # bash focuses on the part after the =, so we need to remove + # the flag part from $cur + if [[ ${cur} == -*=* ]]; then + cur="${cur#*=}" + fi + + __istioctl_debug "Calling ${requestComp}" + # Use eval to handle any environment variables and such + out=$(eval "${requestComp}" 2>/dev/null) + + # Extract the directive integer at the very end of the output following a colon (:) + directive=${out##*:} + # Remove the directive + out=${out%:*} + if [[ ${directive} == "${out}" ]]; then + # There is not directive specified + directive=0 + fi + __istioctl_debug "The completion directive is: ${directive}" + __istioctl_debug "The completions are: ${out}" +} + +__istioctl_process_completion_results() { + local shellCompDirectiveError=1 + local shellCompDirectiveNoSpace=2 + local shellCompDirectiveNoFileComp=4 + local shellCompDirectiveFilterFileExt=8 + local shellCompDirectiveFilterDirs=16 + local shellCompDirectiveKeepOrder=32 + + if (((directive & shellCompDirectiveError) != 0)); then + # Error code. No completion. 
+ __istioctl_debug "Received error from custom completion go code" + return + else + if (((directive & shellCompDirectiveNoSpace) != 0)); then + if [[ $(type -t compopt) == builtin ]]; then + __istioctl_debug "Activating no space" + compopt -o nospace + else + __istioctl_debug "No space directive not supported in this version of bash" + fi + fi + if (((directive & shellCompDirectiveKeepOrder) != 0)); then + if [[ $(type -t compopt) == builtin ]]; then + # no sort isn't supported for bash less than < 4.4 + if [[ ${BASH_VERSINFO[0]} -lt 4 || ( ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 4 ) ]]; then + __istioctl_debug "No sort directive not supported in this version of bash" + else + __istioctl_debug "Activating keep order" + compopt -o nosort + fi + else + __istioctl_debug "No sort directive not supported in this version of bash" + fi + fi + if (((directive & shellCompDirectiveNoFileComp) != 0)); then + if [[ $(type -t compopt) == builtin ]]; then + __istioctl_debug "Activating no file completion" + compopt +o default + else + __istioctl_debug "No file completion directive not supported in this version of bash" + fi + fi + fi + + # Separate activeHelp from normal completions + local completions=() + local activeHelp=() + __istioctl_extract_activeHelp + + if (((directive & shellCompDirectiveFilterFileExt) != 0)); then + # File extension filtering + local fullFilter filter filteringCmd + + # Do not use quotes around the $completions variable or else newline + # characters will be kept. 
+ for filter in ${completions[*]}; do + fullFilter+="$filter|" + done + + filteringCmd="_filedir $fullFilter" + __istioctl_debug "File filtering command: $filteringCmd" + $filteringCmd + elif (((directive & shellCompDirectiveFilterDirs) != 0)); then + # File completion for directories only + + local subdir + subdir=${completions[0]} + if [[ -n $subdir ]]; then + __istioctl_debug "Listing directories in $subdir" + pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return + else + __istioctl_debug "Listing directories in ." + _filedir -d + fi + else + __istioctl_handle_completion_types + fi + + __istioctl_handle_special_char "$cur" : + __istioctl_handle_special_char "$cur" = + + # Print the activeHelp statements before we finish + if ((${#activeHelp[*]} != 0)); then + printf "\n"; + printf "%s\n" "${activeHelp[@]}" + printf "\n" + + # The prompt format is only available from bash 4.4. + # We test if it is available before using it. + if (x=${PS1@P}) 2> /dev/null; then + printf "%s" "${PS1@P}${COMP_LINE[@]}" + else + # Can't print the prompt. Just print the + # text the user had typed, it is workable enough. + printf "%s" "${COMP_LINE[@]}" + fi + fi +} + +# Separate activeHelp lines from real completions. +# Fills the $activeHelp and $completions arrays. 
+__istioctl_extract_activeHelp() { + local activeHelpMarker="_activeHelp_ " + local endIndex=${#activeHelpMarker} + + while IFS='' read -r comp; do + if [[ ${comp:0:endIndex} == $activeHelpMarker ]]; then + comp=${comp:endIndex} + __istioctl_debug "ActiveHelp found: $comp" + if [[ -n $comp ]]; then + activeHelp+=("$comp") + fi + else + # Not an activeHelp line but a normal completion + completions+=("$comp") + fi + done <<<"${out}" +} + +__istioctl_handle_completion_types() { + __istioctl_debug "__istioctl_handle_completion_types: COMP_TYPE is $COMP_TYPE" + + case $COMP_TYPE in + 37|42) + # Type: menu-complete/menu-complete-backward and insert-completions + # If the user requested inserting one completion at a time, or all + # completions at once on the command-line we must remove the descriptions. + # https://github.com/spf13/cobra/issues/1508 + local tab=$'\t' comp + while IFS='' read -r comp; do + [[ -z $comp ]] && continue + # Strip any description + comp=${comp%%$tab*} + # Only consider the completions that match + if [[ $comp == "$cur"* ]]; then + COMPREPLY+=("$comp") + fi + done < <(printf "%s\n" "${completions[@]}") + ;; + + *) + # Type: complete (normal completion) + __istioctl_handle_standard_completion_case + ;; + esac +} + +__istioctl_handle_standard_completion_case() { + local tab=$'\t' comp + + # Short circuit to optimize if we don't have descriptions + if [[ "${completions[*]}" != *$tab* ]]; then + IFS=$'\n' read -ra COMPREPLY -d '' < <(compgen -W "${completions[*]}" -- "$cur") + return 0 + fi + + local longest=0 + local compline + # Look for the longest completion so that we can format things nicely + while IFS='' read -r compline; do + [[ -z $compline ]] && continue + # Strip any description before checking the length + comp=${compline%%$tab*} + # Only consider the completions that match + [[ $comp == "$cur"* ]] || continue + COMPREPLY+=("$compline") + if ((${#comp}>longest)); then + longest=${#comp} + fi + done < <(printf "%s\n" 
"${completions[@]}") + + # If there is a single completion left, remove the description text + if ((${#COMPREPLY[*]} == 1)); then + __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}" + comp="${COMPREPLY[0]%%$tab*}" + __istioctl_debug "Removed description from single completion, which is now: ${comp}" + COMPREPLY[0]=$comp + else # Format the descriptions + __istioctl_format_comp_descriptions $longest + fi +} + +__istioctl_handle_special_char() +{ + local comp="$1" + local char=$2 + if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then + local word=${comp%"${comp##*${char}}"} + local idx=${#COMPREPLY[*]} + while ((--idx >= 0)); do + COMPREPLY[idx]=${COMPREPLY[idx]#"$word"} + done + fi +} + +__istioctl_format_comp_descriptions() +{ + local tab=$'\t' + local comp desc maxdesclength + local longest=$1 + + local i ci + for ci in ${!COMPREPLY[*]}; do + comp=${COMPREPLY[ci]} + # Properly format the description string which follows a tab character if there is one + if [[ "$comp" == *$tab* ]]; then + __istioctl_debug "Original comp: $comp" + desc=${comp#*$tab} + comp=${comp%%$tab*} + + # $COLUMNS stores the current shell width. + # Remove an extra 4 because we add 2 spaces and 2 parentheses. + maxdesclength=$(( COLUMNS - longest - 4 )) + + # Make sure we can fit a description of at least 8 characters + # if we are to align the descriptions. 
+ if ((maxdesclength > 8)); then + # Add the proper number of spaces to align the descriptions + for ((i = ${#comp} ; i < longest ; i++)); do + comp+=" " + done + else + # Don't pad the descriptions so we can fit more text after the completion + maxdesclength=$(( COLUMNS - ${#comp} - 4 )) + fi + + # If there is enough space for any description text, + # truncate the descriptions that are too long for the shell width + if ((maxdesclength > 0)); then + if ((${#desc} > maxdesclength)); then + desc=${desc:0:$(( maxdesclength - 1 ))} + desc+="…" + fi + comp+=" ($desc)" + fi + COMPREPLY[ci]=$comp + __istioctl_debug "Final comp: $comp" + fi + done +} + +__start_istioctl() +{ + local cur prev words cword split + + COMPREPLY=() + + # Call _init_completion from the bash-completion package + # to prepare the arguments properly + if declare -F _init_completion >/dev/null 2>&1; then + _init_completion -n =: || return + else + __istioctl_init_completion -n =: || return + fi + + __istioctl_debug + __istioctl_debug "========= starting completion logic ==========" + __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword" + + # The user could have moved the cursor backwards on the command-line. + # We need to trigger completion from the $cword location, so we need + # to truncate the command-line ($words) up to the $cword location. + words=("${words[@]:0:$cword+1}") + __istioctl_debug "Truncated words[*]: ${words[*]}," + + local out directive + __istioctl_get_completion_results + __istioctl_process_completion_results +} + +if [[ $(type -t compopt) = "builtin" ]]; then + complete -o default -F __start_istioctl istioctl +else + complete -o default -o nospace -F __start_istioctl istioctl +fi + +# ex: ts=4 sw=4 et filetype=sh From f88ae6d7d58b9aeb12439cea5c51a4a1742367f4 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Sat, 19 Aug 2023 11:31:39 +0800 Subject: [PATCH 7/9] fix test 
Signed-off-by: huabing zhao --- internal/controller/istio/controller.go | 14 ++++++++------ internal/envoyfilter/controller.go | 11 ++++++----- internal/plugin/redis/outbound.go | 4 ++-- internal/xds/cache_mgr.go | 15 ++++++--------- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/internal/controller/istio/controller.go b/internal/controller/istio/controller.go index cdf9600f5..69b988cb9 100644 --- a/internal/controller/istio/controller.go +++ b/internal/controller/istio/controller.go @@ -27,6 +27,7 @@ import ( istioconfig "istio.io/istio/pkg/config" "istio.io/istio/pkg/config/schema/collection" "istio.io/istio/pkg/config/schema/collections" + "istio.io/istio/pkg/config/schema/gvk" "istio.io/istio/pkg/security" "istio.io/istio/security/pkg/nodeagent/cache" citadel "istio.io/istio/security/pkg/nodeagent/caclient/providers/citadel" @@ -44,7 +45,8 @@ const ( var ( controllerLog = log.RegisterScope("config-controller", "config-controller debugging", 0) // We need serviceentry and virtualservice to generate the envoyfiters - configCollection = collection.NewSchemasBuilder().MustAdd(collections.ServiceEntry). + configCollection = collection.NewSchemasBuilder(). + MustAdd(collections.ServiceEntry). MustAdd(collections.VirtualService). MustAdd(collections.DestinationRule). MustAdd(collections.EnvoyFilter). @@ -149,7 +151,7 @@ func (c *Controller) configInitialRequests() []*discovery.DiscoveryRequest { requests := make([]*discovery.DiscoveryRequest, len(schemas)) for i, schema := range schemas { requests[i] = &discovery.DiscoveryRequest{ - TypeUrl: schema.GroupVersionResource().String(), + TypeUrl: schema.GroupVersionKind().String(), } } return requests 
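Review bot: In configInitialRequests the `TypeUrl` now comes from `schema.GroupVersionKind().String()` instead of `schema.GroupVersionResource().String()`, and nothing at the assignment says which string form the config server expects. This value is the subscription key for every schema in configCollection, so a wrong format would presumably leave the controller with an empty config store rather than a visible error. A short comment above the assignment would pin the contract, for example `// TypeUrl must be the GroupVersionKind string the xDS config server keys its collections by`. The function body starts and ends outside this hunk.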
@@ -167,22 +169,22 @@ func (c *Controller) RegisterEventHandler(handler func(*istioconfig.Config, *ist // * DestinationRule: the Load balancing policy in set in the dr, // httpHeaderName is used to convey the metadata key for generating hash switch curr.GroupVersionKind { - case collections.ServiceEntry.GroupVersionKind(): + case gvk.ServiceEntry: controllerLog.Infof("service entry changed: %s %s", event.String(), curr.Name) if c.shouldHandleServiceEntryChange(&prev, &curr) { handler(&prev, &curr, event) } - case collections.VirtualService.GroupVersionKind(): + case gvk.VirtualService: controllerLog.Infof("virtual service changed: %s %s", event.String(), curr.Name) if c.shouldHandleVirtualServiceChange(&prev, &curr) { handler(&prev, &curr, event) } - case collections.DestinationRule.GroupVersionKind(): + case gvk.DestinationRule: controllerLog.Infof("Destination rules changed: %s %s", event.String(), curr.Name) if c.shouldHandleDestinationRuleChange(&prev, &curr) { handler(&prev, &curr, event) } - case collections.Gateway.GroupVersionKind(): + case gvk.Gateway: controllerLog.Infof("Gateway changed: %s %s", event.String(), curr.Name) if c.shouldHandleGatewayChange(&prev, &curr) { handler(&prev, &curr, event) diff --git a/internal/envoyfilter/controller.go b/internal/envoyfilter/controller.go index f581c79b2..b92d1ff96 100644 --- a/internal/envoyfilter/controller.go +++ b/internal/envoyfilter/controller.go @@ -30,7 +30,7 @@ import ( istiomodel "istio.io/istio/pilot/pkg/model" "istio.io/istio/pkg/config" "istio.io/istio/pkg/config/mesh" - "istio.io/istio/pkg/config/schema/collections" + "istio.io/istio/pkg/config/schema/gvk" "istio.io/pkg/log" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -98,6 +98,7 @@ func (c *Controller) mainLoop(stop <-chan struct{}) { const maxRetries = 3 retries := 0 callback := func() { + controllerLog.Debugf("create envoyfilter") err := c.pushEnvoyFilters2APIServer() if err != nil { controllerLog.Errorf("failed to create envoyFilters: %v", err) @@ -126,6 +127,7 @@ func (c *Controller) mainLoop(stop <-chan struct{}) { func (c *Controller) pushEnvoyFilters2APIServer() error { generatedEnvoyFilters, err := c.generateEnvoyFilters() + controllerLog.Debugf("create envoyfilter: %v", len(generatedEnvoyFilters)) if err != nil { return fmt.Errorf("failed to generate EnvoyFilter: %v", err) } @@ -197,7 +199,7 @@ func (c *Controller) toEnvoyFilterCRD(newEf *model.EnvoyFilterWrapper, func (c *Controller) generateEnvoyFilters() (map[string]*model.EnvoyFilterWrapper, error) { envoyFilters := make(map[string]*model.EnvoyFilterWrapper) - serviceEntries := c.configStore.List(collections.ServiceEntry.GroupVersionKind(), "") + serviceEntries := c.configStore.List(gvk.ServiceEntry, "") for i := range serviceEntries { service, ok := serviceEntries[i].Spec.(*networking.ServiceEntry) @@ -251,7 +253,7 @@ func (c *Controller) generateEnvoyFilters() (map[string]*model.EnvoyFilterWrappe func (c *Controller) generateGatewayEnvoyFilters(envoyFilters map[string]*model.EnvoyFilterWrapper) error { var envoyFilterContexts []*model.EnvoyFilterContext - gateways := c.configStore.List(collections.Gateway.GroupVersionKind(), "") + gateways := c.configStore.List(gvk.Gateway, "") for i := range gateways { gw, ok := gateways[i].Spec.(*networking.Gateway) 
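Review bot: The `Debugf` added in pushEnvoyFilters2APIServer runs before the `err` check, so when generateEnvoyFilters fails it logs a count for a result that is about to be discarded. Moving it below the `if err != nil` block with a distinct message, e.g. `controllerLog.Debugf("generated %d envoyfilters", len(generatedEnvoyFilters))`, keeps the debug trail accurate. The `Debugf` added in the mainLoop callback uses the same "create envoyfilter" prefix, so the two lines are hard to tell apart when reconstructing what the controller pushed to the API server; rewording one of them would help. Both function bodies continue outside their hunks.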
@@ -466,8 +468,7 @@ func envoyFilterMapKey(name, ns string) string { } func (c *Controller) findRelatedVirtualService(service *networking.ServiceEntry) (*model.VirtualServiceWrapper, error) { - virtualServices := c.configStore.List( - collections.VirtualService.GroupVersionKind(), "") + virtualServices := c.configStore.List(gvk.VirtualService, "") for i := range virtualServices { vs, ok := virtualServices[i].Spec.(*networking.VirtualService) diff --git a/internal/plugin/redis/outbound.go b/internal/plugin/redis/outbound.go index e098a6762..b3038b1db 100644 --- a/internal/plugin/redis/outbound.go +++ b/internal/plugin/redis/outbound.go @@ -25,7 +25,7 @@ import ( redis "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/redis_proxy/v3" "google.golang.org/protobuf/types/known/durationpb" networking "istio.io/api/networking/v1alpha3" - "istio.io/istio/pkg/config/schema/collections" + "istio.io/istio/pkg/config/schema/gvk" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" @@ -200,7 +200,7 @@ func (g *Generator) findTargetHostAndRedisService(ctx context.Context, ns string func (g *Generator) hostServices(ns string) (hostServices map[string]*networking.ServiceEntry) { hostServices = map[string]*networking.ServiceEntry{} - entries := g.store.List(collections.ServiceEntry.GroupVersionKind(), ns) + entries := g.store.List(gvk.ServiceEntry, ns) for i := range entries { se := entries[i].Spec.(*networking.ServiceEntry) for _, host := range se.Hosts { diff --git a/internal/xds/cache_mgr.go b/internal/xds/cache_mgr.go index ae6c4eaac..960962806 100644 --- a/internal/xds/cache_mgr.go +++ b/internal/xds/cache_mgr.go 
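Review bot: In hostServices (internal/plugin/redis/outbound.go) the context line `se := entries[i].Spec.(*networking.ServiceEntry)` is a single-value type assertion, which panics if a listed config carries any other Spec type. The other `List(gvk.ServiceEntry, ...)` call sites touched by this patch, such as generateEnvoyFilters and findRelatedServiceEntry, use the two-value form, so this loop should match: `se, ok := entries[i].Spec.(*networking.ServiceEntry)` followed by `if !ok { continue }`. Because this commit changes the key passed to `List`, a guarded assertion also keeps any mismatch between key and stored type from taking the generator down. The function body continues outside the hunk.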
@@ -31,7 +31,7 @@ import ( networking "istio.io/api/networking/v1alpha3" istiomodel "istio.io/istio/pilot/pkg/model" istioconfig "istio.io/istio/pkg/config" - "istio.io/istio/pkg/config/schema/collections" + "istio.io/istio/pkg/config/schema/gvk" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/aeraki-mesh/aeraki/internal/model" @@ -118,8 +118,7 @@ func (c *CacheMgr) updateRouteCache() error { return nil } - serviceEntries := c.configStore.List( - collections.ServiceEntry.GroupVersionKind(), "") + serviceEntries := c.configStore.List(gvk.ServiceEntry, "") routes := c.generateMetaRoutes(serviceEntries) snapshot, err := generateSnapshot(routes) @@ -336,8 +335,7 @@ func (c *CacheMgr) defaultRoute(service *networking.ServiceEntry, port *networki } func (c *CacheMgr) findRelatedServiceEntry(dr *model.DestinationRuleWrapper) (*model.ServiceEntryWrapper, error) { - serviceEntries := c.configStore.List( - collections.ServiceEntry.GroupVersionKind(), "") + serviceEntries := c.configStore.List(gvk.ServiceEntry, "") for i := range serviceEntries { se, ok := serviceEntries[i].Spec.(*networking.ServiceEntry) @@ -377,8 +375,7 @@ func (c *CacheMgr) findRelatedMetaRouter(service *networking.ServiceEntry) (*met func (c *CacheMgr) findRelatedDestinationRule(service *model.ServiceEntryWrapper) (*model.DestinationRuleWrapper, error) { - drs := c.configStore.List( - collections.DestinationRule.GroupVersionKind(), "") + drs := c.configStore.List(gvk.DestinationRule, "") for i := range drs { dr, ok := drs[i].Spec.(*networking.DestinationRule) 
@@ -406,7 +403,7 @@ func (c *CacheMgr) ConfigUpdated(prev, curr *istioconfig.Config, event istiomode func (c *CacheMgr) shouldUpdateCache(config *istioconfig.Config) bool { var serviceEntry *networking.ServiceEntry - if config.GroupVersionKind == collections.ServiceEntry.GroupVersionKind() { + if config.GroupVersionKind == gvk.ServiceEntry { service, ok := config.Spec.(*networking.ServiceEntry) if !ok { xdsLog.Errorf("Failed in getting a service entry: %v", config.Name) @@ -416,7 +413,7 @@ func (c *CacheMgr) shouldUpdateCache(config *istioconfig.Config) bool { } // Cache needs to be updated if dr changed, the hash policy in the dr is used to generate routes - if config.GroupVersionKind == collections.DestinationRule.GroupVersionKind() { + if config.GroupVersionKind == gvk.DestinationRule { dr, ok := config.Spec.(*networking.DestinationRule) if !ok { xdsLog.Errorf("Failed in getting a destination rule: %v", config.Name) From 97c8292e37030d027c54cc2dcfb36e837dca51c8 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Sat, 19 Aug 2023 11:34:25 +0800 Subject: [PATCH 8/9] remove istio-1.18.2 directory 
Signed-off-by: huabing zhao --- .github/workflows/ci.yaml | 1 - istio-1.18.2/LICENSE | 202 - istio-1.18.2/README.md | 117 - istio-1.18.2/manifest.yaml | 33 - istio-1.18.2/manifests/charts/README.md | 136 - .../manifests/charts/UPDATING-CHARTS.md | 67 - istio-1.18.2/manifests/charts/base/Chart.yaml | 14 - istio-1.18.2/manifests/charts/base/README.md | 21 - .../charts/base/crds/crd-all.gen.yaml | 7199 ---------------- .../charts/base/crds/crd-operator.yaml | 48 - .../manifests/charts/base/templates/NOTES.txt | 5 - .../charts/base/templates/clusterrole.yaml | 181 - .../base/templates/clusterrolebinding.yaml | 37 - .../manifests/charts/base/templates/crds.yaml | 4 - .../charts/base/templates/default.yaml | 48 - .../charts/base/templates/endpoints.yaml | 23 - .../base/templates/reader-serviceaccount.yaml | 16 - .../manifests/charts/base/templates/role.yaml | 25 - .../charts/base/templates/rolebinding.yaml | 21 - .../charts/base/templates/serviceaccount.yaml | 19 - .../charts/base/templates/services.yaml | 28 - .../manifests/charts/base/values.yaml | 29 - .../manifests/charts/default/Chart.yaml | 13 - .../default/templates/mutatingwebhook.yaml | 125 - .../default/templates/validatingwebhook.yaml | 47 - .../manifests/charts/default/values.yaml | 27 - .../manifests/charts/gateway/Chart.yaml | 16 - .../manifests/charts/gateway/README.md | 148 - .../charts/gateway/templates/NOTES.txt | 9 - .../charts/gateway/templates/_helpers.tpl | 61 - .../charts/gateway/templates/deployment.yaml | 107 - .../charts/gateway/templates/hpa.yaml | 31 - .../templates/poddisruptionbudget.yaml | 16 - .../charts/gateway/templates/role.yaml | 33 - .../charts/gateway/templates/service.yaml | 50 - .../gateway/templates/serviceaccount.yaml | 13 - .../charts/gateway/values.schema.json | 219 - .../manifests/charts/gateway/values.yaml | 127 - .../charts/gateways/istio-egress/Chart.yaml | 15 - .../charts/gateways/istio-egress/NOTES.txt | 45 - .../istio-egress/templates/_affinity.tpl | 104 - 
.../istio-egress/templates/autoscale.yaml | 60 - .../istio-egress/templates/deployment.yaml | 348 - .../templates/injected-deployment.yaml | 146 - .../templates/poddisruptionbudget.yaml | 23 - .../gateways/istio-egress/templates/role.yaml | 16 - .../istio-egress/templates/rolebindings.yaml | 19 - .../istio-egress/templates/service.yaml | 47 - .../templates/serviceaccount.yaml | 22 - .../charts/gateways/istio-egress/values.yaml | 299 - .../charts/gateways/istio-ingress/Chart.yaml | 16 - .../charts/gateways/istio-ingress/NOTES.txt | 43 - .../istio-ingress/templates/_affinity.tpl | 104 - .../istio-ingress/templates/autoscale.yaml | 60 - .../istio-ingress/templates/deployment.yaml | 348 - .../templates/injected-deployment.yaml | 146 - .../templates/poddisruptionbudget.yaml | 23 - .../istio-ingress/templates/role.yaml | 16 - .../istio-ingress/templates/rolebindings.yaml | 19 - .../istio-ingress/templates/service.yaml | 47 - .../templates/serviceaccount.yaml | 22 - .../charts/gateways/istio-ingress/values.yaml | 319 - .../manifests/charts/install-OpenShift.md | 43 - .../manifests/charts/istio-cni/Chart.yaml | 14 - .../manifests/charts/istio-cni/README.md | 43 - .../charts/istio-cni/templates/NOTES.txt | 5 - .../istio-cni/templates/clusterrole.yaml | 34 - .../templates/clusterrolebinding.yaml | 58 - .../istio-cni/templates/configmap-cni.yaml | 33 - .../charts/istio-cni/templates/daemonset.yaml | 202 - .../istio-cni/templates/resourcequota.yaml | 16 - .../istio-cni/templates/serviceaccount.yaml | 17 - .../manifests/charts/istio-cni/values.yaml | 127 - .../istio-control/istio-discovery/Chart.yaml | 16 - .../istio-control/istio-discovery/README.md | 59 - .../files/gateway-injection-template.yaml | 237 - .../istio-discovery/files/grpc-agent.yaml | 320 - .../istio-discovery/files/grpc-simple.yaml | 65 - .../files/injection-template.yaml | 513 -- .../istio-discovery/files/kube-gateway.yaml | 312 - .../istio-discovery/files/waypoint.yaml | 238 - 
.../istio-discovery/templates/NOTES.txt | 56 - .../istio-discovery/templates/_helpers.tpl | 35 - .../istio-discovery/templates/autoscale.yaml | 59 - .../templates/clusterrole.yaml | 147 - .../templates/clusterrolebinding.yaml | 33 - .../templates/configmap-jwks.yaml | 14 - .../istio-discovery/templates/configmap.yaml | 120 - .../istio-discovery/templates/deployment.yaml | 258 - .../templates/istiod-injector-configmap.yaml | 75 - .../templates/mutatingwebhook.yaml | 152 - .../templates/poddisruptionbudget.yaml | 29 - .../templates/reader-clusterrole.yaml | 55 - .../templates/reader-clusterrolebinding.yaml | 15 - .../templates/revision-tags.yaml | 140 - .../istio-discovery/templates/role.yaml | 30 - .../templates/rolebinding.yaml | 16 - .../istio-discovery/templates/service.yaml | 41 - .../templates/serviceaccount.yaml | 15 - .../templates/telemetryv2_1.16.yaml | 616 -- .../templates/telemetryv2_1.17.yaml | 486 -- .../templates/telemetryv2_1.18.yaml | 486 -- .../validatingwebhookconfiguration.yaml | 58 - .../istio-control/istio-discovery/values.yaml | 485 -- .../charts/istio-operator/Chart.yaml | 15 - .../istio-operator/crds/crd-operator.yaml | 48 - .../istio-operator/templates/clusterrole.yaml | 117 - .../templates/clusterrole_binding.yaml | 13 - .../charts/istio-operator/templates/crds.yaml | 6 - .../istio-operator/templates/deployment.yaml | 81 - .../istio-operator/templates/service.yaml | 16 - .../templates/service_account.yaml | 12 - .../charts/istio-operator/values.yaml | 51 - .../manifests/charts/istiod-remote/Chart.yaml | 15 - .../manifests/charts/istiod-remote/NOTES.txt | 4 - .../files/gateway-injection-template.yaml | 237 - .../files/injection-template.yaml | 513 -- .../istiod-remote/templates/_helpers.tpl | 35 - .../istiod-remote/templates/clusterrole.yaml | 149 - .../templates/clusterrolebinding.yaml | 35 - .../istiod-remote/templates/configmap.yaml | 120 - .../istiod-remote/templates/crd-all.gen.yaml | 7201 ----------------- 
.../istiod-remote/templates/crd-operator.yaml | 50 - .../istiod-remote/templates/default.yaml | 50 - .../istiod-remote/templates/endpoints.yaml | 23 - .../templates/istiod-injector-configmap.yaml | 75 - .../templates/mutatingwebhook.yaml | 152 - .../templates/reader-clusterrole.yaml | 55 - .../templates/reader-clusterrolebinding.yaml | 15 - .../templates/reader-serviceaccount.yaml | 16 - .../charts/istiod-remote/templates/role.yaml | 32 - .../istiod-remote/templates/rolebinding.yaml | 18 - .../templates/serviceaccount.yaml | 17 - .../istiod-remote/templates/services.yaml | 28 - .../templates/telemetryv2_1.16.yaml | 616 -- .../templates/telemetryv2_1.17.yaml | 486 -- .../templates/telemetryv2_1.18.yaml | 486 -- .../validatingwebhookconfiguration.yaml | 60 - .../charts/istiod-remote/values.yaml | 416 - .../manifests/charts/ztunnel/Chart.yaml | 14 - .../manifests/charts/ztunnel/README.md | 36 - .../charts/ztunnel/templates/NOTES.txt | 5 - .../charts/ztunnel/templates/daemonset.yaml | 121 - .../charts/ztunnel/templates/rbac.yaml | 16 - .../manifests/charts/ztunnel/values.yaml | 55 - .../istio_v1alpha1_istiooperator_cr.yaml | 9 - .../user-gateway/ingress-gateway-only.yaml | 8 - istio-1.18.2/manifests/profiles/ambient.yaml | 52 - istio-1.18.2/manifests/profiles/default.yaml | 177 - istio-1.18.2/manifests/profiles/demo.yaml | 85 - istio-1.18.2/manifests/profiles/empty.yaml | 13 - istio-1.18.2/manifests/profiles/external.yaml | 23 - istio-1.18.2/manifests/profiles/minimal.yaml | 8 - .../manifests/profiles/openshift.yaml | 21 - istio-1.18.2/manifests/profiles/preview.yaml | 21 - istio-1.18.2/manifests/profiles/remote.yaml | 24 - istio-1.18.2/samples/README.md | 3 - istio-1.18.2/samples/addons/README.md | 102 - .../addons/extras/prometheus-operator.yaml | 66 - .../samples/addons/extras/prometheus_vm.yaml | 530 -- .../addons/extras/prometheus_vm_tls.yaml | 548 -- .../samples/addons/extras/skywalking.yaml | 133 - .../samples/addons/extras/zipkin.yaml | 61 - 
istio-1.18.2/samples/addons/grafana.yaml | 1129 --- istio-1.18.2/samples/addons/jaeger.yaml | 117 - istio-1.18.2/samples/addons/kiali.yaml | 551 -- istio-1.18.2/samples/addons/loki.yaml | 283 - istio-1.18.2/samples/addons/prometheus.yaml | 531 -- istio-1.18.2/samples/bookinfo/README.md | 100 - .../bookinfo/build_push_update_images.sh | 130 - .../bookinfo/demo-profile-no-gateways.yaml | 12 - .../gateway-api/bookinfo-gateway.yaml | 41 - .../bookinfo/gateway-api/route-all-v1.yaml | 56 - .../gateway-api/route-reviews-50-v3.yaml | 17 - .../gateway-api/route-reviews-90-10.yaml | 17 - .../gateway-api/route-reviews-v1.yaml | 13 - .../gateway-api/route-reviews-v3.yaml | 13 - .../bookinfo/networking/bookinfo-gateway.yaml | 43 - .../networking/certmanager-gateway.yaml | 35 - .../networking/destination-rule-all-mtls.yaml | 74 - .../networking/destination-rule-all.yaml | 62 - .../networking/destination-rule-reviews.yaml | 19 - .../networking/egress-rule-google-apis.yaml | 46 - .../fault-injection-details-v1.yaml | 32 - .../networking/virtual-service-all-v1.yaml | 52 - .../virtual-service-details-v2.yaml | 12 - .../virtual-service-ratings-db.yaml | 26 - .../virtual-service-ratings-mysql-vm.yaml | 26 - .../virtual-service-ratings-mysql.yaml | 26 - .../virtual-service-ratings-test-abort.yaml | 25 - .../virtual-service-ratings-test-delay.yaml | 25 - .../virtual-service-reviews-50-v3.yaml | 17 - .../virtual-service-reviews-80-20.yaml | 17 - .../virtual-service-reviews-90-10.yaml | 17 - .../virtual-service-reviews-jason-v2-v3.yaml | 20 - .../virtual-service-reviews-test-v2.yaml | 20 - .../virtual-service-reviews-v2-v3.yaml | 17 - .../virtual-service-reviews-v3.yaml | 12 - .../samples/bookinfo/platform/kube/README.md | 2 - .../platform/kube/bookinfo-certificate.yaml | 37 - .../bookinfo/platform/kube/bookinfo-db.yaml | 60 - .../platform/kube/bookinfo-details-v2.yaml | 48 - .../platform/kube/bookinfo-details.yaml | 59 - .../platform/kube/bookinfo-ingress.yaml | 63 - 
.../platform/kube/bookinfo-mysql.yaml | 79 - .../bookinfo/platform/kube/bookinfo-psa.yaml | 369 - .../kube/bookinfo-ratings-discovery.yaml | 31 - .../kube/bookinfo-ratings-v2-mysql-vm.yaml | 55 - .../kube/bookinfo-ratings-v2-mysql.yaml | 58 - .../platform/kube/bookinfo-ratings-v2.yaml | 65 - .../platform/kube/bookinfo-ratings.yaml | 59 - .../platform/kube/bookinfo-reviews-v2.yaml | 58 - .../platform/kube/bookinfo-versions.yaml | 72 - .../bookinfo/platform/kube/bookinfo.yaml | 347 - .../samples/bookinfo/platform/kube/cleanup.sh | 85 - .../platform/kube/productpage-nodeport.yaml | 32 - .../policy/productpage_envoy_ratelimit.yaml | 88 - .../samples/bookinfo/src/build-services.sh | 103 - .../bookinfo/src/mongodb/ratings_data.json | 2 - .../samples/bookinfo/src/mongodb/script.sh | 18 - .../bookinfo/src/productpage/requirements.txt | 32 - .../src/productpage/test-requirements.txt | 1 - .../samples/bookinfo/src/ratings/package.json | 11 - istio-1.18.2/samples/bookinfo/swagger.yaml | 248 - istio-1.18.2/samples/certs/README.md | 34 - istio-1.18.2/samples/certs/ca-cert-alt.pem | 31 - istio-1.18.2/samples/certs/ca-cert.pem | 22 - istio-1.18.2/samples/certs/ca-key-alt.pem | 51 - istio-1.18.2/samples/certs/ca-key.pem | 27 - istio-1.18.2/samples/certs/cert-chain-alt.pem | 61 - istio-1.18.2/samples/certs/cert-chain.pem | 22 - .../samples/certs/generate-workload.sh | 111 - .../samples/certs/leaf-workload-bar-cert.pem | 21 - .../samples/certs/leaf-workload-foo-cert.pem | 21 - istio-1.18.2/samples/certs/root-cert-alt.pem | 30 - istio-1.18.2/samples/certs/root-cert.pem | 24 - .../samples/certs/workload-bar-cert.pem | 43 - .../samples/certs/workload-bar-key.pem | 27 - .../samples/certs/workload-bar-root-certs.pem | 46 - .../samples/certs/workload-foo-cert.pem | 43 - .../samples/certs/workload-foo-key.pem | 27 - .../samples/certs/workload-foo-root-certs.pem | 46 - istio-1.18.2/samples/cicd/skaffold/README.md | 45 - .../samples/cicd/skaffold/skaffold.yaml | 145 - 
.../samples/custom-bootstrap/README.md | 52 - .../custom-bootstrap/custom-bootstrap.yaml | 20 - .../samples/custom-bootstrap/example-app.yaml | 30 - istio-1.18.2/samples/extauthz/README.md | 99 - istio-1.18.2/samples/extauthz/ext-authz.yaml | 55 - .../samples/extauthz/local-ext-authz.yaml | 99 - istio-1.18.2/samples/external/README.md | 34 - istio-1.18.2/samples/external/aptget.yaml | 20 - istio-1.18.2/samples/external/github.yaml | 53 - istio-1.18.2/samples/external/pypi.yaml | 44 - istio-1.18.2/samples/grpc-echo/README.md | 7 - istio-1.18.2/samples/grpc-echo/grpc-echo.yaml | 197 - .../health-check/liveness-command.yaml | 58 - .../health-check/liveness-http-same-port.yaml | 40 - istio-1.18.2/samples/helloworld/README.md | 110 - .../samples/helloworld/gateway-api/README.md | 74 - .../gateway-api/helloworld-gateway.yaml | 29 - .../gateway-api/helloworld-route.yaml | 19 - .../gateway-api/helloworld-versions.yaml | 23 - .../samples/helloworld/gen-helloworld.sh | 131 - .../helloworld/helloworld-gateway.yaml | 33 - .../samples/helloworld/helloworld.yaml | 71 - istio-1.18.2/samples/helloworld/loadgen.sh | 17 - .../samples/helloworld/src/build_service.sh | 22 - .../samples/helloworld/src/requirements.txt | 7 - istio-1.18.2/samples/httpbin/README.md | 41 - .../httpbin/gateway-api/httpbin-gateway.yaml | 25 - .../samples/httpbin/httpbin-gateway.yaml | 30 - .../samples/httpbin/httpbin-nodeport.yaml | 55 - .../samples/httpbin/httpbin-vault.yaml | 55 - istio-1.18.2/samples/httpbin/httpbin.yaml | 60 - .../httpbin/sample-client/fortio-deploy.yaml | 49 - .../samples/jwt-server/jwt-server.yaml | 125 - istio-1.18.2/samples/jwt-server/src/Makefile | 19 - istio-1.18.2/samples/kind-lb/README.md | 48 - istio-1.18.2/samples/kind-lb/setupkind.sh | 241 - istio-1.18.2/samples/multicluster/README.md | 47 - .../multicluster/expose-istiod-https.yaml | 76 - .../samples/multicluster/expose-istiod.yaml | 54 - .../samples/multicluster/expose-services.yaml | 16 - 
.../multicluster/gen-eastwest-gateway.sh | 146 - .../samples/open-telemetry/als/README.md | 79 - .../samples/open-telemetry/loki/REAME.md | 99 - .../samples/open-telemetry/loki/iop.yaml | 15 - .../samples/open-telemetry/loki/otel.yaml | 122 - .../open-telemetry/loki/telemetry.yaml | 9 - istio-1.18.2/samples/open-telemetry/otel.yaml | 137 - .../samples/open-telemetry/tracing/README.md | 137 - .../open-telemetry/tracing/telemetry.yaml | 9 - istio-1.18.2/samples/operator/cni-on.yaml | 6 - .../samples/operator/default-install.yaml | 8 - .../operator/pilot-advanced-override.yaml | 19 - istio-1.18.2/samples/operator/pilot-k8s.yaml | 13 - .../samples/operator/values-global.yaml | 7 - .../samples/operator/values-pilot.yaml | 6 - .../samples/ratelimit/rate-limit-service.yaml | 151 - .../samples/security/psp/sidecar-psp.yaml | 46 - istio-1.18.2/samples/security/spire/README.md | 90 - .../security/spire/clusterspiffeid.yaml | 9 - .../security/spire/istio-spire-config.yaml | 70 - .../samples/security/spire/sleep-spire.yaml | 70 - .../security/spire/spire-quickstart.yaml | 985 --- istio-1.18.2/samples/sleep/README.md | 37 - istio-1.18.2/samples/sleep/notsleep.yaml | 78 - istio-1.18.2/samples/sleep/sleep-vault.yaml | 57 - istio-1.18.2/samples/sleep/sleep.yaml | 66 - istio-1.18.2/samples/tcp-echo/README.md | 38 - .../tcp-echo/gateway-api/tcp-echo-20-v2.yaml | 16 - .../tcp-echo/gateway-api/tcp-echo-all-v1.yaml | 50 - .../samples/tcp-echo/tcp-echo-20-v2.yaml | 39 - .../samples/tcp-echo/tcp-echo-all-v1.yaml | 61 - .../samples/tcp-echo/tcp-echo-dual-stack.yaml | 62 - .../samples/tcp-echo/tcp-echo-ipv4.yaml | 61 - .../samples/tcp-echo/tcp-echo-ipv6.yaml | 61 - .../samples/tcp-echo/tcp-echo-services.yaml | 86 - istio-1.18.2/samples/tcp-echo/tcp-echo.yaml | 58 - istio-1.18.2/samples/wasm_modules/README.md | 3 - .../wasm_modules/header_injector/Makefile | 22 - istio-1.18.2/samples/websockets/README.md | 48 - istio-1.18.2/samples/websockets/app.yaml | 37 - 
istio-1.18.2/samples/websockets/route.yaml | 32 - istio-1.18.2/tools/_istioctl | 212 - istio-1.18.2/tools/certs/Makefile.k8s.mk | 102 - .../tools/certs/Makefile.selfsigned.mk | 98 - istio-1.18.2/tools/certs/README.md | 26 - istio-1.18.2/tools/certs/common.mk | 101 - istio-1.18.2/tools/istioctl.bash | 338 - 331 files changed, 43689 deletions(-) delete mode 100644 istio-1.18.2/LICENSE delete mode 100644 istio-1.18.2/README.md delete mode 100644 istio-1.18.2/manifest.yaml delete mode 100644 istio-1.18.2/manifests/charts/README.md delete mode 100644 istio-1.18.2/manifests/charts/UPDATING-CHARTS.md delete mode 100644 istio-1.18.2/manifests/charts/base/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/README.md delete mode 100644 istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/crds.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/default.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/endpoints.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/role.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/templates/services.yaml delete mode 100644 istio-1.18.2/manifests/charts/base/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/default/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml delete mode 
100644 istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml delete mode 100644 istio-1.18.2/manifests/charts/default/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/README.md delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/role.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/service.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateway/values.schema.json delete mode 100644 istio-1.18.2/manifests/charts/gateway/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml delete mode 100644 
istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/install-OpenShift.md delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/README.md delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml delete mode 100644 
istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-cni/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml delete mode 100644 
istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml delete mode 
100644 istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml delete mode 100644 istio-1.18.2/manifests/charts/istio-operator/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml delete mode 100644 
istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml delete mode 100644 istio-1.18.2/manifests/charts/istiod-remote/values.yaml delete mode 100644 istio-1.18.2/manifests/charts/ztunnel/Chart.yaml delete mode 100644 istio-1.18.2/manifests/charts/ztunnel/README.md delete mode 100644 istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt delete mode 100644 istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml delete mode 100644 istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml delete mode 100644 istio-1.18.2/manifests/charts/ztunnel/values.yaml delete mode 100644 istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml delete mode 100644 istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml delete mode 100644 istio-1.18.2/manifests/profiles/ambient.yaml delete mode 100644 istio-1.18.2/manifests/profiles/default.yaml delete mode 100644 istio-1.18.2/manifests/profiles/demo.yaml delete mode 100644 istio-1.18.2/manifests/profiles/empty.yaml delete mode 100644 istio-1.18.2/manifests/profiles/external.yaml delete mode 100644 istio-1.18.2/manifests/profiles/minimal.yaml delete mode 100644 istio-1.18.2/manifests/profiles/openshift.yaml delete mode 100644 istio-1.18.2/manifests/profiles/preview.yaml delete mode 100644 
istio-1.18.2/manifests/profiles/remote.yaml delete mode 100644 istio-1.18.2/samples/README.md delete mode 100644 istio-1.18.2/samples/addons/README.md delete mode 100644 istio-1.18.2/samples/addons/extras/prometheus-operator.yaml delete mode 100644 istio-1.18.2/samples/addons/extras/prometheus_vm.yaml delete mode 100644 istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml delete mode 100644 istio-1.18.2/samples/addons/extras/skywalking.yaml delete mode 100644 istio-1.18.2/samples/addons/extras/zipkin.yaml delete mode 100644 istio-1.18.2/samples/addons/grafana.yaml delete mode 100644 istio-1.18.2/samples/addons/jaeger.yaml delete mode 100644 istio-1.18.2/samples/addons/kiali.yaml delete mode 100644 istio-1.18.2/samples/addons/loki.yaml delete mode 100644 istio-1.18.2/samples/addons/prometheus.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/README.md delete mode 100755 istio-1.18.2/samples/bookinfo/build_push_update_images.sh delete mode 100644 istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml delete mode 100644 
istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/README.md delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml 
delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml delete mode 100755 istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh delete mode 100644 istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml delete mode 100644 istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml delete mode 100755 istio-1.18.2/samples/bookinfo/src/build-services.sh delete mode 100644 istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json delete mode 100644 istio-1.18.2/samples/bookinfo/src/mongodb/script.sh delete mode 100644 istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt delete mode 100644 istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt delete mode 100644 istio-1.18.2/samples/bookinfo/src/ratings/package.json delete mode 100644 istio-1.18.2/samples/bookinfo/swagger.yaml delete mode 100644 istio-1.18.2/samples/certs/README.md delete mode 100644 istio-1.18.2/samples/certs/ca-cert-alt.pem delete mode 100644 istio-1.18.2/samples/certs/ca-cert.pem delete mode 100644 istio-1.18.2/samples/certs/ca-key-alt.pem delete mode 100644 istio-1.18.2/samples/certs/ca-key.pem delete mode 100644 
istio-1.18.2/samples/certs/cert-chain-alt.pem delete mode 100644 istio-1.18.2/samples/certs/cert-chain.pem delete mode 100755 istio-1.18.2/samples/certs/generate-workload.sh delete mode 100644 istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem delete mode 100644 istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem delete mode 100644 istio-1.18.2/samples/certs/root-cert-alt.pem delete mode 100644 istio-1.18.2/samples/certs/root-cert.pem delete mode 100644 istio-1.18.2/samples/certs/workload-bar-cert.pem delete mode 100644 istio-1.18.2/samples/certs/workload-bar-key.pem delete mode 100644 istio-1.18.2/samples/certs/workload-bar-root-certs.pem delete mode 100644 istio-1.18.2/samples/certs/workload-foo-cert.pem delete mode 100644 istio-1.18.2/samples/certs/workload-foo-key.pem delete mode 100644 istio-1.18.2/samples/certs/workload-foo-root-certs.pem delete mode 100644 istio-1.18.2/samples/cicd/skaffold/README.md delete mode 100644 istio-1.18.2/samples/cicd/skaffold/skaffold.yaml delete mode 100644 istio-1.18.2/samples/custom-bootstrap/README.md delete mode 100644 istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml delete mode 100644 istio-1.18.2/samples/custom-bootstrap/example-app.yaml delete mode 100644 istio-1.18.2/samples/extauthz/README.md delete mode 100644 istio-1.18.2/samples/extauthz/ext-authz.yaml delete mode 100644 istio-1.18.2/samples/extauthz/local-ext-authz.yaml delete mode 100644 istio-1.18.2/samples/external/README.md delete mode 100644 istio-1.18.2/samples/external/aptget.yaml delete mode 100644 istio-1.18.2/samples/external/github.yaml delete mode 100644 istio-1.18.2/samples/external/pypi.yaml delete mode 100644 istio-1.18.2/samples/grpc-echo/README.md delete mode 100644 istio-1.18.2/samples/grpc-echo/grpc-echo.yaml delete mode 100644 istio-1.18.2/samples/health-check/liveness-command.yaml delete mode 100644 istio-1.18.2/samples/health-check/liveness-http-same-port.yaml delete mode 100644 istio-1.18.2/samples/helloworld/README.md delete 
mode 100644 istio-1.18.2/samples/helloworld/gateway-api/README.md delete mode 100644 istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml delete mode 100644 istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml delete mode 100644 istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml delete mode 100755 istio-1.18.2/samples/helloworld/gen-helloworld.sh delete mode 100644 istio-1.18.2/samples/helloworld/helloworld-gateway.yaml delete mode 100644 istio-1.18.2/samples/helloworld/helloworld.yaml delete mode 100755 istio-1.18.2/samples/helloworld/loadgen.sh delete mode 100755 istio-1.18.2/samples/helloworld/src/build_service.sh delete mode 100644 istio-1.18.2/samples/helloworld/src/requirements.txt delete mode 100644 istio-1.18.2/samples/httpbin/README.md delete mode 100644 istio-1.18.2/samples/httpbin/gateway-api/httpbin-gateway.yaml delete mode 100644 istio-1.18.2/samples/httpbin/httpbin-gateway.yaml delete mode 100644 istio-1.18.2/samples/httpbin/httpbin-nodeport.yaml delete mode 100644 istio-1.18.2/samples/httpbin/httpbin-vault.yaml delete mode 100644 istio-1.18.2/samples/httpbin/httpbin.yaml delete mode 100644 istio-1.18.2/samples/httpbin/sample-client/fortio-deploy.yaml delete mode 100644 istio-1.18.2/samples/jwt-server/jwt-server.yaml delete mode 100644 istio-1.18.2/samples/jwt-server/src/Makefile delete mode 100644 istio-1.18.2/samples/kind-lb/README.md delete mode 100755 istio-1.18.2/samples/kind-lb/setupkind.sh delete mode 100644 istio-1.18.2/samples/multicluster/README.md delete mode 100644 istio-1.18.2/samples/multicluster/expose-istiod-https.yaml delete mode 100644 istio-1.18.2/samples/multicluster/expose-istiod.yaml delete mode 100644 istio-1.18.2/samples/multicluster/expose-services.yaml delete mode 100755 istio-1.18.2/samples/multicluster/gen-eastwest-gateway.sh delete mode 100644 istio-1.18.2/samples/open-telemetry/als/README.md delete mode 100644 istio-1.18.2/samples/open-telemetry/loki/REAME.md delete mode 
100644 istio-1.18.2/samples/open-telemetry/loki/iop.yaml delete mode 100644 istio-1.18.2/samples/open-telemetry/loki/otel.yaml delete mode 100644 istio-1.18.2/samples/open-telemetry/loki/telemetry.yaml delete mode 100644 istio-1.18.2/samples/open-telemetry/otel.yaml delete mode 100644 istio-1.18.2/samples/open-telemetry/tracing/README.md delete mode 100644 istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml delete mode 100644 istio-1.18.2/samples/operator/cni-on.yaml delete mode 100644 istio-1.18.2/samples/operator/default-install.yaml delete mode 100644 istio-1.18.2/samples/operator/pilot-advanced-override.yaml delete mode 100644 istio-1.18.2/samples/operator/pilot-k8s.yaml delete mode 100644 istio-1.18.2/samples/operator/values-global.yaml delete mode 100644 istio-1.18.2/samples/operator/values-pilot.yaml delete mode 100644 istio-1.18.2/samples/ratelimit/rate-limit-service.yaml delete mode 100644 istio-1.18.2/samples/security/psp/sidecar-psp.yaml delete mode 100644 istio-1.18.2/samples/security/spire/README.md delete mode 100644 istio-1.18.2/samples/security/spire/clusterspiffeid.yaml delete mode 100644 istio-1.18.2/samples/security/spire/istio-spire-config.yaml delete mode 100644 istio-1.18.2/samples/security/spire/sleep-spire.yaml delete mode 100644 istio-1.18.2/samples/security/spire/spire-quickstart.yaml delete mode 100644 istio-1.18.2/samples/sleep/README.md delete mode 100644 istio-1.18.2/samples/sleep/notsleep.yaml delete mode 100644 istio-1.18.2/samples/sleep/sleep-vault.yaml delete mode 100644 istio-1.18.2/samples/sleep/sleep.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/README.md delete mode 100644 istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml delete mode 100644 
istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml delete mode 100644 istio-1.18.2/samples/tcp-echo/tcp-echo.yaml delete mode 100644 istio-1.18.2/samples/wasm_modules/README.md delete mode 100644 istio-1.18.2/samples/wasm_modules/header_injector/Makefile delete mode 100644 istio-1.18.2/samples/websockets/README.md delete mode 100644 istio-1.18.2/samples/websockets/app.yaml delete mode 100644 istio-1.18.2/samples/websockets/route.yaml delete mode 100644 istio-1.18.2/tools/_istioctl delete mode 100644 istio-1.18.2/tools/certs/Makefile.k8s.mk delete mode 100644 istio-1.18.2/tools/certs/Makefile.selfsigned.mk delete mode 100644 istio-1.18.2/tools/certs/README.md delete mode 100644 istio-1.18.2/tools/certs/common.mk delete mode 100644 istio-1.18.2/tools/istioctl.bash
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8c0036400..03b89f6f2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -59,7 +59,6 @@ jobs:
 uses: golangci/golangci-lint-action@v3.7.0
 with:
 args: --timeout=10m --tests="false"
- version: v1.47.0
 style-check:
 name: style-check
 runs-on: ubuntu-latest
diff --git a/istio-1.18.2/LICENSE b/istio-1.18.2/LICENSE
deleted file mode 100644
index bb7b19dec..000000000
--- a/istio-1.18.2/LICENSE
+++ /dev/null
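Review bot: Removing `version: v1.47.0` under `with:` in the ci.yaml hunk leaves golangci-lint unpinned, so the action will presumably resolve its default (latest) linter release at run time. Lint results can then change without any commit in this repository, and a new upstream linter release executes in CI without having been reviewed here. If v1.47.0 was dropped because it no longer works with the upgraded dependencies, replace the pin instead of deleting it: `version: <PINNED_GOLANGCI_LINT_VERSION>`. The `uses: golangci/golangci-lint-action@v3.7.0` context line references a tag; pinning it to a full commit SHA would give the same guarantee for the action code. The job definition starts outside the hunk.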
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2016-2022 Istio Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/istio-1.18.2/README.md b/istio-1.18.2/README.md deleted file mode 100644 index 8955af708..000000000 --- a/istio-1.18.2/README.md +++ /dev/null 
@@ -1,117 +0,0 @@ -# Istio - -[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1395/badge)](https://bestpractices.coreinfrastructure.org/projects/1395) -[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) -[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio) - - - Istio logo - - ---- - -Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes. - -- For in-depth information about how to use Istio, visit [istio.io](https://istio.io) -- To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io) -- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) - -In this README: - -- [Introduction](#introduction) -- [Repositories](#repositories) -- [Issue management](#issue-management) - -In addition, here are some other documents you may wish to read: - -- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project -- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment -- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base -- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base - -You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki). 
- -## Introduction - -[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate -microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies -and aggregate telemetry data. Istio's control plane provides an abstraction -layer over the underlying cluster management platform, such as Kubernetes. - -Istio is composed of these components: - -- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic - between services in the cluster and from a service to external - services. The proxies form a _secure microservice mesh_ providing a rich - set of functions like discovery, rich layer-7 routing, circuit breakers, - policy enforcement and telemetry recording/reporting - functions. - - > Note: The service mesh is not an overlay network. It - > simplifies and enhances how microservices in an application talk to each - > other over the network provided by the underlying platform. - -- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components: - - - **Pilot** - Responsible for configuring the proxies at runtime. - - - **Citadel** - Responsible for certificate issuance and rotation. - - - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio. - -- **Operator** - The component provides user friendly options to operate the Istio service mesh. - -## Repositories - -The Istio project is divided across a few GitHub repositories: - -- [istio/api](https://github.com/istio/api). This repository defines -component-level APIs and common configuration formats for the Istio platform. - -- [istio/community](https://github.com/istio/community). 
This repository contains -information on the Istio community, including the various documents that govern -the Istio open source project. - -- [istio/istio](README.md). This is the main code repository. It hosts Istio's -core components, install artifacts, and sample programs. It includes: - - - [istioctl](istioctl/). This directory contains code for the -[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility. - - - [operator](operator/). This directory contains code for the -[Istio Operator](https://istio.io/latest/docs/setup/install/operator/). - - - [pilot](pilot/). This directory -contains platform-specific code to populate the -[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies -when the application topology changes, as well as translate -[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration. - - - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code, -including Citadel (acting as Certificate Authority), citadel agent, etc. - -- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains -extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of -Envoy filters) that support authentication, authorization, and telemetry collection. - -## Issue management - -We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: - -- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things. -Each issue is ultimately part of an epic. - -- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we -think the issue should get addressed. - -- **Priority**. 
Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of -P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the -milestone cannot be considered achieved if the issue isn't resolved. - ---- - -
- Cloud Native Computing Foundation logo -

Istio is a Cloud Native Computing Foundation project.

-
diff --git a/istio-1.18.2/manifest.yaml b/istio-1.18.2/manifest.yaml deleted file mode 100644 index d8a508160..000000000 --- a/istio-1.18.2/manifest.yaml +++ /dev/null @@ -1,33 +0,0 @@ -architectures: -- linux/amd64 -- linux/arm64 -dashboards: - istio-extension-dashboard: 13277 - istio-mesh-dashboard: 7639 - istio-performance-dashboard: 11829 - istio-service-dashboard: 7636 - istio-workload-dashboard: 7630 - pilot-dashboard: 7645 -dependencies: - api: - sha: 06047cce866f317d90b6ee58386aba7faa63ed9e - client-go: - sha: 2683ac554dc2cf65a0a78dfbe8335e593a207f42 - istio: - sha: 0183f2886bc078e8df4d6bbd21fa452a3a23481d - pkg: - sha: 1015535057be24595b88a2b39555716bb0d82bf6 - proxy: - sha: 3c27a1b0cf381ca854ccc3a2034e88c206928da2 - release-builder: - sha: bcf4277ff6c526761200652122bb4ea2d21f5747 - test-infra: - sha: 776c397ca9590b77c00b19d58f888805f3cb986f - tools: - sha: 60988e44238a79538c9d667a56b15895296f95a3 - ztunnel: - sha: 556e299c60ecba1fc2697810010a6a76c3ae6535 -docker: docker.io/istio -dockerOutput: tar -skipGenerateBillOfMaterials: false -version: 1.18.2 diff --git a/istio-1.18.2/manifests/charts/README.md b/istio-1.18.2/manifests/charts/README.md deleted file mode 100644 index 6575a50c7..000000000 --- a/istio-1.18.2/manifests/charts/README.md +++ /dev/null 
@@ -1,136 +0,0 @@ -# Istio Installer - -Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md) - -Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a -fork of the Istio helm templates, refactored to increase modularity and isolation. - -Goals: -- Improve upgrade experience: users should be able to gradually roll upgrades, with proper -canary deployments for Istio components. It should be possible to deploy a new version while keeping the -stable version in place and gradually migrate apps to the new version. - -- More flexibility: the new installer allows multiple 'environments', allowing applications to select -a set of control plane settings and components. While the entire mesh respects the same APIs and config, -apps may target different 'environments' which contain different instances and variants of Istio. - -- Better security: separate Istio components reside in different namespaces, allowing different teams or -roles to manage different parts of Istio. For example, a security team would maintain the -root CA and policy, a telemetry team may only have access to Prometheus, -and a different team may maintain the control plane components (which are highly security sensitive). - -The install is organized in 'environments' - each environment consists of a set of components -in different namespaces that are configured to work together. Regardless of 'environment', -workloads can talk with each other and obey the Istio configuration resources, but each environment -can use different Istio versions and different configuration defaults. - -`istioctl kube-inject` or the automatic sidecar injector are used to select the environment. -In the case of the sidecar injector, the namespace label `istio-env: ` is used instead -of the conventional `istio-injected: true`. 
The name of the environment is defined as the namespace -where the corresponding control plane components (config, discovery, auto-injection) are running. -In the examples below, by default this is the `istio-control` namespace. Pod annotations can also -be used to select a different 'environment'. - -## Installing - -The new installer is intended to be modular and very explicit about what is installed. It has -far more steps than the Istio installer - but each step is smaller and focused on a specific -feature, and can be performed by different people/teams at different times. - -It is strongly recommended that different namespaces are used, with different service accounts. -In particular access to the security-critical production components (root CA, policy, control) -should be locked down and restricted. The new installer allows multiple instances of -policy/control/telemetry - so testing/staging of new settings and versions can be performed -by a different role than the prod version. - -The intended users of this repo are users running Istio in production who want to select, tune -and understand each binary that gets deployed, and select which combination to use. - -Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in -`istio-system`. The new components will not interfere with existing apps, but can interoperate -and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and -across environments ( for example canary -> prod ) - -Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions -will need to move to the security component. - -## Everything is Optional - -Each component in the new installer is optional. Users can install the component defined in the new installer, -use the equivalent component in `istio-system`, configured with the official installer, or use a different -version or implementation. 
- -For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom -certificate provisioning tool, or use components that are centrally managed and running in a different cluster. - -This is a work in progress - building on top of the multi-cluster installer. - -As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component -in that cluster. Currently the minimum we require is the security provider (node agent or citadel). - -### Install Istio CRDs - -This is the first step of the install. Please do not remove or edit any CRD - config currently requires -all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure -you get all CRDs. CRDs are separated by release and by component type in the CRD directory. - -Istio has strong integration with certmanager. Some operators may want to keep their current certmanager -CRDs in place and not have Istio modify them. In this case, it is necessary to apply CRD files individually. - -```bash -kubectl apply -k github.com/istio/installer/base -``` - -or - -```bash -kubectl apply -f base/files -``` - -### Install Istio-CNI - -This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely -security sensitive. Access to the CNI namespace must be highly restricted. - -**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster -is a GKE cluster. - -```bash -ISTIO_CNI_ARGS= -# TODO: What k8s data can we use for this check for whether GKE? -if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then - ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin" -fi -iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS} -``` - -TODO. It is possible to add Istio-CNI later, and gradually migrate. - -### Install Control plane - -This can run in any cluster. 
A mesh should have at least one cluster should run Pilot or equivalent XDS server, -and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster. - -```bash -iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \ - --set global.istioNamespace=istio-system - -# Second istio-discovery, using master version of istio -TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \ - --set policy.enable=false \ - --set global.istioNamespace=istio-master -``` - -### Gateways - -A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates. - -Since the domain certificates are stored in the gateway namespace, it is recommended to keep each -gateway in a dedicated namespace and restrict access. - -For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace. - -### Additional test templates - -A number of helm test setups are general-purpose and should be installable in any cluster, to confirm -Istio works properly and allow testing the specific install. diff --git a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md b/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md deleted file mode 100644 index 88a89291e..000000000 --- a/istio-1.18.2/manifests/charts/UPDATING-CHARTS.md +++ /dev/null 
@@ -1,67 +0,0 @@ -# Updating charts and values.yaml - -## Acceptable Pull Requests - -Helm charts `values.yaml` represent a complex user facing API that tends to grow uncontrollably over time -due to design choices in Helm. -The underlying Kubernetes resources we configure have 1000s of fields; given enough users and bespoke use cases, -eventually someone will want to customize every one of those fields. -If all fields are exposed in `values.yaml`, we end up with an massive API that is also likely worse than just using the Kubernetes API directly. - -To avoid this, the project attempts to minimize additions to the `values.yaml` API where possible. - -If the change is a dynamic runtime configuration, it probably belongs in the [MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto). -This allows configuration without re-installing or restarting deployments. - -If the change is to a Kubernetes field (such as modifying a Deployment attribute), it will likely need to be install-time configuration. -However, that doesn't necessarily mean a PR to add a value will be accepted. -The `values.yaml` API is intended to maintain a *minimal core set of configuration* that most users will use. -For bespoke use cases, [Helm Chart Customization](https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/#advanced-helm-chart-customization) can be used -to allow arbitrary customizations. - -If the change truly is generally purpose, it is generally preferred to have broader APIs. For example, instead of providing -direct access to each of the complex fields in [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/), just providing -a single `affinity` field that is passed through as-is to the Kubernetes resource. -This provides maximum flexibility with minimal API surface overhead. - -## Making changes - -## Step 1. 
Make changes in charts and values.yaml in `manifests` directory - -Be sure to provide sufficient documentation and example usage in values.yaml. -If the chart has a `values.schema.json`, that should be updated as well. - -## Step 2. Update the istioctl/Operator values - -If you are modifying the `gateway` chart, you can stop here. -All other charts, however, are exposed by `istioctl` and need to follow the steps below. - -The charts in the `manifests` directory are used in istioctl to generate an installation manifest. - -If `values.yaml` is changed, be sure to update corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml) - -## Step 3. Update istioctl schema - -Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to -the schema must be added here, otherwise istioctl users will see errors. -Once the schema file is updated, run: - -```bash -$ make operator-proto -``` - -This will regenerate the Go structs used for schema validation. - -## Step 4. Update the generated manifests - -Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts. -These manifests can be found in [gen-istio.yaml](../charts/istio-control/istio-discovery/files/gen-istio.yaml). -To regenerate the manifests, run: - -```bash -$ make copy-templates update-golden -``` - -## Step 5. Create a PR using outputs from Steps 1 to 4 - -Your PR should pass all the checks if you followed these steps. diff --git a/istio-1.18.2/manifests/charts/base/Chart.yaml b/istio-1.18.2/manifests/charts/base/Chart.yaml deleted file mode 100644 index 8e2b4c5bf..000000000 --- a/istio-1.18.2/manifests/charts/base/Chart.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: v1 -name: base -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio cluster resources and CRDs -keywords: - - istio -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/base/README.md b/istio-1.18.2/manifests/charts/base/README.md deleted file mode 100644 index 68bf667ac..000000000 --- a/istio-1.18.2/manifests/charts/base/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index 7c2948565..000000000 --- a/istio-1.18.2/manifests/charts/base/crds/crd-all.gen.yaml +++ /dev/null 
@@ -1,7199 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - imagePullPolicy: - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: Criteria for selecting traffic by their direction. - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. 
- items: - properties: - number: - type: integer - type: object - type: array - type: object - type: array - phase: - description: Determines where in the filter chain this `WasmPlugin` - is to be injected. - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - nullable: true - type: integer - selector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - type: string - url: - description: URL of a Wasm module or OCI container. - type: string - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - type: string - value: - description: Value for the environment variable. 
- type: string - valueFrom: - enum: - - INLINE - - HOST - type: string - type: object - type: array - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. 
- type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. 
- type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. 
- type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. 
- type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. 
- format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. 
- type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. 
- type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - 
properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. 
- properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. 
- type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. 
- type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. 
- properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. 
- properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. 
- properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. 
- format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. 
- type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. 
- type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. 
- properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. 
- properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. 
- format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. 
- type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. 
See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' 
- items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. 
- properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. 
- type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). 
- properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. 
- type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. 
- properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. 
- properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. 
- type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. 
- items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. 
- items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. 
- enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. 
- items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. 
- items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. 
- enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. 
- properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- diff --git a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml deleted file mode 100644 index 2a80f4186..000000000 --- a/istio-1.18.2/manifests/charts/base/crds/crd-operator.yaml +++ /dev/null 
@@ -1,48 +0,0 @@
-# SYNC WITH manifests/charts/istio-operator/templates
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
- labels:
- release: istio
-spec:
- conversion:
- strategy: None
- group: install.istio.io
- names:
- kind: IstioOperator
- listKind: IstioOperatorList
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- - io
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Istio control plane revision
- jsonPath: .spec.revision
- name: Revision
- type: string
- - description: IOP current state
- jsonPath: .status.status
- name: Status
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- subresources:
- status: {}
- name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
----
diff --git a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt b/istio-1.18.2/manifests/charts/base/templates/NOTES.txt
deleted file mode 100644
index 006450167..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/NOTES.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Istio base successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml
deleted file mode 100644
index e0cbea8fe..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/clusterrole.yaml
+++ /dev/null
@@ -1,181 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and 
routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", 
"delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-{{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] -{{- if or .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", 
"watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} ---- diff --git a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml deleted file mode 100644 index d61729b29..000000000 --- a/istio-1.18.2/manifests/charts/base/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-{{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} ---- diff --git a/istio-1.18.2/manifests/charts/base/templates/crds.yaml b/istio-1.18.2/manifests/charts/base/templates/crds.yaml deleted file mode 100644 index 871ee2a6b..000000000 --- a/istio-1.18.2/manifests/charts/base/templates/crds.yaml +++ /dev/null 
@@ -1,4 +0,0 @@
-{{- if .Values.base.enableCRDTemplates }}
-{{ .Files.Get "crds/crd-all.gen.yaml" }}
-{{ .Files.Get "crds/crd-operator.yaml" }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/default.yaml b/istio-1.18.2/manifests/charts/base/templates/default.yaml
deleted file mode 100644
index f7950de2b..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/default.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if not (eq .Values.defaultRevision "") }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.defaultRevision }}
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- {{- if (eq .Values.defaultRevision "default") }}
- name: istiod
- {{- else }}
- name: istiod-{{ .Values.defaultRevision }}
- {{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml
deleted file mode 100644
index 2675b47a1..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/endpoints.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-# if the remotePilotAddress is an IP addr
-apiVersion: v1
-kind: Endpoints
-metadata:
- {{- if .Values.pilot.enabled }}
- name: istiod-remote
- {{- else }}
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
- - ip: {{ .Values.global.remotePilotAddress }}
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 15017
- name: tcp-webhook
- protocol: TCP
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml
deleted file mode 100644
index d9ce18c27..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/reader-serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
-# Should be used for remote secret creation.
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/role.yaml b/istio-1.18.2/manifests/charts/base/templates/role.yaml
deleted file mode 100644
index ca1a4243f..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/role.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istiod-{{ .Values.global.istioNamespace }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
- verbs: ["create"]
- resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
- resources: ["secrets"]
- # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
- verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml
deleted file mode 100644
index 2b591fb89..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod-{{ .Values.global.istioNamespace }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod-{{ .Values.global.istioNamespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml
deleted file mode 100644
index ec25fd250..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-# DO NOT EDIT!
-# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/base/templates/services.yaml b/istio-1.18.2/manifests/charts/base/templates/services.yaml
deleted file mode 100644
index 2bc55e669..000000000
--- a/istio-1.18.2/manifests/charts/base/templates/services.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if .Values.pilot.enabled }}
- # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
- name: istiod-remote
- {{- else }}
- # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 443
- targetPort: 15017
- name: tcp-webhook
- protocol: TCP
- {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
- type: ExternalName
- externalName: {{ .Values.global.remotePilotAddress }}
- {{- end }}
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/base/values.yaml b/istio-1.18.2/manifests/charts/base/values.yaml
deleted file mode 100644
index 96a74562e..000000000
--- a/istio-1.18.2/manifests/charts/base/values.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-global:
-
- # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- istiod:
- enableAnalysis: false
-
- configValidation: true
- externalIstiod: false
- remotePilotAddress: ""
-
-base:
- # Used for helm2 to add the CRDs to templates.
- enableCRDTemplates: false
-
- # Validation webhook configuration url
- # For example: https://$remotePilotAddress:15017/validate
- validationURL: ""
-
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
-
-defaultRevision: "default"
diff --git a/istio-1.18.2/manifests/charts/default/Chart.yaml b/istio-1.18.2/manifests/charts/default/Chart.yaml
deleted file mode 100644
index 90ddf7568..000000000
--- a/istio-1.18.2/manifests/charts/default/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: istio-default
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.0.0
-appVersion: 1.0.0
-description: Helm chart for istio default revision components.
-keywords:
- - istio
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml
deleted file mode 100644
index 5fa635ebd..000000000
--- a/istio-1.18.2/manifests/charts/default/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,125 +0,0 @@
-# Adapted from istio-discovery/templates/mutatingwebhook.yaml
-# Removed paths for legacy and default selectors since a revision tag
-# is inherently created from a specific revision
-{{/* Copy just what we need to avoid expensive deepCopy */}}
-{{- $whv := dict
- "revision" .Values.revision
- "injectionURL" .Values.istiodRemote.injectionURL
- "namespace" .Release.Namespace }}
-{{- define "core" }}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: {{ .injectionURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .namespace }}
- path: "/inject"
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: istio-revision-tag-default
- labels:
- istio.io/tag: "default"
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ .Release.Name }}
-webhooks:
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- - "default"
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- - "default"
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-
-{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- - key: "kubernetes.io/metadata.name"
- operator: "NotIn"
- values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml b/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml
deleted file mode 100644
index 8ffa277e7..000000000
--- a/istio-1.18.2/manifests/charts/default/templates/validatingwebhook.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- istio: istiod
- istio.io/rev: {{ .Values.revision | default "default" }}
- istio.io/tag: "default"
- # Required to make sure this resource is removed
- # when purging Istio resources
- operator.istio.io/component: Pilot
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
----
diff --git a/istio-1.18.2/manifests/charts/default/values.yaml b/istio-1.18.2/manifests/charts/default/values.yaml
deleted file mode 100644
index f0b1c35d3..000000000
--- a/istio-1.18.2/manifests/charts/default/values.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-global:
- # Used to locate istiod.
- istioNamespace: "istio-system"
-
-base:
- # Validation webhook configuration url
- # For example: https://$remotePilotAddress:15017/validate
- validationURL: ""
- # If enabled, gateway-api types will be validated using the standard upstream validation logic.
- # This is an alternative to deploying the standalone validation server the project provides.
- # This is disabled by default, as the cluster may already have a validation server; while technically
- # it works to have multiple redundant validations, this adds complexity and operational risks.
- # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
- validateGateway: false
-
-istiodRemote:
- # Sidecar injector mutating webhook configuration url
- # For example: https://$remotePilotAddress:15017/inject
- injectionURL: ""
-
-# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-revision: ""
-
-sidecarInjectorWebhook:
- # This enables injection of sidecar in all namespaces,
- enableNamespacesByDefault: false
-
diff --git a/istio-1.18.2/manifests/charts/gateway/Chart.yaml b/istio-1.18.2/manifests/charts/gateway/Chart.yaml
deleted file mode 100644
index e16d97e68..000000000
--- a/istio-1.18.2/manifests/charts/gateway/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v2
-name: gateway
-description: Helm chart for deploying Istio gateways
-type: application
-
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-
-sources:
-- https://github.com/istio/istio
-icon: https://istio.io/latest/favicons/android-192x192.png
-keywords:
-- istio
-- gateways
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/gateway/README.md b/istio-1.18.2/manifests/charts/gateway/README.md
deleted file mode 100644
index 0e58c00f2..000000000
--- a/istio-1.18.2/manifests/charts/gateway/README.md
+++ /dev/null
@@ -1,148 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. 
- -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. 
- -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. 
Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt b/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt deleted file mode 100644 index 78451d33e..000000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index a777d43bc..000000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/_helpers.tpl +++ /dev/null 
@@ -1,61 +0,0 @@
-{{- define "gateway.name" -}}
-{{- if eq .Release.Name "RELEASE-NAME" -}}
- {{- .Values.name | default "istio-ingressgateway" -}}
-{{- else -}}
- {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
-{{- end -}}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "gateway.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{- define "gateway.labels" -}}
-helm.sh/chart: {{ include "gateway.chart" . }}
-{{ include "gateway.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-app.kubernetes.io/name: {{ include "gateway.name" . }}
-{{- range $key, $val := .Values.labels }}
-{{- if not (or (eq $key "app") (eq $key "istio")) }}
-{{ $key | quote }}: {{ $val | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "gateway.podLabels" -}}
-{{ include "gateway.selectorLabels" . }}
-{{- range $key, $val := .Values.labels }}
-{{- if not (or (eq $key "app") (eq $key "istio")) }}
-{{ $key | quote }}: {{ $val | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "gateway.selectorLabels" -}}
-{{- if hasKey .Values.labels "app" }}
-{{- with .Values.labels.app }}app: {{.|quote}}
-{{- end}}
-{{- else }}app: {{ include "gateway.name" . }}
-{{- end }}
-{{- if hasKey .Values.labels "istio" }}
-{{- with .Values.labels.istio }}
-istio: {{.|quote}}
-{{- end}}
-{{- else }}
-istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
-{{- end }}
-{{- end }}
-
-{{- define "gateway.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
-{{- else }}
-{{- .Values.serviceAccount.name | default "default" }}
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml
deleted file mode 100644
index da0fa270b..000000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/deployment.yaml
+++ /dev/null
@@ -1,107 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} - {{- include "gateway.podLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . 
}} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml b/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml deleted file mode 100644 index e287406c4..000000000 --- a/istio-1.18.2/manifests/charts/gateway/templates/hpa.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: {{ .Values.kind | default "Deployment" }}
- name: {{ include "gateway.name" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- target:
- averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Utilization
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 77f71e7fa..000000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.podDisruptionBudget }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
-spec:
- selector:
- matchLabels:
- {{- include "gateway.selectorLabels" . | nindent 6 }}
- {{- with .Values.podDisruptionBudget }}
- {{- toYaml . | nindent 2 }}
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml b/istio-1.18.2/manifests/charts/gateway/templates/role.yaml
deleted file mode 100644
index c8a25cb72..000000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/role.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
-{{- if .Values.rbac.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "gateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "gateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "gateway.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "gateway.serviceAccountName" . }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml b/istio-1.18.2/manifests/charts/gateway/templates/service.yaml
deleted file mode 100644
index b96a52b90..000000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/service.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if not (eq .Values.service.type "None") }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "gateway.name" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
- {{- with .Values.networkGateway }}
- topology.istio.io/network: "{{.}}"
- {{- end }}
- annotations:
- {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
-spec:
-{{- with .Values.service.loadBalancerIP }}
- loadBalancerIP: "{{ . }}"
-{{- end }}
-{{- with .Values.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml . | indent 4 }}
-{{- end }}
-{{- with .Values.service.externalTrafficPolicy }}
- externalTrafficPolicy: "{{ . }}"
-{{- end }}
- type: {{ .Values.service.type }}
- ports:
-{{- if .Values.networkGateway }}
- - name: status-port
- port: 15021
- targetPort: 15021
- - name: tls
- port: 15443
- targetPort: 15443
- - name: tls-istiod
- port: 15012
- targetPort: 15012
- - name: tls-webhook
- port: 15017
- targetPort: 15017
-{{- else }}
-{{ .Values.service.ports | toYaml | indent 4 }}
-{{- end }}
-{{- if .Values.service.externalIPs }}
- externalIPs: {{- range .Values.service.externalIPs }}
- - {{.}}
- {{- end }}
-{{- end }}
- selector:
- {{- include "gateway.selectorLabels" . | nindent 4 }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml
deleted file mode 100644
index e5b2304d6..000000000
--- a/istio-1.18.2/manifests/charts/gateway/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "gateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "gateway.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateway/values.schema.json b/istio-1.18.2/manifests/charts/gateway/values.schema.json
deleted file mode 100644
index d0878a2cc..000000000
--- a/istio-1.18.2/manifests/charts/gateway/values.schema.json
+++ /dev/null
@@ -1,219 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "additionalProperties": false, - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": ["object", "null"] - }, - "containerSecurityContext": { - "type": ["object", "null"] - }, - "kind":{ - "type": "string", - "enum": ["Deployment", "DaemonSet"] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": "integer" - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "revision": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": ["string", "boolean"], - "enum": [true, false, "auto"] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - 
"type": "array" - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": ["", "Always", "IfNotPresent", "Never"] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": ["integer", "string"] - }, - "maxUnavailable": { - "type": ["integer", "string"] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": ["", "IfHealthyBudget", "AlwaysAllow"] - } - } - } - } -} diff --git a/istio-1.18.2/manifests/charts/gateway/values.yaml b/istio-1.18.2/manifests/charts/gateway/values.yaml deleted file mode 100644 index 81e757e9d..000000000 --- a/istio-1.18.2/manifests/charts/gateway/values.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -# Name allows overriding the release name. Generally this should not be set -name: "" -# revision declares which revision this gateway is a part of -revision: "" - -replicaCount: 1 - -kind: Deployment - -rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - -serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - -podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - -# Define the security context for the pod. -# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. -# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. -securityContext: ~ -containerSecurityContext: ~ - -service: - # Type of service. 
Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - -resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - -autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - -# Pod environment variables -env: {} - -# Labels to apply to all resources -labels: {} - -# Annotations to apply to all resources -annotations: {} - -nodeSelector: {} - -tolerations: [] - -topologySpreadConstraints: [] - -affinity: {} - -# If specified, the gateway will act as a network gateway for the given network. -networkGateway: "" - -# Specify image pull policy if default behavior isn't desired. -# Default behavior: latest images will be Always else IfNotPresent -imagePullPolicy: "" - -imagePullSecrets: [] - -# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. -# -# By default, the `podDisruptionBudget` is disabled (set to `{}`), -# which means that no PodDisruptionBudget resource will be created. -# -# To enable the PodDisruptionBudget, configure it by specifying the -# `minAvailable` or `maxUnavailable`. For example, to set the -# minimum number of available replicas to 1, you can update this value as follows: -# -# podDisruptionBudget: -# minAvailable: 1 -# -# Or, to allow a maximum of 1 unavailable replica, you can set: -# -# podDisruptionBudget: -# maxUnavailable: 1 -# -# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. 
-# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: -# -# podDisruptionBudget: -# minAvailable: 1 -# unhealthyPodEvictionPolicy: AlwaysAllow -# -# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: -# -# podDisruptionBudget: {} -# -podDisruptionBudget: {} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml deleted file mode 100644 index b42ee2215..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -name: istio-egress -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -description: Helm chart for deploying Istio gateways -keywords: - - istio - - egressgateway - - gateways -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt deleted file mode 100644 index 9baacc0ea..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/NOTES.txt +++ /dev/null 
@@ -1,45 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label structure. Label change is not supported on upgrade. - -- for 'internal load balancer' you should deploy a separate gateway, in a different -namespace. - -All ingress gateway have a "app:ingressgateway" label, used to identify it as an -ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection. - -The Gateways use "istio: ingressgateway$SUFFIX" selectors. - - -# Multiple gateway versions - - - -# Using different pilot versions - - - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl deleted file mode 100644 index fc1ec5407..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/_affinity.tpl +++ /dev/null 
@@ -1,104 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- if or .global.arch $nodeSelector }} - nodeSelectorTerms: - - matchExpressions: - {{- if .global.arch }} - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml deleted file mode 100644 index aa901685a..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/autoscale.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} -{{- if not .Values.global.autoscalingv2API }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- else }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- end }} -{{- end }} 
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml
deleted file mode 100644
index 60dec8b32..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/deployment.yaml
+++ /dev/null
@@ -1,348 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" - sidecar.istio.io/inject: "false" - annotations: - istio.io/rev: {{ .Values.revision | default "default" }} - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - 
runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ 
.Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER 
- value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - secretName: istio.istio-egressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml deleted file mode 100644 index 150a5bd1c..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml +++ /dev/null 
@@ -1,146 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-egressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . 
}} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - 
{{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml deleted file mode 100644 index ba3c6d24b..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: -{{ $gateway.labels | toYaml | trim | indent 6 }} -{{- end }} 
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml deleted file mode 100644 index c472fcef2..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/role.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml deleted file mode 100644 index fd1ffcd70..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $gateway.name }}-sds -subjects: -- kind: ServiceAccount - name: {{ $gateway.name }}-service-account ---- 
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml deleted file mode 100644 index 2f8ce959e..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-egressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "EgressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.egressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml deleted file mode 100644 index b6a3eb40c..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $gateway.name }}-service-account
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "EgressGateways"
- {{- with $gateway.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml
deleted file mode 100644
index dd8588efd..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-egress/values.yaml
+++ /dev/null
@@ -1,299 +0,0 @@ -# Standalone istio egress gateway. -# Should be installed in a separate namespace, to minimize access to config -gateways: - istio-egressgateway: - name: istio-egressgateway - ports: - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - name: https - targetPort: 8443 - protocol: TCP - - labels: - app: istio-egressgateway - istio: egressgateway - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - cpu: - targetAverageUtilization: 80 - - serviceAnnotations: {} - podAnnotations: {} - type: ClusterIP # change to NodePort or LoadBalancer if need be - - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - configVolumes: [] - additionalContainers: [] - - serviceAccount: - # Annotations to add to the service account - annotations: {} - - ### Advanced options ############ - # TODO: convert to real options, env should not be exposed - env: {} - # Set this to "external" if and only if you want the egress gateway to - # act as a transparent SNI gateway that routes mTLS/TLS traffic to - # external services defined using service entries, where the service - # entry has resolution set to DNS, has one or more endpoints with - # network field set to "external". 
By default its set to "" so that - # the egress gateway sees the same set of endpoints as the sidecars - # preserving backward compatibility - # ISTIO_META_REQUESTED_NETWORK_VIEW: "" - - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . 
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.18.2 - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. 
- imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: {} - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. 
- componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. 
- autoscalingv2API: true - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml deleted file mode 100644 index fd1e5f887..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -name: istio-ingress -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio gateways -keywords: - - istio - - ingressgateway - - gateways -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt b/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt deleted file mode 100644 index 221ee5605..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/NOTES.txt +++ /dev/null 
@@ -1,43 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minimize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label and chart structure. -- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades -and allows a bit more flexibility. -- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. - -# Port and basic host configuration - -In order to configure the Service object, the install/upgrade needs to provide a list of all ports. -In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured -both in upgrade, Gateway and VirtualService. - -The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, -Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual -config for the rest. - -All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. 
Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl deleted file mode 100644 index fc1ec5407..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl +++ /dev/null 
@@ -1,104 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- if or .global.arch $nodeSelector }} - nodeSelectorTerms: - - matchExpressions: - {{- if .global.arch }} - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml deleted file mode 100644 index 0a6299bf0..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml +++ /dev/null 
@@ -1,60 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
-{{- if not .Values.global.autoscalingv2API }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- else }}
-{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
-apiVersion: autoscaling/v2
-{{- else }}
-apiVersion: autoscaling/v2beta2
-{{- end }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- maxReplicas: {{ $gateway.autoscaleMax }}
- minReplicas: {{ $gateway.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $gateway.name }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
deleted file mode 100644
index 243545a5d..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
+++ /dev/null
@@ -1,348 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" - annotations: - istio.io/rev: {{ .Values.revision | default "default" }} - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - 
runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ 
.Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER 
- value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - secretName: istio.istio-ingressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml deleted file mode 100644 index bc666a8bf..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml +++ /dev/null 
@@ -1,146 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . 
}} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true 
- {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml deleted file mode 100644 index 8b3688959..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,23 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }}
-apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ $gateway.name }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-spec:
- minAvailable: 1
- selector:
- matchLabels:
-{{ $gateway.labels | toYaml | trim | indent 6 }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml
deleted file mode 100644
index 3e21bca5b..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
deleted file mode 100644
index d45255792..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $gateway.name }}-sds
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $gateway.name }}-sds
-subjects:
-- kind: ServiceAccount
- name: {{ $gateway.name }}-service-account
----
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml
deleted file mode 100644
index a3b97be16..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/service.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.ingressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml deleted file mode 100644 index 9cf3034cd..000000000 --- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $gateway.name }}-service-account
- namespace: {{ .Release.Namespace }}
- labels:
-{{ $gateway.labels | toYaml | trim | indent 4 }}
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "IngressGateways"
- {{- with $gateway.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml b/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml
deleted file mode 100644
index 89c24a0c7..000000000
--- a/istio-1.18.2/manifests/charts/gateways/istio-ingress/values.yaml
+++ /dev/null
@@ -1,319 +0,0 @@ -# A-la-carte istio ingress gateway. -# Must be installed in a separate namespace, to minimize access to secrets. - -gateways: - istio-ingressgateway: - name: istio-ingressgateway - labels: - app: istio-ingressgateway - istio: ingressgateway - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - protocol: TCP - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - targetPort: 8443 - name: https - protocol: TCP - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - - cpu: - targetAverageUtilization: 80 - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - serviceAnnotations: {} - - # To generate an internal load balancer: - # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal - #serviceAnnotations: - # cloud.google.com/load-balancer-type: "internal" - - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ############## - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - customService: false - externalTrafficPolicy: "" - - ingressPorts: [] - additionalContainers: [] - configVolumes: [] - - serviceAccount: - # Annotations to add to the service account - annotations: {} - - ### Advanced options ############ 
- env: {} - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . 
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.18.2 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. 
- imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: {} - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. 
- componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # The suffix for global service names - globalDomainSuffix: "global" - # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication - includeEnvoyFilter: true - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. 
- servicePort: 0 - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/istio-1.18.2/manifests/charts/install-OpenShift.md b/istio-1.18.2/manifests/charts/install-OpenShift.md deleted file mode 100644 index 0417c07a3..000000000 --- a/istio-1.18.2/manifests/charts/install-OpenShift.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# Installing Istio on OpenShift using Helm - -> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio. - -To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows: - -```console -kubectl create namespace istio-system -``` - -The installation process using the Helm charts is as follows: - -1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended. - -```console -helm install istio-base -n istio-system manifests/charts/base -``` - -2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage. - -```console -helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info -``` - -3) `istio-control/istio-discovery` chart installs a revision of istiod. - -```console - helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni" -``` - -4) `gateways` charts install a load balancer with `ingress` and `egress`. - -Ingress secrets and access should be separated from the control plane. 
- -```console -helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt -``` - -Egress secrets and access should be separated from the control plane. - -```console -helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt -``` diff --git a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml b/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml deleted file mode 100644 index 2d61757c1..000000000 --- a/istio-1.18.2/manifests/charts/istio-cni/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -name: cni -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -description: Helm chart for istio-cni components -keywords: - - istio-cni - - istio -sources: - - https://github.com/istio/istio/tree/master/cni -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/istio-cni/README.md b/istio-1.18.2/manifests/charts/istio-cni/README.md deleted file mode 100644 index 215051ae7..000000000 --- a/istio-1.18.2/manifests/charts/istio-cni/README.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Ambient - -To enable ambient, you need to to add `--set cni.ambient.enabled=true`. - -### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -## GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt deleted file mode 100644 index 994628240..000000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/NOTES.txt +++ /dev/null 
@@ -1,5 +0,0 @@
-"{{ .Release.Name }}" successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml
deleted file mode 100644
index 4f930e2e7..000000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrole.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-cni
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-rules:
-- apiGroups: [""]
- resources: ["pods","nodes","namespaces"]
- verbs: ["get", "list", "watch"]
----
-{{- if .Values.cni.repair.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-cni-repair-role
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "delete", "patch", "update" ]
-- apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ]
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
deleted file mode 100644
index d7e4a861a..000000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-cni
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-cni
-subjects:
-- kind: ServiceAccount
- name: istio-cni
- namespace: {{ .Release.Namespace }}
----
-{{- if .Values.cni.repair.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-cni-repair-rolebinding
- labels:
- k8s-app: istio-cni-repair
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-subjects:
-- kind: ServiceAccount
- name: istio-cni
- namespace: {{ .Release.Namespace}}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-cni-repair-role
-{{- end }}
----
-{{- if ne .Values.cni.psp_cluster_role "" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istio-cni-psp
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.cni.psp_cluster_role }}
-subjects:
-- kind: ServiceAccount
- name: istio-cni
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml
deleted file mode 100644
index de62a0c7c..000000000
--- a/istio-1.18.2/manifests/charts/istio-cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: ConfigMap -apiVersion: v1 -metadata: - name: istio-cni-config - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": {{ quote .Values.cni.logLevel }}, - "log_uds_address": "__LOG_UDS_ADDRESS__", - {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}} - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, - "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] - } - } diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml deleted file mode 100644 index 6ce0e16aa..000000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/daemonset.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: istio-cni-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: istio-cni-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -spec: - selector: - matchLabels: - k8s-app: istio-cni-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} - template: - metadata: - labels: - k8s-app: istio-cni-node - sidecar.istio.io/inject: "false" - annotations: - sidecar.istio.io/inject: "false" - ambient.istio.io/redirection: disabled - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Custom annotations - {{- if .Values.cni.podAnnotations }} -{{ toYaml .Values.cni.podAnnotations | indent 8 }} - {{- end }} - spec: - {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes - {{- with .Values.cni.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. 
- - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: istio-cni - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.cni.image }} - image: "{{ .Values.cni.image }}" -{{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - privileged: {{ .Values.cni.privileged }} -{{- if .Values.cni.seccompProfile }} - seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - env: -{{- if .Values.cni.cniConfFileName }} - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "{{ .Values.cni.cniConfFileName }}" -{{- end }} - # The CNI network config to install on each node. 
- - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Deploy as a standalone CNI plugin or as chained? - - name: CHAINED_CNI_PLUGIN - value: "{{ .Values.cni.chained }}" - - name: REPAIR_ENABLED - value: "{{ .Values.cni.repair.enabled }}" - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: "{{.Values.cni.repair.labelPods}}" - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: "{{.Values.cni.repair.deletePods}}" - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - - name: REPAIR_INIT_CONTAINER_NAME - value: "{{ .Values.cni.repair.initContainerName }}" - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: "{{.Values.cni.repair.brokenPodLabelKey}}" - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: "{{.Values.cni.repair.brokenPodLabelValue}}" - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: LOG_LEVEL - value: {{ .Values.cni.logLevel | quote }} - {{- if .Values.cni.ambient.enabled }} - - name: AMBIENT_ENABLED - value: "true" - {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} - - name: EBPF_ENABLED - value: "true" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-log-dir - {{- if .Values.cni.ambient.enabled }} - - mountPath: /etc/ambient-config - name: cni-ambientconfig - - mountPath: /var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} - - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - name: cni-bpffs-dir - {{- end }} - {{ end }} - resources: -{{- if .Values.cni.resources }} -{{ toYaml 
.Values.cni.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} - {{- if .Values.cni.ambient.enabled }} - - name: cni-ambientconfig - hostPath: - path: /etc/ambient-config - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Used for UDS log - - name: cni-log-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: /var/run/netns - {{- if eq .Values.cni.ambient.redirectMode "ebpf"}} - - name: cni-bpffs-dir - hostPath: - path: /sys/fs/bpf - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml deleted file mode 100644 index 15946ae72..000000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/resourcequota.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.cni.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: istio-cni-resource-quota - namespace: {{ .Release.Namespace }} -spec: - hard: - pods: {{ .Values.cni.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml deleted file mode 100644 index 4645db63a..000000000 --- a/istio-1.18.2/manifests/charts/istio-cni/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-cni
- namespace: {{ .Release.Namespace }}
- labels:
- app: istio-cni
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Cni"
diff --git a/istio-1.18.2/manifests/charts/istio-cni/values.yaml b/istio-1.18.2/manifests/charts/istio-cni/values.yaml
deleted file mode 100644
index 157a9ee61..000000000
--- a/istio-1.18.2/manifests/charts/istio-cni/values.yaml
+++ /dev/null
@@ -1,127 +0,0 @@ -cni: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - - excludeNamespaces: - - istio-system - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # If this value is set a RoleBinding will be created - # in the same namespace as the istio-cni DaemonSet is created. - # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount - # e.g. if you use PodSecurityPolicies - psp_cluster_role: "" - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) - privileged: false - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # Set ambient redirection mode: "iptables" or "ebpf" - redirectMode: "iptables" - - repair: - enabled: true - hub: "" - tag: "" - - labelPods: true - deletePods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. 
- seccompProfile: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # The number of pods that can be unavailable during rolling update (see - # `updateStrategy.rollingUpdate.maxUnavailable` here: - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - # May be specified as a number of pods or as a percent of the total number - # of pods at the start of the update. - rollingMaxUnavailable: 1 - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.18.2 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi 
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml
deleted file mode 100644
index 321d0f121..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-name: istiod
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for istio control plane
-keywords:
- - istio
- - istiod
- - istio-discovery
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md
deleted file mode 100644
index 9d4d07a42..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/README.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# Istiod Helm Chart
-
-This chart installs an Istiod deployment.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
-
-To install the chart with the release name `istiod`:
-
-```console
-kubectl create namespace istio-system
-helm install istiod istio/istiod --namespace istio-system
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the `istiod` deployment:
-
-```console
-helm delete istiod --namespace istio-system
-```
-
-## Configuration
-
-To view support configuration options and documentation, run:
-
-```console
-helm show values istio/istiod
-```
-
-### Examples
-
-#### Configuring mesh configuration settings
-
-Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
-
-```yaml
-meshConfig:
- accessLogFile: /dev/stdout
-```
-
-#### Revisions
-
-Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
-This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
-
-```yaml
-revision: my-revision-name
-```
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
deleted file mode 100644
index 5002c03f8..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
+++ /dev/null
@@ -1,237 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if 
.Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion 
.DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: 
/var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} 
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml deleted file mode 100644 index 2bd673670..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml +++ /dev/null 
@@ -1,320 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if 
.Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if 
.DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else 
}} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml deleted file mode 100644 index a05fd5768..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml +++ /dev/null 
@@ -1,513 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 
- {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ 
.MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . 
}} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - 
{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if 
.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - 
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if 
.Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml deleted file mode 100644 index ec80744c1..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml +++ /dev/null 
@@ -1,312 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap .Labels | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - istio.io/gateway-name: {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .Labels - (strdict "istio.io/gateway-name" .Name) | nindent 8}} - spec: - {{- if .KubeVersion122 }} - {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. 
*/}} - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - image: "{{ .ProxyImage }}" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - {{- if .KubeVersion122 }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: 
istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .Labels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - 
emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{ toJsonMap .Labels | nindent 4}} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - istio.io/gateway-name: {{.Name}} - {{- if .Spec.Addresses }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ index .Annotations "networking.istio.io/service-type" | default "LoadBalancer" | quote }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml deleted file mode 100644 index aa5374cd9..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/files/waypoint.yaml +++ /dev/null 
@@ -1,238 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap .Labels | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - istio.io/gateway-name: "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "ambient.istio.io/redirection" "disabled" - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .Labels - (strdict - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta 
`sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault 
.MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - image: {{.ProxyImage}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - name: istio-proxy - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: true - runAsGroup: 1337 - runAsUser: 0 - capabilities: - add: - - NET_ADMIN - - NET_RAW - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .Annotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{ toJsonMap .Labels | nindent 4}} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ports: - - name: https-hbone - port: 15008 - protocol: TCP - appProtocol: https - selector: - istio.io/gateway-name: "{{.Name}}" ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt deleted file mode 100644 index 03cb8192f..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt +++ /dev/null 
@@ -1,56 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - -Next steps: - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and 
meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl deleted file mode 100644 index ccf8a077f..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl +++ /dev/null 
@@ -1,35 +0,0 @@
-{{/* Prometheus is enabled if its enabled and there are no config overrides set */}}
-{{ define "prometheus" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
- (not (or
- .Values.telemetry.v2.prometheus.configOverride.gateway
- .Values.telemetry.v2.prometheus.configOverride.inboundSidecar
- .Values.telemetry.v2.prometheus.configOverride.outboundSidecar
- )) }}
-{{- end }}
-
-{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}}
-{{ define "sd-metrics" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
- (not (or
- .Values.telemetry.v2.stackdriver.configOverride
- .Values.telemetry.v2.stackdriver.disableOutbound ))
-}}
-{{- end }}
-
-{{/* SD has metrics and logging split. */}}
-{{ define "sd-logs" }}
-{{- and
- (not .Values.meshConfig.defaultProviders)
- .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
- (not (or
- .Values.telemetry.v2.stackdriver.configOverride
- (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY"))
- (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL"))
- .Values.telemetry.v2.stackdriver.disableOutbound ))
-}}
-{{- end }}
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
deleted file mode 100644
index 4069bbde2..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
+++ /dev/null
@@ -1,59 +0,0 @@ -{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} -{{- if not .Values.global.autoscalingv2API }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} ---- -{{- else }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} ---- -{{- end }} -{{- end 
}} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml deleted file mode 100644 index e910a317f..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: 
[""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" -{{- range .Values.global.certSigners }} - - {{ . 
| quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] 
- resources: [ "serviceaccounts"]
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml
deleted file mode 100644
index f6e425210..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
\ No newline at end of file
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
deleted file mode 100644
index 7b719ac7e..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.pilot.jwksResolverExtraRootCA }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- release: {{ .Release.Name }}
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
-data:
- extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
deleted file mode 100644
index d55040477..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
+++ /dev/null
@@ -1,120 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "prometheus" . | eq "true" }} - {{ $sdMetrics := include "sd-metrics" . | eq "true" }} - {{ $sdLogs := include "sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if $sdMetrics }}- stackdriver{{ end }} - {{- end }} - {{- if $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - {{- if $.Values.global.tracer.stackdriver.debug }} - debug: {{ $.Values.global.tracer.stackdriver.debug }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} - # The global default max number of message events per span. 
- maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- else }} - {} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . 
}} -{{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml deleted file mode 100644 index 1aa802069..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml +++ /dev/null 
@@ -1,258 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} -{{- range $key, $val := .Values.pilot.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.pilot.autoscaleEnabled }} -{{- if .Values.pilot.replicaCount }} - replicas: {{ .Values.pilot.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.pilot.rollingMaxSurge }} - maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.pilot.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - {{- end }} - ambient.istio.io/redirection: disabled - sidecar.istio.io/inject: "false" - {{- if .Values.pilot.podAnnotations }} -{{ toYaml .Values.pilot.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.pilot.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pilot.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.pilot.affinity }} - affinity: -{{- toYaml . 
| nindent 8 }} -{{- end }} -{{- with .Values.pilot.tolerations }} - tolerations: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - securityContext: - fsGroup: 1337 - containers: - - name: discovery -{{- if contains "/" .Values.pilot.image }} - image: "{{ .Values.pilot.image }}" -{{- else }} - image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.global.oneNamespace }} - - "-a" - - {{ .Release.Namespace }} -{{- end }} -{{- if .Values.pilot.plugins }} - - --plugins={{ .Values.pilot.plugins }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: 
POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - {{- if .Values.pilot.env }} - {{- range $key, $val := .Values.pilot.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.GitVersion }} - - name: ENABLE_LEGACY_FSGROUP_INJECTION - value: "true" -{{- end }} -{{- if .Values.pilot.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.pilot.traceSampling }}" -{{- end }} - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" - - name: ISTIOD_ADDR - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - resources: -{{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.pilot.seccompProfile }} - seccompProfile: -{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - {{- end }} - - name: 
local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - ---- diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 69522c674..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . 
}} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} 
-{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml deleted file mode 100644 index fbffdd652..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. 
First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: 
istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml deleted file mode 100644 index 454737a69..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml deleted file mode 100644 index 793b75e66..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} 
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
deleted file mode 100644
index 4f9925c9d..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
deleted file mode 100644
index 8bef54643..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
+++ /dev/null
@@ -1,140 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - 
operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: 
["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml deleted file mode 100644 index 195bdde40..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/role.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml deleted file mode 100644 index 0d700f008..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml
deleted file mode 100644
index b5ddf5b6e..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/service.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- {{- if .Values.pilot.serviceAnnotations }}
- annotations:
-{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
- {{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: istiod
- istio: pilot
- release: {{ .Release.Name }}
-spec:
- ports:
- - port: 15010
- name: grpc-xds # plaintext
- protocol: TCP
- - port: 15012
- name: https-dns # mTLS with k8s-signed cert
- protocol: TCP
- - port: 443
- name: https-webhook # validation and injection
- targetPort: 15017
- protocol: TCP
- - port: 15014
- name: http-monitoring # prometheus stats
- protocol: TCP
- selector:
- app: istiod
- {{- if ne .Values.revision "" }}
- istio.io/rev: {{ .Values.revision }}
- {{- else }}
- # Label used by the 'default' service. For versioned deployments we match with app and version.
- # This avoids default deployment picking the canary
- istio: pilot
- {{- end }}
----
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
deleted file mode 100644
index ee6cbc326..000000000
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
----
diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml deleted file mode 100644 index 8374fc05d..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.16.yaml +++ /dev/null 
@@ -1,616 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- 
end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - 
local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if 
.Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: 
envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - 
"metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: 
INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: 
stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml deleted file mode 100644 index 990d817ca..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.17.yaml +++ /dev/null 
@@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - 
"disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - 
listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! 
*/}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: 
tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not 
.Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - 
configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml deleted file mode 100644 index 736ed586f..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.18.yaml +++ /dev/null 
@@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - 
"disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - 
listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! 
*/}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: 
tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not 
.Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - 
configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 88b9eb7c6..000000000 --- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml b/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml deleted file mode 100644 index 2c05e3dfb..000000000 
--- a/istio-1.18.2/manifests/charts/istio-control/istio-discovery/values.yaml
+++ /dev/null
@@ -1,485 +0,0 @@ -#.Values.pilot for discovery and mesh wide config - -## Discovery Settings -pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - env: {} - - cpu: - targetAverageUtilization: 80 - - # if protocol sniffing is enabled for outbound - enableProtocolSniffingForOutbound: true - # if protocol sniffing is enabled for inbound - enableProtocolSniffingForInbound: true - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - - plugins: [] - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. 
- podLabels: {} - -sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. 
- # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] -istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" -telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - metadataExchange: - # Indicates whether to enable WebAssembly runtime for metadata exchange filter. - wasmEnabled: false - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # Indicates whether to enable WebAssembly runtime for stats filter. - wasmEnabled: false - # overrides stats EnvoyFilter configuration. - configOverride: - gateway: {} - inboundSidecar: {} - outboundSidecar: {} - # stackdriver filter settings. - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. 
- disableOutbound: false - # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. - - configOverride: {} - # e.g. - # disable_server_access_logging: false - # disable_host_header_fallback: true - # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. - accessLogPolicy: - enabled: false - # To reduce the number of successful logs, default log window duration is - # set to 12 hours. - logWindowDuration: "43200s" -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# Revision tags are aliases to Istio control plane revisions -revisionTags: [] - -# For Helm compatibility. -ownerName: "" - -# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior -# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options -meshConfig: - enablePrometheusMerge: true - -global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. 
- # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.18.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. 
- operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. 
- enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 30 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 1 - - # The period between readiness probes. - readinessPeriodSeconds: 2 - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "zipkin" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. 
To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. 
- # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. 
This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - -base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # If enabled, gateway-api types will be validated using the standard upstream validation logic. - # This is an alternative to deploying the standalone validation server the project provides. - # This is disabled by default, as the cluster may already have a validation server; while technically - # it works to have multiple redundant validations, this adds complexity and operational risks. 
- # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
- validateGateway: false
diff --git a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml b/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml
deleted file mode 100644
index 3e6305781..000000000
--- a/istio-1.18.2/manifests/charts/istio-operator/Chart.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: istio-operator
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio operator
-keywords:
- - istio
- - operator
-sources:
- - https://github.com/istio/istio/tree/master/operator
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml b/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml
deleted file mode 100644
index 93ac1de07..000000000
--- a/istio-1.18.2/manifests/charts/istio-operator/crds/crd-operator.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# SYNC WITH manifests/charts/base/files
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
- labels:
- release: istio
-spec:
- conversion:
- strategy: None
- group: install.istio.io
- names:
- kind: IstioOperator
- listKind: IstioOperatorList
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- - io
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Istio control plane revision
- jsonPath: .spec.revision
- name: Revision
- type: string
- - description: IOP current state
- jsonPath: .status.status
- name: Status
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- subresources:
- status: {}
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
----
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml
deleted file mode 100644
index c7101ab6b..000000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-rules:
-# istio groups
-- apiGroups:
- - authentication.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - config.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - install.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - networking.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - security.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-# k8s groups
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - '*'
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions.apiextensions.k8s.io
- - customresourcedefinitions
- verbs:
- - '*'
-- apiGroups:
- - apps
- - extensions
- resources:
- - daemonsets
- - deployments
- - deployments/finalizers
- - replicasets
- verbs:
- - '*'
-- apiGroups:
- - autoscaling
- resources:
- - horizontalpodautoscalers
- verbs:
- - '*'
-- apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- verbs:
- - get
- - create
- - update
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - '*'
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - roles
- - rolebindings
- verbs:
- - '*'
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - create
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - events
- - namespaces
- - pods
- - pods/proxy
- - pods/portforward
- - persistentvolumeclaims
- - secrets
- - services
- - serviceaccounts
- - resourcequotas
- verbs:
- - '*'
----
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
deleted file mode 100644
index a3df073ab..000000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-subjects:
-- kind: ServiceAccount
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{.Release.Namespace}}
-roleRef:
- kind: ClusterRole
- name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- apiGroup: rbac.authorization.k8s.io
----
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml
deleted file mode 100644
index a37036508..000000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/crds.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-{{- if .Values.enableCRDTemplates -}}
-{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
----
-{{ $.Files.Get $path }}
-{{- end -}}
-{{- end -}}
diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml
deleted file mode 100644
index 018309564..000000000
--- a/istio-1.18.2/manifests/charts/istio-operator/templates/deployment.yaml
+++ /dev/null
@@ -1,81 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: {{.Release.Namespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - replicas: 1 - revisionHistoryLimit: {{ .Values.deploymentHistory }} - selector: - matchLabels: - name: istio-operator - template: - metadata: - labels: - name: istio-operator - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - annotations: - prometheus.io/port: "{{ .Values.operator.monitoring.port }}" - prometheus.io/scrape: "true" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: - serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - containers: - - name: istio-operator - image: {{.Values.hub}}/operator:{{.Values.tag}} - command: - - operator - - server - - --monitoring-host={{ .Values.operator.monitoring.host }} - - --monitoring-port={{ .Values.operator.monitoring.port }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true -{{- if .Values.operator.seccompProfile }} - seccompProfile: -{{ toYaml .Values.operator.seccompProfile | trim | indent 14 }} -{{- end }} -{{- if .Values.imagePullPolicy }} - imagePullPolicy: {{ .Values.imagePullPolicy }} -{{- end }} - resources: -{{ toYaml .Values.operator.resources | trim | indent 12 }} - env: - - name: WATCH_NAMESPACE - value: {{.Values.watchedNamespaces | quote}} - - name: LEADER_ELECTION_NAMESPACE - value: {{.Release.Namespace | quote}} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{.Release.Namespace | quote}} - - name: WAIT_FOR_RESOURCES_TIMEOUT - value: {{.Values.waitForResourcesTimeout | quote}} - - name: REVISION - value: {{.Values.revision | quote}} - {{- with 
.Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml deleted file mode 100644 index e32e8ea0a..000000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: {{.Release.Namespace}} - labels: - name: istio-operator - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - ports: - - name: http-metrics - port: 8383 - targetPort: 8383 - protocol: TCP - selector: - name: istio-operator ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml b/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml deleted file mode 100644 index fe9d4cf2b..000000000 --- a/istio-1.18.2/manifests/charts/istio-operator/templates/service_account.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: {{.Release.Namespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{ . }} -{{- end }} -{{- end }} ---- diff --git a/istio-1.18.2/manifests/charts/istio-operator/values.yaml b/istio-1.18.2/manifests/charts/istio-operator/values.yaml deleted file mode 100644 index d344f093a..000000000 --- a/istio-1.18.2/manifests/charts/istio-operator/values.yaml +++ /dev/null 
@@ -1,51 +0,0 @@
-hub: docker.io/istio
-tag: 1.18.2
-
-# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
-# used to pull operator image. Must be set for any cluster configured with private docker registry.
-imagePullSecrets: []
-
-# Specify image pull policy if default behavior isn't desired.
-# Default behavior: latest images will be Always else IfNotPresent.
-imagePullPolicy: ""
-
-# Used to replace istioNamespace to support operator watch multiple namespaces.
-watchedNamespaces: istio-system
-waitForResourcesTimeout: 300s
-
-# Used for helm2 to add the CRDs to templates.
-enableCRDTemplates: false
-
-# revision for the operator resources
-revision: ""
-
-# The number of old ReplicaSets to retain in operator deployment
-deploymentHistory: 10
-
-# Operator resource defaults
-operator:
- monitoring:
- host: 127.0.0.1
- port: 15014
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 50m
- memory: 128Mi
- # Set to `type: RuntimeDefault` to use the default profile if available.
- seccompProfile: {}
-
-# Node labels for pod assignment
-nodeSelector: {}
-
-# Tolerations for pod assignment
-tolerations: []
-
-# Affinity for pod assignment
-affinity: {}
-
-# Additional labels and annotations to apply on the pod level for monitoring and logging configuration.
-podLabels: {}
-podAnnotations: {}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml b/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml
deleted file mode 100644
index 616ce3fca..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/Chart.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: istiod-remote
-# This version is never actually shipped. istio/release-builder will replace it at build-time
-# with the appropriate version
-version: 1.18.2
-appVersion: 1.18.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for a remote cluster using an external istio control plane
-keywords:
- - istio
- - external-istiod
-sources:
- - https://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt b/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt
deleted file mode 100644
index 0230b6f86..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/NOTES.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Install for a remote cluster using an external control plane.
-
-The templates in this directory are copies of base and istio-discovery templates.
-DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen.
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
deleted file mode 100644
index 5002c03f8..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
+++ /dev/null
@@ -1,237 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if 
.Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion 
.DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: 
/var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} 
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml b/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml deleted file mode 100644 index a05fd5768..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/files/injection-template.yaml +++ /dev/null 
@@ -1,513 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} 
- {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ 
.MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . 
}} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - 
{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if 
.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - 
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if 
.Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl b/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl deleted file mode 100644 index ccf8a077f..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/_helpers.tpl +++ /dev/null 
@@ -1,35 +0,0 @@ -{{/* Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled - (not (or - .Values.telemetry.v2.prometheus.configOverride.gateway - .Values.telemetry.v2.prometheus.configOverride.inboundSidecar - .Values.telemetry.v2.prometheus.configOverride.outboundSidecar - )) }} -{{- end }} - -{{/* SD has metrics and logging split. Metrics are enabled if SD is enabled and there are no config overrides set */}} -{{ define "sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled - (not (or - .Values.telemetry.v2.stackdriver.configOverride - .Values.telemetry.v2.stackdriver.disableOutbound )) -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled - (not (or - .Values.telemetry.v2.stackdriver.configOverride - (has .Values.telemetry.v2.stackdriver.outboundAccessLogging (list "" "ERRORS_ONLY")) - (has .Values.telemetry.v2.stackdriver.inboundAccessLogging (list "" "ALL")) - .Values.telemetry.v2.stackdriver.disableOutbound )) -}} -{{- end }} \ No newline at end of file diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml deleted file mode 100644 index 2550df5f7..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrole.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -{{- if .Values.global.configCluster }} -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # 
discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" -{{- range .Values.global.certSigners }} - - {{ . 
| quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] 
- resources: [ "serviceaccounts"]
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
deleted file mode 100644
index 932cdce02..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
----
-{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml
deleted file mode 100644
index d55040477..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/configmap.yaml
+++ /dev/null
@@ -1,120 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "prometheus" . | eq "true" }} - {{ $sdMetrics := include "sd-metrics" . | eq "true" }} - {{ $sdLogs := include "sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if $sdMetrics }}- stackdriver{{ end }} - {{- end }} - {{- if $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - {{- if $.Values.global.tracer.stackdriver.debug }} - debug: {{ $.Values.global.tracer.stackdriver.debug }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} - # The global default max number of message events per span. 
- maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- else }} - {} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . 
}} -{{- end }} ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml deleted file mode 100644 index 27259265f..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-all.gen.yaml +++ /dev/null 
@@ -1,7201 +0,0 @@ -{{- if .Values.global.configCluster }} -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - imagePullPolicy: - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: Criteria for selecting traffic by their direction. - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. 
- items: - properties: - number: - type: integer - type: object - type: array - type: object - type: array - phase: - description: Determines where in the filter chain this `WasmPlugin` - is to be injected. - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - nullable: true - type: integer - selector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - type: string - url: - description: URL of a Wasm module or OCI container. - type: string - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - type: string - value: - description: Value for the environment variable. 
- type: string - valueFrom: - enum: - - INLINE - - HOST - type: string - type: object - type: array - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. 
- type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. 
- type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. 
- type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. 
- type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. 
- format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. 
- type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. 
- type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - 
properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. 
- properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. 
- type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. 
- type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. 
- properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. 
- properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. 
- properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. 
- items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. 
- format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. 
- type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - insecureSkipVerify: - nullable: true - type: boolean - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - tunnel: - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. 
- type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - type: object - type: object - workloadSelector: - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. 
- properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. 
- properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. 
- format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. 
- type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. 
See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' 
- items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. 
- properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. 
- type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). 
- properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. 
- type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. 
- properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. 
- properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. 
- type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. 
- items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. 
- items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. 
- enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. 
- items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. 
- items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. 
- enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. 
- properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml deleted file mode 100644 index 42e95ee8e..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/crd-operator.yaml +++ /dev/null 
@@ -1,50 +0,0 @@
-{{- if .Values.global.configCluster }}
-# SYNC WITH manifests/charts/istio-operator/templates
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
- labels:
- release: istio
-spec:
- conversion:
- strategy: None
- group: install.istio.io
- names:
- kind: IstioOperator
- listKind: IstioOperatorList
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- - io
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Istio control plane revision
- jsonPath: .spec.revision
- name: Revision
- type: string
- - description: IOP current state
- jsonPath: .status.status
- name: Status
- type: string
- - description: 'CreationTimestamp is a timestamp representing the server time
- when this object was created. It is not guaranteed to be set in happens-before
- order across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
- lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- subresources:
- status: {}
- name: v1alpha1
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- served: true
- storage: true
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml
deleted file mode 100644
index 6b1d6633f..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/default.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if .Values.global.configCluster }}
-{{- if not (eq .Values.defaultRevision "") }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.defaultRevision }}
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- {{- if (eq .Values.defaultRevision "default") }}
- name: istiod
- {{- else }}
- name: istiod-{{ .Values.defaultRevision }}
- {{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- {{- if .Values.base.validateGateway }}
- - gateway.networking.k8s.io
- {{- end }}
- apiVersions:
- - "*"
- resources:
- - "*"
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml
deleted file mode 100644
index 2675b47a1..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/endpoints.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-# if the remotePilotAddress is an IP addr
-apiVersion: v1
-kind: Endpoints
-metadata:
- {{- if .Values.pilot.enabled }}
- name: istiod-remote
- {{- else }}
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
- - ip: {{ .Values.global.remotePilotAddress }}
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 15017
- name: tcp-webhook
- protocol: TCP
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
deleted file mode 100644
index 69522c674..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-{{- if not .Values.global.omitSidecarInjectorConfigMap }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
-data:
-{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
- values: |-
-{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
-
- # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
- # and istiod webhook functionality.
- #
- # New fields should not use Values - it is a 'primary' config object, users should be able
- # to fine tune it or use it with kube-inject.
- config: |-
- # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
- {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
- defaultTemplates:
-{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- - {{ . }}
-{{- end }}
- {{- else }}
- defaultTemplates: [sidecar]
- {{- end }}
- policy: {{ .Values.global.proxy.autoInject }}
- alwaysInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
- neverInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
- injectedAnnotations:
- {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
- "{{ $key }}": {{ $val | quote }}
- {{- end }}
- {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
- which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
- This should make it obvious that their installation is broken.
- */}}
- template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
- templates:
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
- sidecar: |
-{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
- gateway: |
-{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
- grpc-simple: |
-{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
- grpc-agent: |
-{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
- waypoint: |
-{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
-{{- end }}
-{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
- kube-gateway: |
-{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
-{{- end }}
-{{- with .Values.sidecarInjectorWebhook.templates }}
-{{ toYaml . | trim | indent 6 }}
-{{- end }}
-
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
deleted file mode 100644
index fbffdd652..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,152 +0,0 @@
-{{- /* Core defines the common configuration used by all webhook segments */}}
-{{/* Copy just what we need to avoid expensive deepCopy */}}
-{{- $whv := dict
- "revision" .Values.revision
- "injectionPath" .Values.istiodRemote.injectionPath
- "injectionURL" .Values.istiodRemote.injectionURL
- "namespace" .Release.Namespace }}
-{{- define "core" }}
-{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
-a unique prefix to each. */}}
-- name: {{.Prefix}}sidecar-injector.istio.io
- clientConfig:
- {{- if .injectionURL }}
- url: "{{ .injectionURL }}"
- {{- else }}
- service:
- name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
- namespace: {{ .namespace }}
- path: "{{ .injectionPath }}"
- port: 443
- {{- end }}
- sideEffects: None
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
-{{- if not .Values.global.operatorManageWebhooks }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq .Release.Namespace "istio-system"}}
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-{{- else }}
- name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-{{- end }}
- labels:
- istio.io/rev: {{ .Values.revision | default "default" }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- app: sidecar-injector
- release: {{ .Release.Name }}
-webhooks:
-{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
-
-{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
-{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: DoesNotExist
- - key: istio-injection
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
-
-
-{{- /* Webhooks for default revision */}}
-{{- if (eq .Values.revision "") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: In
- values:
- - enabled
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: NotIn
- values:
- - "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: In
- values:
- - "true"
- - key: istio.io/rev
- operator: DoesNotExist
-
-{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
- namespaceSelector:
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- - key: "kubernetes.io/metadata.name"
- operator: "NotIn"
- values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
- objectSelector:
- matchExpressions:
- - key: sidecar.istio.io/inject
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
-{{- end }}
-
-{{- end }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
deleted file mode 100644
index 793b75e66..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-rules:
- - apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-{{- if .Values.global.externalIstiod }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-{{- end}}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
deleted file mode 100644
index 4f9925c9d..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
deleted file mode 100644
index d9ce18c27..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
-# Should be used for remote secret creation.
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml
deleted file mode 100644
index c3af8c075..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/role.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
- verbs: ["create"]
- resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
- resources: ["secrets"]
- # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
- verbs: ["create", "get", "watch", "list", "update", "delete"]
-
-# For status controller, so it can delete the distribution report configmap
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["delete"]
-
-# For gateway deployment controller
-- apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "update", "patch", "create"]
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml
deleted file mode 100644
index f65b3b122..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/rolebinding.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml
deleted file mode 100644
index 4f8d20f6a..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml
deleted file mode 100644
index 2bc55e669..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/services.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if .Values.pilot.enabled }}
- # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
- name: istiod-remote
- {{- else }}
- # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
- name: istiod
- {{- end }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 443
- targetPort: 15017
- name: tcp-webhook
- protocol: TCP
- {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
- type: ExternalName
- externalName: {{ .Values.global.remotePilotAddress }}
- {{- end }}
----
-{{- end }}
diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml
deleted file mode 100644
index 8374fc05d..000000000
--- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.16.yaml
+++ /dev/null
@@ -1,616 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- 
end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - 
local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if 
.Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! */}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: 
envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - 
"metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: 
INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: 
stackdriver-sampling-accesslog-filter-1.16{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.16.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml deleted file mode 100644 index 990d817ca..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.17.yaml +++ /dev/null 
@@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - 
"disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - 
listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! 
*/}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: 
tcp-stackdriver-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not 
.Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.17{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - 
configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.17.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml deleted file mode 100644 index 736ed586f..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/telemetryv2_1.18.yaml +++ /dev/null 
@@ -1,486 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -{{ $prom := not (include "prometheus" . | eq "true") }} -{{ $sdMetrics := not (include "sd-metrics" . | eq "true") }} -{{ $sdLogs := not (include "sd-logs" . | eq "true") }} ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if and .Values.telemetry.v2.prometheus.enabled $prom }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - 
"disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - 
listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/stats.PluginConfig - value: - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - {} - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} ---- -{{- end }} -{{/*TODO: this is broken, we do not handle the split quite right! 
*/}} -{{- if and .Values.telemetry.v2.stackdriver.enabled $sdLogs $sdMetrics }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "disable_host_header_fallback": true, - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: 
tcp-stackdriver-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not 
.Values.telemetry.v2.stackdriver.configOverride }} - { - "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, - "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - { - "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", - "metric_expiry_duration": "3600s" - } - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.18{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - priority: -1 - 
configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.18.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 96c2e68ff..000000000 --- a/istio-1.18.2/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - {{- if .Values.base.validateGateway }} - - gateway.networking.k8s.io - {{- end }} - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml b/istio-1.18.2/manifests/charts/istiod-remote/values.yaml deleted file mode 100644 index aba10e2af..000000000 
--- a/istio-1.18.2/manifests/charts/istiod-remote/values.yaml
+++ /dev/null
@@ -1,416 +0,0 @@ -#.Values.pilot for discovery and mesh wide config - -## Discovery Settings -pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - hub: "" - tag: "" - variant: "" - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - env: {} - cpu: - targetAverageUtilization: 80 - # if protocol sniffing is enabled for outbound - enableProtocolSniffingForOutbound: true - # if protocol sniffing is enabled for inbound - enableProtocolSniffingForInbound: true - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - plugins: [] - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - # Additional labels to apply to the deployment. - deploymentLabels: {} - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: false - # Additional labels to apply on the pod level for monitoring and logging configuration. 
- podLabels: {} -sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - rewriteAppHTTPProbe: true - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. 
- # This is intended for advanced configuration only; most users should use the built in template - templates: {} - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] -istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" -telemetry: - enabled: false - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - metadataExchange: - # Indicates whether to enable WebAssembly runtime for metadata exchange filter. - wasmEnabled: false - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # Indicates whether to enable WebAssembly runtime for stats filter. - wasmEnabled: false - # overrides stats EnvoyFilter configuration. - configOverride: - gateway: {} - inboundSidecar: {} - outboundSidecar: {} - # stackdriver filter settings. - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. 
- disableOutbound: false - # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. - - configOverride: {} - # e.g. - # disable_server_access_logging: false - # disable_host_header_fallback: true - # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. - accessLogPolicy: - enabled: false - # To reduce the number of successful logs, default log window duration is - # set to 12 hours. - logWindowDuration: "43200s" -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" -# Revision tags are aliases to Istio control plane revisions -revisionTags: [] -# For Helm compatibility. -ownerName: "" -# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior -# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options -meshConfig: - enablePrometheusMerge: true -global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - # Default hub for Istio images. 
- # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.18.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - omitSidecarInjectorConfigMap: true - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. 
- operatorManageWebhooks: false - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - proxy: - image: proxyv2 - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. 
- enableCoreDump: false - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 30 - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 1 - # The period between readiness probes. - readinessPeriodSeconds: 2 - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "zipkin" - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - ############################################################################################## - # The following values are found in other charts. 
To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: true - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. 
- # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. 
This is required for sidecar injection - # to properly label proxies - clusterName: "" - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true -base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - # If enabled, gateway-api types will be validated using the standard upstream validation logic. - # This is an alternative to deploying the standalone validation server the project provides. - # This is disabled by default, as the cluster may already have a validation server; while technically - # it works to have multiple redundant validations, this adds complexity and operational risks. 
- # Users should consider enabling this if they want full gateway-api validation but don't have other validation servers. - validateGateway: false diff --git a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml b/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml deleted file mode 100644 index 1396a7b11..000000000 --- a/istio-1.18.2/manifests/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -name: ztunnel -# This version is never actually shipped. istio/release-builder will replace it at build-time -# with the appropriate version -version: 1.18.2 -appVersion: 1.18.2 -description: Helm chart for istio ztunnel components -keywords: - - istio-ztunnel - - istio -sources: - - https://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/istio-1.18.2/manifests/charts/ztunnel/README.md b/istio-1.18.2/manifests/charts/ztunnel/README.md deleted file mode 100644 index f8887a126..000000000 --- a/istio-1.18.2/manifests/charts/ztunnel/README.md +++ /dev/null @@ -1,36 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt b/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 93297520e..000000000 --- a/istio-1.18.2/manifests/charts/ztunnel/templates/NOTES.txt +++ /dev/null 
@@ -1,5 +0,0 @@
-ztunnel successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }}
- $ helm get all {{ .Release.Name }}
diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml
deleted file mode 100644
index d86deb00e..000000000
--- a/istio-1.18.2/manifests/charts/ztunnel/templates/daemonset.yaml
+++ /dev/null
@@ -1,121 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - app: ztunnel -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - cni.projectcalico.org/allowedSourcePrefixes: "[\"0.0.0.0/0\"]" - ambient.istio.io/redirection: disabled - sidecar.istio.io/inject: "false" -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - serviceAccountName: ztunnel - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . 
}} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - privileged: false - capabilities: - drop: - - ALL - add: - - NET_ADMIN - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert diff --git a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml b/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 5a569b647..000000000 --- a/istio-1.18.2/manifests/charts/ztunnel/templates/rbac.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
- {{- with .Values.imagePullSecrets }}
-imagePullSecrets:
- {{- range . }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: ztunnel
- namespace: {{ .Release.Namespace }}
- labels:
- {{- .Values.labels | toYaml | nindent 4}}
- annotations:
- {{- .Values.annotations | toYaml | nindent 4 }}
----
diff --git a/istio-1.18.2/manifests/charts/ztunnel/values.yaml b/istio-1.18.2/manifests/charts/ztunnel/values.yaml
deleted file mode 100644
index 67967d01c..000000000
--- a/istio-1.18.2/manifests/charts/ztunnel/values.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-# Hub to pull from. Image will be `Hub/Image:Tag-Variant`
-hub: docker.io/istio
-# Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-tag: 1.18.2
-# Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
-variant: ""
-
-# Image name to pull from. Image will be `Hub/Image:Tag-Variant`
-# If Image contains a "/", it will replace the entire `image` in the pod.
-image: ztunnel
-
-# Labels to apply to all top level resources
-labels: {}
-# Annotations to apply to all top level resources
-annotations: {}
-
-# Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
-podAnnotations:
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
-
-# Additional labels to apply on the pod level
-podLabels: {}
-
-# Pod resource configuration
-resources:
- requests:
- cpu: 500m
- memory: 2048Mi
-
-# List of secret names to add to the service account as image pull secrets
-imagePullSecrets: []
-
-# A `key: value` mapping of environment variables to add to the pod
-env: {}
-
-# Override for the pod imagePullPolicy
-imagePullPolicy: ""
-
-# Settings for multicluster
-multiCluster:
- # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
- # with Istiod configuration.
- clusterName: ""
-
-# meshConfig defines runtime configuration of components.
-# For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
-# components.
-# TODO: https://github.com/istio/istio/issues/43248
-meshConfig:
- defaultConfig:
- proxyMetadata: {}
-
-# Ambient redirection mode: "iptables" or "ebpf"
-redirectMode: "iptables"
diff --git a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml b/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml
deleted file mode 100644
index 48303976e..000000000
--- a/istio-1.18.2/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: example-istiocontrolplane
-spec:
- profile: demo
-...
diff --git a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml b/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml
deleted file mode 100644
index c37e85b01..000000000
--- a/istio-1.18.2/manifests/examples/user-gateway/ingress-gateway-only.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- profile: empty
- components:
- ingressGateways:
- - enabled: true
- namespace: my-namespace
diff --git a/istio-1.18.2/manifests/profiles/ambient.yaml b/istio-1.18.2/manifests/profiles/ambient.yaml
deleted file mode 100644
index 9900f3759..000000000
--- a/istio-1.18.2/manifests/profiles/ambient.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- # You may override parts of meshconfig by uncommenting the following lines.
- meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
- # Telemetry API is used with ambient instead of EnvoyFilters
- defaultProviders:
- metrics:
- - prometheus
- extensionProviders:
- - name: prometheus
- prometheus: {}
-
- components:
- cni:
- enabled: true
- ztunnel:
- enabled: true
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
-
- values:
- pilot:
- env:
- # Setup more secure default that is off in 'default' only for backwards compatibility
- VERIFY_CERTIFICATE_AT_CLIENT: "true"
- ENABLE_AUTO_SNI: "true"
-
- PILOT_ENABLE_HBONE: "true"
- CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
- PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
- cni:
- logLevel: info
- privileged: true
- ambient:
- enabled: true
-
- # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
- excludeNamespaces:
- - kube-system
-
- # TODO: https://github.com/istio/istio/issues/43243
- # variant: distroless
- telemetry:
- # Telemetry handled with Telemetry API only
- enabled: false
- v2:
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/default.yaml b/istio-1.18.2/manifests/profiles/default.yaml
deleted file mode 100644
index 6e4439230..000000000
--- a/istio-1.18.2/manifests/profiles/default.yaml
+++ /dev/null
@@ -1,177 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system -spec: - hub: docker.io/istio - tag: 1.18.2 - - # You may override parts of meshconfig by uncommenting the following lines. - meshConfig: - defaultConfig: - proxyMetadata: {} - enablePrometheusMerge: true - # Opt-out of global http2 upgrades. - # Destination rule is used to opt-in. - # h2_upgrade_policy: DO_NOT_UPGRADE - - # Traffic management feature - components: - base: - enabled: true - pilot: - enabled: true - - # Istio Gateway feature - ingressGateways: - - name: istio-ingressgateway - enabled: true - egressGateways: - - name: istio-egressgateway - enabled: false - - # Istio CNI feature - cni: - enabled: false - - # Remote and config cluster configuration for an external istiod - istiodRemote: - enabled: false - - # Global values passed through to helm global.yaml. - # Please keep this in sync with manifests/charts/global.yaml - values: - defaultRevision: "" - global: - istioNamespace: istio-system - istiod: - enableAnalysis: false - logging: - level: "default:info" - logAsJson: false - pilotCertProvider: istiod - jwtPolicy: third-party-jwt - proxy: - image: proxyv2 - clusterDomain: "cluster.local" - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - logLevel: warning - componentLogLevel: "misc:error" - privileged: false - enableCoreDump: false - statusPort: 15020 - readinessInitialDelaySeconds: 1 - readinessPeriodSeconds: 2 - readinessFailureThreshold: 30 - includeIPRanges: "*" - excludeIPRanges: "" - excludeOutboundPorts: "" - excludeInboundPorts: "" - autoInject: enabled - tracer: "zipkin" - proxy_init: - image: proxyv2 - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. 
- imagePullPolicy: "" - operatorManageWebhooks: false - tracer: - lightstep: {} - zipkin: {} - datadog: {} - stackdriver: {} - imagePullSecrets: [] - oneNamespace: false - defaultNodeSelector: {} - configValidation: true - multiCluster: - enabled: false - clusterName: "" - omitSidecarInjectorConfigMap: false - network: "" - defaultResources: - requests: - cpu: 10m - defaultPodDisruptionBudget: - enabled: true - priorityClassName: "" - useMCP: false - sds: - token: - aud: istio-ca - sts: - servicePort: 0 - meshNetworks: {} - mountMtlsCerts: false - base: - enableCRDTemplates: false - validationURL: "" - pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - image: pilot - traceSampling: 1.0 - env: {} - cpu: - targetAverageUtilization: 80 - nodeSelector: {} - keepaliveMaxServerConnectionAge: 30m - enableProtocolSniffingForOutbound: true - enableProtocolSniffingForInbound: true - deploymentLabels: - podLabels: {} - configMap: true - - telemetry: - enabled: true - v2: - enabled: true - metadataExchange: - wasmEnabled: false - prometheus: - wasmEnabled: false - enabled: true - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false - configOverride: {} - - istiodRemote: - injectionURL: "" - - gateways: - istio-egressgateway: - env: {} - autoscaleEnabled: true - type: ClusterIP - name: istio-egressgateway - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - istio-ingressgateway: - autoscaleEnabled: true - type: LoadBalancer - name: istio-ingressgateway - env: {} - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: 
/etc/istio/ingressgateway-ca-certs
diff --git a/istio-1.18.2/manifests/profiles/demo.yaml b/istio-1.18.2/manifests/profiles/demo.yaml
deleted file mode 100644
index 426615539..000000000
--- a/istio-1.18.2/manifests/profiles/demo.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- meshConfig:
- accessLogFile: /dev/stdout
- extensionProviders:
- - name: otel
- envoyOtelAls:
- service: opentelemetry-collector.istio-system.svc.cluster.local
- port: 4317
- - name: skywalking
- skywalking:
- service: tracing.istio-system.svc.cluster.local
- port: 11800
- - name: otel-tracing
- opentelemetry:
- port: 4317
- service: opentelemetry-collector.otel-collector.svc.cluster.local
- components:
- egressGateways:
- - name: istio-egressgateway
- enabled: true
- k8s:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
-
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- k8s:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
- service:
- ports:
- ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
- # Note that AWS ELB will by default perform health checks on the first port
- # on this list. Setting this to the health check port will ensure that health
- # checks always work. https://github.com/istio/istio/issues/12503
- - port: 15021
- targetPort: 15021
- name: status-port
- - port: 80
- targetPort: 8080
- name: http2
- - port: 443
- targetPort: 8443
- name: https
- - port: 31400
- targetPort: 31400
- name: tcp
- # This is the port where sni routing happens
- - port: 15443
- targetPort: 15443
- name: tls
-
- pilot:
- k8s:
- env:
- - name: PILOT_TRACE_SAMPLING
- value: "100"
- resources:
- requests:
- cpu: 10m
- memory: 100Mi
-
- values:
- global:
- proxy:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
-
- pilot:
- autoscaleEnabled: false
-
- gateways:
- istio-egressgateway:
- autoscaleEnabled: false
- istio-ingressgateway:
- autoscaleEnabled: false
diff --git a/istio-1.18.2/manifests/profiles/empty.yaml b/istio-1.18.2/manifests/profiles/empty.yaml
deleted file mode 100644
index 07de5b1e0..000000000
--- a/istio-1.18.2/manifests/profiles/empty.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# The empty profile has everything disabled
-# This is useful as a base for custom user configuration
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: false
- pilot:
- enabled: false
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/external.yaml b/istio-1.18.2/manifests/profiles/external.yaml
deleted file mode 100644
index 6a1c65fb3..000000000
--- a/istio-1.18.2/manifests/profiles/external.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Deprecated. Use the "remote" profile instead.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: false
- pilot:
- enabled: false
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
- istiodRemote:
- enabled: true
- values:
- global:
- externalIstiod: true
- omitSidecarInjectorConfigMap: true
- configCluster: false
- pilot:
- configMap: false
- telemetry:
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/minimal.yaml b/istio-1.18.2/manifests/profiles/minimal.yaml
deleted file mode 100644
index 075881ee0..000000000
--- a/istio-1.18.2/manifests/profiles/minimal.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# The minimal profile will install just the core control plane
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
diff --git a/istio-1.18.2/manifests/profiles/openshift.yaml b/istio-1.18.2/manifests/profiles/openshift.yaml
deleted file mode 100644
index e483e346c..000000000
--- a/istio-1.18.2/manifests/profiles/openshift.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- cni:
- enabled: true
- namespace: kube-system
- values:
- cni:
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- excludeNamespaces:
- - istio-system
- - kube-system
- logLevel: info
- privileged: true
- sidecarInjectorWebhook:
- injectedAnnotations:
- k8s.v1.cni.cncf.io/networks: istio-cni
diff --git a/istio-1.18.2/manifests/profiles/preview.yaml b/istio-1.18.2/manifests/profiles/preview.yaml
deleted file mode 100644
index e0d9b636a..000000000
--- a/istio-1.18.2/manifests/profiles/preview.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# The preview profile contains features that are experimental.
-# This is intended to explore new features coming to Istio.
-# Stability, security, and performance are not guaranteed - use at your own risk.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- meshConfig:
- defaultConfig:
- proxyMetadata:
- # Enable Istio agent to handle DNS requests for known hosts
- # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
- ISTIO_META_DNS_CAPTURE: "true"
- # Enable dynamic bootstrap generation.
- BOOTSTRAP_XDS_AGENT: "true"
- values:
- telemetry:
- v2:
- metadataExchange:
- wasmEnabled: true
- prometheus:
- wasmEnabled: true
diff --git a/istio-1.18.2/manifests/profiles/remote.yaml b/istio-1.18.2/manifests/profiles/remote.yaml
deleted file mode 100644
index 28d024c2f..000000000
--- a/istio-1.18.2/manifests/profiles/remote.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
-# Only the injector mutating webhook configuration is installed.
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: false
- pilot:
- enabled: false
- ingressGateways:
- - name: istio-ingressgateway
- enabled: false
- istiodRemote:
- enabled: true
- values:
- global:
- externalIstiod: true
- omitSidecarInjectorConfigMap: true
- configCluster: false
- pilot:
- configMap: false
- telemetry:
- enabled: false
diff --git a/istio-1.18.2/samples/README.md b/istio-1.18.2/samples/README.md
deleted file mode 100644
index a1a140f8c..000000000
--- a/istio-1.18.2/samples/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Istio Samples
-
-This directory contains sample applications highlighting various Istio features.
diff --git a/istio-1.18.2/samples/addons/README.md b/istio-1.18.2/samples/addons/README.md
deleted file mode 100644
index 71da0a3c4..000000000
--- a/istio-1.18.2/samples/addons/README.md
+++ /dev/null
@@ -1,102 +0,0 @@ -# Telemetry Addons - -This directory contains sample deployments of various addons that integrate with Istio. While these applications -are not a part of Istio, they are essential to making the most of Istio's observability features. - -The deployments here are meant to quickly get up and running, and are optimized for this case. As a result, -they may not be suitable for production. See below for more info on integrating a production grade version of each -addon. - -## Getting started - -To quickly deploy all addons: - -```shell script -kubectl apply -f samples/addons -``` - -Alternatively, you can deploy individual addons: - -```shell script -kubectl apply -f samples/addons/prometheus.yaml -``` - -## Addons - -### Prometheus - -[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database. -You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh. -You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali). - -For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/). - -### Grafana - -[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio. -You can use Grafana to monitor the health of Istio and of applications within the service mesh. - -This sample provides the following dashboards: - -* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh. -* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service. -* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload. -* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh. 
-* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane. -* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state. - -For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/). - -### Kiali - -[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities. -It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh. -Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries. -Distributed tracing is provided by integrating [Jaeger](#jaeger). - -For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task. - -### Jaeger - -[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems. - -Jaeger helps in a variety of tasks including: - -* Distributed context propagation -* Distributed transaction monitoring -* Root cause analysis -* Service dependency analysis -* Performance / latency optimization - -For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/). - -### Zipkin - -[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data. - -Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`. 
-You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it -to begin with by following the selective install steps in [Getting Started](#getting-started). - -For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/). - -### Prometheus Operator - -The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance. - -As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor` -Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`. - -> **Note** -> -> The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default. -> -> **Note** -> -> The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components. -> See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this. -> -> **Warning** -> -> When the example `PodMonitor` is used with OpenShift Monitoring, it must be created in all namespaces where istio-proxies exist. -> This is because `namespaceSelector` is ignored for tenancy isolation. diff --git a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml b/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml deleted file mode 100644 index 73a926efd..000000000 --- a/istio-1.18.2/samples/addons/extras/prometheus-operator.yaml +++ /dev/null 
@@ -1,66 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: envoy-stats-monitor
- namespace: istio-system
- labels:
- monitoring: istio-proxies
- release: istio
-spec:
- selector:
- matchExpressions:
- - {key: istio-prometheus-ignore, operator: DoesNotExist}
- namespaceSelector:
- any: true
- jobLabel: envoy-stats
- podMetricsEndpoints:
- - path: /stats/prometheus
- interval: 15s
- relabelings:
- - action: keep
- sourceLabels: [__meta_kubernetes_pod_container_name]
- regex: "istio-proxy"
- - action: keep
- sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape]
- - action: replace
- regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
- replacement: '[$2]:$1'
- sourceLabels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- targetLabel: __address__
- - action: replace
- regex: (\d+);((([0-9]+?)(\.|$)){4})
- replacement: $2:$1
- sourceLabels:
- - __meta_kubernetes_pod_annotation_prometheus_io_port
- - __meta_kubernetes_pod_ip
- targetLabel: __address__
- - action: labeldrop
- regex: "__meta_kubernetes_pod_label_(.+)"
- - sourceLabels: [__meta_kubernetes_namespace]
- action: replace
- targetLabel: namespace
- - sourceLabels: [__meta_kubernetes_pod_name]
- action: replace
- targetLabel: pod_name
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: istio-component-monitor
- namespace: istio-system
- labels:
- monitoring: istio-components
- release: istio
-spec:
- jobLabel: istio
- targetLabels: [app]
- selector:
- matchExpressions:
- - {key: istio, operator: In, values: [pilot]}
- namespaceSelector:
- any: true
- endpoints:
- - port: http-monitoring
- interval: 15s
diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml
deleted file mode 100644
index cf4039d84..000000000
--- a/istio-1.18.2/samples/addons/extras/prometheus_vm.yaml
+++ /dev/null
@@ -1,530 +0,0 @@ ---- -# Source: prometheus/templates/server/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/server/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -data: - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - - job_name: kubernetes-service-endpoints-slow - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: 
replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - scrape_interval: 5m - scrape_timeout: 30s - - job_name: kubernetes-file-sd-endpoints - kubernetes_sd_configs: - - role: endpoints - file_sd_configs: - - files: - - /etc/file_sd/*.json - relabel_configs: - - action: keep - regex: (.+) - source_labels: - - __meta_filepath - - replacement: /stats/prometheus - target_label: __metrics_path__ - - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/server/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get - - apiGroups: - - "networking.istio.io" - verbs: - - get - - watch - - list - resources: - - workloadentries - - apiGroups: - - "" - verbs: - - get - - watch - - list - - 
create - - update - - patch - - delete - resources: - - configmaps ---- -# Source: prometheus/templates/server/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/server/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - component: "server" - app: prometheus - release: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/server/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - component: "server" - app: prometheus - release: prometheus - replicas: 1 - template: - metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "jimmidyson/configmap-reload:v0.5.0" - imagePullPolicy: "IfNotPresent" - args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9090/-/reload - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: file-sd-volume - mountPath: /etc/file_sd - readOnly: true - - - name: prometheus-server - image: 
"prom/prometheus:v2.24.0" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - - name: file-sd-volume - mountPath: /etc/file_sd - - name: vm-discovery - image: "istioecosystem/vm-discovery:latest" - imagePullPolicy: "IfNotPresent" - hostNetwork: false - dnsPolicy: ClusterFirst - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: file-sd-volume - configMap: - name: file-sd-config - optional: true - - name: storage-volume - emptyDir: - {} \ No newline at end of file diff --git a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml b/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml deleted file mode 100644 index 3d571b986..000000000 --- a/istio-1.18.2/samples/addons/extras/prometheus_vm_tls.yaml +++ /dev/null 
@@ -1,548 +0,0 @@ ---- -# Source: prometheus/templates/server/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/server/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -data: - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - - job_name: kubernetes-service-endpoints-slow - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: kubernetes_node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: kubernetes_name - - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: 
replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_pod_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: kubernetes_namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: kubernetes_pod_name - - action: drop - regex: Pending|Succeeded|Failed - source_labels: - - __meta_kubernetes_pod_phase - scrape_interval: 5m - scrape_timeout: 30s - - job_name: kubernetes-file-sd-endpoints - kubernetes_sd_configs: - - role: endpoints - file_sd_configs: - - files: - - /etc/file_sd/*.json - scheme: https - tls_config: - ca_file: /etc/prom-certs/root-cert.pem - cert_file: /etc/prom-certs/cert-chain.pem - key_file: /etc/prom-certs/key.pem - insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod ceritifcate - relabel_configs: - - action: keep - regex: (.+) - source_labels: - - __meta_filepath - - replacement: /stats/prometheus - target_label: __metrics_path__ - - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/server/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - 
ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get - - apiGroups: - - "networking.istio.io" - verbs: - - get - - watch - - list - resources: - - workloadentries - - apiGroups: - - "" - verbs: - - get - - watch - - list - - create - - update - - patch - - delete - resources: - - configmaps ---- -# Source: prometheus/templates/server/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/server/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - component: "server" - app: prometheus - release: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/server/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - component: "server" - app: prometheus - release: prometheus - replicas: 1 - template: - metadata: - annotations: - traffic.sidecar.istio.io/includeInboundPorts: "" # do not intercept any inbound ports - traffic.sidecar.istio.io/includeOutboundIPRanges: "" # do not intercept any outbound traffic - proxy.istio.io/config: | # configure an env variable `OUTPUT_CERTS` to write certificates to the given folder - proxyMetadata: - 
OUTPUT_CERTS: /etc/istio-output-certs - sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' # mount the shared volume at sidecar proxy - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-13.6.0 - heritage: Helm - sidecar.istio.io/inject: "true" - spec: - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "jimmidyson/configmap-reload:v0.5.0" - imagePullPolicy: "IfNotPresent" - args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9090/-/reload - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: file-sd-volume - mountPath: /etc/file_sd - readOnly: true - - - name: prometheus-server - image: "prom/prometheus:v2.24.0" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - - name: file-sd-volume - mountPath: /etc/file_sd - - name: istio-certs - mountPath: /etc/prom-certs/ - - name: vm-discovery - image: "istioecosystem/vm-discovery:latest" - imagePullPolicy: "IfNotPresent" - hostNetwork: false - dnsPolicy: ClusterFirst - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - 
terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: file-sd-volume - configMap: - name: file-sd-config - optional: true - - name: istio-certs - emptyDir: - medium: Memory - - name: storage-volume - emptyDir: - {} \ No newline at end of file diff --git a/istio-1.18.2/samples/addons/extras/skywalking.yaml b/istio-1.18.2/samples/addons/extras/skywalking.yaml deleted file mode 100644 index 0633b74d0..000000000 --- a/istio-1.18.2/samples/addons/extras/skywalking.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: skywalking-oap - namespace: istio-system - labels: - app: skywalking-oap -spec: - selector: - matchLabels: - app: skywalking-oap - template: - metadata: - labels: - app: skywalking-oap - sidecar.istio.io/inject: "false" - spec: - containers: - - name: skywalking-oap - image: apache/skywalking-oap-server:9.1.0 - env: - - name: SW_HEALTH_CHECKER - value: default - readinessProbe: - exec: - command: - - /skywalking/bin/swctl - - health - initialDelaySeconds: 30 - periodSeconds: 5 - ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: skywalking-oap -spec: - type: ClusterIP - ports: - - name: grpc - port: 11800 - protocol: TCP - targetPort: 11800 - - name: http-query - port: 12800 - protocol: TCP - targetPort: 12800 - selector: - app: skywalking-oap ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: skywalking-oap - name: skywalking-oap - namespace: istio-system -spec: - ports: - - port: 11800 - targetPort: 11800 - name: grpc - - port: 12800 - targetPort: 12800 - name: http-query - selector: - app: skywalking-oap ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: skywalking-ui - namespace: istio-system - labels: - app: skywalking-ui -spec: - selector: - matchLabels: - app: skywalking-ui - template: - metadata: - labels: - app: skywalking-ui - annotations: - sidecar.istio.io/inject: "false" - spec: - containers: - - name: skywalking-ui - image: apache/skywalking-ui:9.1.0 - env: - - name: SW_OAP_ADDRESS - value: http://skywalking-oap:12800 - readinessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 30 - periodSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing-ui - namespace: istio-system - labels: - app: skywalking-ui -spec: - type: ClusterIP - ports: - - name: http - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: skywalking-ui ---- -apiVersion: v1 -kind: Service 
-metadata: - labels: - name: skywalking-ui - name: skywalking-ui - namespace: istio-system -spec: - ports: - - port: 8080 - targetPort: 8080 - name: http - selector: - app: skywalking-ui diff --git a/istio-1.18.2/samples/addons/extras/zipkin.yaml b/istio-1.18.2/samples/addons/extras/zipkin.yaml deleted file mode 100644 index b9bced3d9..000000000 --- a/istio-1.18.2/samples/addons/extras/zipkin.yaml +++ /dev/null @@ -1,61 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: zipkin - namespace: istio-system - labels: - app: zipkin -spec: - selector: - matchLabels: - app: zipkin - template: - metadata: - labels: - app: zipkin - sidecar.istio.io/inject: "false" - spec: - containers: - - name: zipkin - image: openzipkin/zipkin-slim:2.23.14 - env: - - name: STORAGE_METHOD - value: "mem" - readinessProbe: - httpGet: - path: /health - port: 9411 - initialDelaySeconds: 5 - periodSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: zipkin -spec: - type: ClusterIP - ports: - - name: http-query - port: 80 - protocol: TCP - targetPort: 9411 - selector: - app: zipkin ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: zipkin - name: zipkin - namespace: istio-system -spec: - ports: - - port: 9411 - targetPort: 9411 - name: http-query - selector: - app: zipkin diff --git a/istio-1.18.2/samples/addons/grafana.yaml b/istio-1.18.2/samples/addons/grafana.yaml deleted file mode 100644 index 0cebcf49a..000000000 --- a/istio-1.18.2/samples/addons/grafana.yaml +++ /dev/null 
@@ -1,1129 +0,0 @@ ---- -# Source: grafana/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm - name: grafana - namespace: istio-system ---- -# Source: grafana/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm -data: - allow-snippet-annotations: "false" - grafana.ini: | - [analytics] - check_for_updates = true - [grafana_net] - url = https://grafana.net - [log] - mode = console - [paths] - data = /var/lib/grafana/ - logs = /var/log/grafana - plugins = /var/lib/grafana/plugins - provisioning = /etc/grafana/provisioning - - datasources.yaml: | - apiVersion: 1 - datasources: - - access: proxy - editable: true - isDefault: true - jsonData: - timeInterval: 5s - name: Prometheus - orgId: 1 - type: prometheus - url: http://prometheus:9090 - - access: proxy - editable: true - isDefault: false - jsonData: - timeInterval: 5s - name: Loki - orgId: 1 - type: loki - url: http://loki:3100 - dashboardproviders.yaml: | - apiVersion: 1 - providers: - - disableDeletion: false - folder: istio - name: istio - options: - path: /var/lib/grafana/dashboards/istio - orgId: 1 - type: file - - disableDeletion: false - folder: istio - name: istio-services - options: - path: /var/lib/grafana/dashboards/istio-services - orgId: 1 - type: file ---- -# Source: grafana/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - 
app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: service - port: 3000 - protocol: TCP - targetPort: 3000 - - selector: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana ---- -# Source: grafana/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grafana - namespace: istio-system - labels: - helm.sh/chart: grafana-6.31.1 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app.kubernetes.io/version: "9.0.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - strategy: - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: grafana - app: grafana - sidecar.istio.io/inject: "false" - annotations: - checksum/config: 21013edd24d239f48f0228579d13d44411baf698367879ae68290467749f6dcf - checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - spec: - - serviceAccountName: grafana - automountServiceAccountToken: true - securityContext: - fsGroup: 472 - runAsGroup: 472 - runAsUser: 472 - enableServiceLinks: true - containers: - - name: grafana - image: "grafana/grafana:9.0.1" - imagePullPolicy: IfNotPresent - volumeMounts: - - name: config - mountPath: "/etc/grafana/grafana.ini" - subPath: grafana.ini - - name: storage - mountPath: "/var/lib/grafana" - - name: dashboards-istio - mountPath: "/var/lib/grafana/dashboards/istio" - - name: dashboards-istio-services - mountPath: "/var/lib/grafana/dashboards/istio-services" - - name: config - mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" - subPath: "datasources.yaml" - - name: config - mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" - subPath: 
"dashboardproviders.yaml" - ports: - - name: service - containerPort: 3000 - protocol: TCP - - name: grafana - containerPort: 3000 - protocol: TCP - env: - - name: GF_PATHS_DATA - value: /var/lib/grafana/ - - name: GF_PATHS_LOGS - value: /var/log/grafana - - name: GF_PATHS_PLUGINS - value: /var/lib/grafana/plugins - - name: GF_PATHS_PROVISIONING - value: /etc/grafana/provisioning - - name: "GF_AUTH_ANONYMOUS_ENABLED" - value: "true" - - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" - value: "Admin" - - name: "GF_AUTH_BASIC_ENABLED" - value: "false" - - name: "GF_SECURITY_ADMIN_PASSWORD" - value: "-" - - name: "GF_SECURITY_ADMIN_USER" - value: "-" - livenessProbe: - failureThreshold: 10 - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 60 - timeoutSeconds: 30 - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - {} - volumes: - - name: config - configMap: - name: grafana - - - name: dashboards-istio - configMap: - name: istio-grafana-dashboards - - name: dashboards-istio-services - configMap: - name: istio-services-grafana-dashboards - - name: storage - emptyDir: {} - ---- - -apiVersion: v1 -data: - istio-performance-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":true,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[{"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. 
Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"mode":"markdown","timeFrom":null,"timeShift":null,"title":"Performance Dashboard README","transparent":true,"type":"text"}],"title":"Performance Dashboard Notes","type":"row"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":6,"panels":[],"title":"vCPU Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":2},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU / 1k 
rps","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":2},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"panels":[],"title":"Memory and Data 
Rates","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":11},"id":902,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory 
Usage","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":11},"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Bytes transferred / sec","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":19},"id":17,"panels":[],"title":"Istio Component 
Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":24,"x":0,"y":20},"id":15,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":32},"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":32},"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":32},"id":702,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":39},"id":69,"panels":[],"title":"Istiod Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":40},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":40},"id":602,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":40},"id":74,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":40},"id":402,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of 
Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"10s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","uid":"vu8e0VWZk","version":22} - pilot-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":1,"links":[],"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":60,"panels":[],"title":"Deployed Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":56,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build{component=\"pilot\"}) by 
(tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Versions","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":6},"id":62,"panels":[],"title":"Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":7},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap 
in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (container)","refId":"B","step":2},{"expr":"container_memory_working_set_bytes{container=~\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar (container)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":7},"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Discovery (container)","refId":"A"},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (process)","refId":"C","step":2},{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Sidecar (container)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"CPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":7},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"container_fs_usage_bytes{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"Discovery","refId":"B","step":2},{"expr":"container_fs_usage_bytes{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":7},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":14},"id":58,"panels":[],"title":"Pilot Push Information","type":"row"},{"aliasColors":{},"bars":true,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the rate of pilot 
pushes","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":15},"id":622,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":false,"linewidth":1,"links":[],"nullPointMode":"null as zero","paceLength":10,"percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":true,"steppedLine":false,"targets":[{"expr":"sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Cluster","refId":"C"},{"expr":"sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Endpoints","refId":"D"},{"expr":"sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Listeners","refId":"A"},{"expr":"sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Routes","refId":"E"},{"expr":"sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))","interval":"","legendFormat":"Secrets","refId":"B"},{"expr":"sum(irate(pilot_xds_pushes{type=\"nds\"}[1m]))","interval":"","legendFormat":"Nametables","refId":"F"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Pushes","tooltip":{"shared":false,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":["total"]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":"0","show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Captures a variety of pilot 
errors","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":15},"id":67,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(pilot_xds_cds_reject{app=\"istiod\"}) or (absent(pilot_xds_cds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected CDS Configs","refId":"C"},{"expr":"sum(pilot_xds_eds_reject{app=\"istiod\"}) or (absent(pilot_xds_eds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected EDS Configs","refId":"D"},{"expr":"sum(pilot_xds_rds_reject{app=\"istiod\"}) or (absent(pilot_xds_rds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected RDS Configs","refId":"A"},{"expr":"sum(pilot_xds_lds_reject{app=\"istiod\"}) or (absent(pilot_xds_lds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected LDS Configs","refId":"B"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Write Timeouts","refId":"F"},{"expr":"sum(rate(pilot_total_xds_internal_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Internal Errors","refId":"H"},{"expr":"sum(rate(pilot_total_xds_rejects{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Config Rejection Rate","refId":"E"},{"expr":"sum(rate(pilot_xds_push_context_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Push Context 
Errors","refId":"K"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Push Timeouts","refId":"G"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Errors","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the total time it takes to push a config update to a proxy","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":15},"id":624,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p50 ","refId":"A"},{"expr":"histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p90","refId":"B"},{"expr":"histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99","refId":"C"},{"expr":"histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99.9","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Proxy Push 
Time","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"s","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":23},"id":45,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null as zero","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"pilot_conflict_inbound_listener{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Inbound Listeners","refId":"B"},{"expr":"pilot_conflict_outbound_listener_http_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (http over current tcp)","refId":"A"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current tcp)","refId":"C"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_http{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current 
http)","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Conflicts","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":23},"id":47,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(pilot_virt_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Virtual Services","refId":"A"},{"expr":"avg(pilot_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Services","refId":"B"},{"expr":"sum(pilot_xds{app=\"istiod\"}) by (pod)","format":"time_series","intervalFactor":1,"legendFormat":"Connected Endpoints {{pod}}","refId":"E"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"ADS Monitoring","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":64,"panels":[],"title":"Envoy 
Information","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows details about Envoy proxies in the mesh","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":32},"id":40,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connections","refId":"C"},{"expr":"sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connection Failures","refId":"A"},{"expr":"sum(increase(envoy_server_hot_restart_epoch[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Envoy Restarts","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Envoy 
Details","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":32},"id":41,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","format":"time_series","intervalFactor":2,"legendFormat":"XDS Active Connections","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Active Connections","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the size of XDS requests and 
responses","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":32},"id":42,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Max","refId":"D"},{"expr":"quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Average","refId":"B"},{"expr":"max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Max","refId":"A"},{"expr":"quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Average","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Requests 
Size","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":null,"gridPos":{"h":1,"w":24,"x":0,"y":40},"id":626,"panels":[],"title":"Webhooks","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":41},"hiddenSeries":false,"id":629,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(galley_validation_passed[1m]))","interval":"","legendFormat":"Validations (Success)","refId":"A"},{"expr":"sum(rate(galley_validation_failed[1m]))","interval":"","legendFormat":"Validation (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Configuration 
Validation","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"description":"","fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":41},"hiddenSeries":false,"id":630,"legend":{"avg":false,"current":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(sidecar_injection_success_total[1m]))","interval":"","legendFormat":"Injections (Success)","refId":"A"},{"expr":"sum(rate(sidecar_injection_failure_total[1m]))","interval":"","legendFormat":"Injections (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Sidecar 
Injection","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Control Plane Dashboard","uid":"3--MLVZZk","version":11} -kind: ConfigMap -metadata: - creationTimestamp: null - name: istio-grafana-dashboards - namespace: istio-system - ---- - -apiVersion: v1 -data: - istio-extension-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"title":"Wasm 
VMs","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"","fieldConfig":{"defaults":{"custom":{"align":null},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":1},"hiddenSeries":false,"id":2,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Active","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:123","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:124","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":1},"hiddenSeries":false,"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flo
t","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Created","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:68","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:69","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"title":"Wasm Module Remote Load","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":0,"y":10},"hiddenSeries":false,"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legendFormat":"entries","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Entry","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:178","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:179","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":8,"y":10},"hiddenSeries":false,"id":8,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Visit","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:233","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:234","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":16,"y":10},"hiddenSeries":false,"id":10,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Remote Fetch","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:288","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:289","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"title":"Proxy Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":19},"hiddenSeries":false,"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:396","format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:397","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":19},"hiddenSeries":false,"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}
[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:447","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:448","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":false,"schemaVersion":26,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["10s","30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","uid":"7PAV7ctGz","version":17} - istio-mesh-dashboard.json: | - {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[{"content":"
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to secure,\n connect, and \n monitor microservices.\n
\n Need help? Join the Istio community.\n
\n
","gridPos":{"h":3,"w":24,"x":0,"y":0},"height":"50px","id":13,"links":[],"mode":"html","style":{"font-size":"18pt"},"title":"","transparent":true,"type":"text"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":3},"id":20,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"round(sum(irate(istio_requests_total{reporter=\"source\"}[1m])), 0.001)","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"Global Request Volume","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 
0.97)"],"datasource":"Prometheus","format":"percentunit","gauge":{"maxValue":100,"minValue":80,"show":false,"thresholdLabels":false,"thresholdMarkers":false},"gridPos":{"h":3,"w":6,"x":6,"y":3},"id":21,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"95, 99, 99.5","title":"Global Success Rate (non-5xx responses)","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":3},"id":22,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"4.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"4xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":3},"id":23,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", 
response_code=~\"5.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"5xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":113,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Virtual Services","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":114,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Destination Rules","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":115,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Gateways","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":116,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Workload 
Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":117,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Service Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":90,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"PeerAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":91,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"RequestAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":92,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 
0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Authorization Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":21,"w":24,"x":0,"y":9},"hideTimeOverride":false,"id":73,"links":[],"pageSize":null,"repeat":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"Workload dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Requests","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[],"type":"number","unit":"ops"},{"alias":"P50 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"s"},{"alias":"P90 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #C","thresholds":[],"type":"number","unit":"s"},{"alias":"P99 
Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #D","thresholds":[],"type":"number","unit":"s"},{"alias":"Success Rate","colorMode":"cell","colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #E","thresholds":[".95"," 1.00"],"type":"number","unit":"percentunit"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}","pattern":"destination_workload_var","thresholds":[],"type":"number","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_requests_total{reporter=\"source\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"A"},{"expr":"label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"B"},{"expr":"label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"C"},{"expr":"label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"D"},{"expr":"label_join((sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) by 
(destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"interval":"","intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"E"}],"timeFrom":null,"title":"HTTP/GRPC Workloads","transform":"table","type":"table"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":18,"w":24,"x":0,"y":30},"hideTimeOverride":false,"id":109,"links":[],"pageSize":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"Bytes Sent","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[""],"type":"number","unit":"Bps"},{"alias":"Bytes Received","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"Bps"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD 
HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload_var","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"number","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"A"},{"expr":"label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"B"}],"timeFrom":null,"title":"TCP 
Workloads","transform":"table","type":"table"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":9,"w":24,"x":0,"y":48},"id":111,"legend":{"alignAsTable":false,"avg":false,"current":false,"max":false,"min":false,"rightSide":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Mesh Dashboard","uid":"G8wLrJIZk","version":5} - istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- - Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations - & 
Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1595591291797,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[{\"content\":\"
\\nSERVICE: $service\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, - 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Client - Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, - 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, - 99, 99.5\",\"title\":\"Client Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.99, 
sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Client - Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Received Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, - 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Server - Request 
Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, - 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, - 99, 99.5\",\"title\":\"Server Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"hiddenSeries\":false,\"id\":99,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) - by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Server - Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Sent Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":104,\"panels\":[{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":2},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":5},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, - response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Requests By Source And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":5},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - 
connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":11},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack
\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", 
connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":11},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by 
(source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":11},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, 
source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - 
source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", - 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Client - Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":102,\"panels\":[{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":3},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":6},\"hiddenSeries\":false,\"id\":90,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} : {{ response_code - }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, - destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} : {{ response_code - }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Requests By 
Destination Workload And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":6},\"hiddenSeries\":false,\"id\":91,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) - by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Success Rate (non-5xx responses) By Destination 
Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":12},\"hiddenSeries\":false,\"id\":94,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ 
destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", 
destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, - sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Duration By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":12},\"hiddenSeries\":false,\"id\":95,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"st
eppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by 
(destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", 
connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":12},\"hiddenSeries\":false,\"id\":96,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, 
destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":18},\"hiddenSeries\":false,\"id\":92,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", - destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) - by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":18},\"hiddenSeries\":false,\"id\":93,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", - 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, - destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", - destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, - destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Service - 
Workloads\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{}) - by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}) by 
(source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\"}) by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client - Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) - by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) - by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", - destination_service=\\\"$service\\\"}) by (destination_cluster) or 
sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", - destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", - destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or - sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) - by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service - Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( - sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", - destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"}) - by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", - destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\", - destination_workload_namespace=~\\\"$dstns\\\"}) by 
(destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio - Service Dashboard\",\"uid\":\"LJ_uJAvmk\",\"version\":1}\n" - istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- - Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations - & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1531345461465,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, - 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), - 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Incoming - Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, - 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, - 99, 99.5\",\"title\":\"Incoming Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by 
(le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or - histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Request - Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) - + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Server Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, - 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value - to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, - 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) - + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP - Client Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":93,\"panels\":[{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} : {{ response_code 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, 
source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) - / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) - by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Success Rate (non-5xx responses) By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming - Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", - destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", - destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", - source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, - le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} - P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", - connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", - destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, 
source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", - source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) - by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Inbound - Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":91,\"panels\":[{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":14},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":70,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null - as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, - response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", - source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, - response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Requests By Destination And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":71,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", 
source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) - by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Success Rate (non-5xx responses) By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":23},\"hiddenSeries\":false,\"id\":72,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, - 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.95, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - 
destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, - sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", - source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Request Duration By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":23},\"hiddenSeries\":false,\"id\":73,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - 
destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing - Request Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":23},\"hiddenSeries\":false,\"id\":74,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} 
P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, - sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response - Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":29},\"hiddenSeries\":false,\"id\":76,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", - reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", - reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", - destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Sent on Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":29},\"hiddenSeries\":false,\"id\":78,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", - source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) - by (destination_service), 
0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ - destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes - Received from Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Outbound - Services\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) - by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) - by 
(destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) - by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound - Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) - by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound - 
Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", - destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", - source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination - Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) - by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", - source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) - by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio - Workload Dashboard\",\"uid\":\"UbsSZTDik\",\"version\":1}\n" -kind: ConfigMap -metadata: - creationTimestamp: null - name: istio-services-grafana-dashboards - namespace: istio-system 
diff --git a/istio-1.18.2/samples/addons/jaeger.yaml b/istio-1.18.2/samples/addons/jaeger.yaml
deleted file mode 100644
index 41896ee19..000000000
--- a/istio-1.18.2/samples/addons/jaeger.yaml
+++ /dev/null
@@ -1,117 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jaeger - namespace: istio-system - labels: - app: jaeger -spec: - selector: - matchLabels: - app: jaeger - template: - metadata: - labels: - app: jaeger - sidecar.istio.io/inject: "false" - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "14269" - spec: - containers: - - name: jaeger - image: "docker.io/jaegertracing/all-in-one:1.35" - env: - - name: BADGER_EPHEMERAL - value: "false" - - name: SPAN_STORAGE_TYPE - value: "badger" - - name: BADGER_DIRECTORY_VALUE - value: "/badger/data" - - name: BADGER_DIRECTORY_KEY - value: "/badger/key" - - name: COLLECTOR_ZIPKIN_HOST_PORT - value: ":9411" - - name: MEMORY_MAX_TRACES - value: "50000" - - name: QUERY_BASE_PATH - value: /jaeger - livenessProbe: - httpGet: - path: / - port: 14269 - readinessProbe: - httpGet: - path: / - port: 14269 - volumeMounts: - - name: data - mountPath: /badger - resources: - requests: - cpu: 10m - volumes: - - name: data - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - labels: - app: jaeger -spec: - type: ClusterIP - ports: - - name: http-query - port: 80 - protocol: TCP - targetPort: 16686 - # Note: Change port name if you add '--query.grpc.tls.enabled=true' - - name: grpc-query - port: 16685 - protocol: TCP - targetPort: 16685 - selector: - app: jaeger ---- -# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. 
-apiVersion: v1 -kind: Service -metadata: - labels: - name: zipkin - name: zipkin - namespace: istio-system -spec: - ports: - - port: 9411 - targetPort: 9411 - name: http-query - selector: - app: jaeger ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger-collector - namespace: istio-system - labels: - app: jaeger -spec: - type: ClusterIP - ports: - - name: jaeger-collector-http - port: 14268 - targetPort: 14268 - protocol: TCP - - name: jaeger-collector-grpc - port: 14250 - targetPort: 14250 - protocol: TCP - - port: 9411 - targetPort: 9411 - name: http-zipkin - selector: - app: jaeger diff --git a/istio-1.18.2/samples/addons/kiali.yaml b/istio-1.18.2/samples/addons/kiali.yaml deleted file mode 100644 index 41ab9672d..000000000 --- a/istio-1.18.2/samples/addons/kiali.yaml +++ /dev/null 
@@ -1,551 +0,0 @@ ---- -# Source: kiali-server/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -... ---- -# Source: kiali-server/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -data: - config.yaml: | - auth: - openid: {} - openshift: - client_id_prefix: kiali - strategy: anonymous - deployment: - accessible_namespaces: - - '**' - additional_service_yaml: {} - affinity: - node: {} - pod: {} - pod_anti: {} - configmap_annotations: {} - custom_secrets: [] - host_aliases: [] - hpa: - api_version: autoscaling/v2beta2 - spec: {} - image_digest: "" - image_name: quay.io/kiali/kiali - image_pull_policy: Always - image_pull_secrets: [] - image_version: v1.67 - ingress: - additional_labels: {} - class_name: nginx - override_yaml: - metadata: {} - ingress_enabled: false - instance_name: kiali - logger: - log_format: text - log_level: info - sampler_rate: "1" - time_field_format: 2006-01-02T15:04:05Z07:00 - namespace: istio-system - node_selector: {} - pod_annotations: {} - pod_labels: - sidecar.istio.io/inject: "false" - priority_class_name: "" - replicas: 1 - resources: - limits: - memory: 1Gi - requests: - cpu: 10m - memory: 64Mi - secret_name: kiali - security_context: {} - service_annotations: {} - service_type: "" - tolerations: [] - version_label: v1.67.0 - view_only_mode: false - external_services: - custom_dashboards: - 
enabled: true - istio: - root_namespace: istio-system - identity: - cert_file: "" - private_key_file: "" - istio_namespace: istio-system - kiali_feature_flags: - certificates_information_indicators: - enabled: true - secrets: - - cacerts - - istio-ca-secret - clustering: - autodetect_secrets: - enabled: true - label: kiali.io/multiCluster=true - clusters: [] - disabled_features: [] - validations: - ignore: - - KIA1201 - login_token: - signing_key: CHANGEME00000000 - server: - metrics_enabled: true - metrics_port: 9090 - port: 20001 - web_root: /kiali -... ---- -# Source: kiali-server/templates/role-viewer.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali-viewer - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resources: - - configmaps - - endpoints - - pods/log - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - namespaces - - pods - - replicationcontrollers - - services - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - pods/portforward - verbs: - - create - - post -- apiGroups: ["extensions", "apps"] - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch -- apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch -- apiGroups: - - networking.istio.io - - security.istio.io - - extensions.istio.io - - telemetry.istio.io - - gateway.networking.k8s.io - resources: ["*"] - verbs: - - get - - list - - watch -- apiGroups: ["apps.openshift.io"] - resources: - - deploymentconfigs - verbs: - - get - - list - - watch -- apiGroups: ["project.openshift.io"] - resources: - - projects - verbs: - - get -- apiGroups: ["route.openshift.io"] - resources: - - routes - 
verbs: - - get -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: - - create -... ---- -# Source: kiali-server/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resources: - - configmaps - - endpoints - - pods/log - verbs: - - get - - list - - watch -- apiGroups: [""] - resources: - - namespaces - - pods - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - patch -- apiGroups: [""] - resources: - - pods/portforward - verbs: - - create - - post -- apiGroups: ["extensions", "apps"] - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - patch -- apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - patch -- apiGroups: - - networking.istio.io - - security.istio.io - - extensions.istio.io - - telemetry.istio.io - - gateway.networking.k8s.io - resources: ["*"] - verbs: - - get - - list - - watch - - create - - delete - - patch -- apiGroups: ["apps.openshift.io"] - resources: - - deploymentconfigs - verbs: - - get - - list - - watch - - patch -- apiGroups: ["project.openshift.io"] - resources: - - projects - verbs: - - get -- apiGroups: ["route.openshift.io"] - resources: - - routes - verbs: - - get -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: - - create -... 
---- -# Source: kiali-server/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kiali -subjects: -- kind: ServiceAccount - name: kiali - namespace: istio-system -... ---- -# Source: kiali-server/templates/role-controlplane.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kiali-controlplane - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -rules: -- apiGroups: [""] - resourceNames: - - cacerts - - istio-ca-secret - resources: - - secrets - verbs: - - get - - list - - watch -... ---- -# Source: kiali-server/templates/rolebinding-controlplane.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kiali-controlplane - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kiali-controlplane -subjects: -- kind: ServiceAccount - name: kiali - namespace: istio-system -... 
---- -# Source: kiali-server/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" - annotations: -spec: - ports: - - name: http - appProtocol: http - protocol: TCP - port: 20001 - - name: http-metrics - appProtocol: http - protocol: TCP - port: 9090 - selector: - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali -... ---- -# Source: kiali-server/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kiali - namespace: istio-system - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - name: kiali - labels: - helm.sh/chart: kiali-server-1.67.0 - app: kiali - app.kubernetes.io/name: kiali - app.kubernetes.io/instance: kiali - version: "v1.67.0" - app.kubernetes.io/version: "v1.67.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: "kiali" - sidecar.istio.io/inject: "false" - annotations: - checksum/config: 88419f205248a3fdba75ba592ce095a39000318ed6056baaa08ea19d716e94c1 - prometheus.io/scrape: "true" - prometheus.io/port: "9090" - kiali.io/dashboards: go,kiali - spec: - serviceAccountName: kiali - containers: - - image: "quay.io/kiali/kiali:v1.67" - imagePullPolicy: Always - name: kiali - command: - - "/opt/kiali/kiali" - - "-config" - - "/kiali-configuration/config.yaml" 
- securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - ports: - - name: api-port - containerPort: 20001 - - name: http-metrics - containerPort: 9090 - readinessProbe: - httpGet: - path: /kiali/healthz - port: api-port - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 30 - livenessProbe: - httpGet: - path: /kiali/healthz - port: api-port - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 30 - env: - - name: ACTIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LOG_LEVEL - value: "info" - - name: LOG_FORMAT - value: "text" - - name: LOG_TIME_FIELD_FORMAT - value: "2006-01-02T15:04:05Z07:00" - - name: LOG_SAMPLER_RATE - value: "1" - volumeMounts: - - name: kiali-configuration - mountPath: "/kiali-configuration" - - name: kiali-cert - mountPath: "/kiali-cert" - - name: kiali-secret - mountPath: "/kiali-secret" - - name: kiali-cabundle - mountPath: "/kiali-cabundle" - resources: - limits: - memory: 1Gi - requests: - cpu: 10m - memory: 64Mi - volumes: - - name: kiali-configuration - configMap: - name: kiali - - name: kiali-cert - secret: - secretName: istio.kiali-service-account - optional: true - - name: kiali-secret - secret: - secretName: kiali - optional: true - - name: kiali-cabundle - configMap: - name: kiali-cabundle - optional: true -... diff --git a/istio-1.18.2/samples/addons/loki.yaml b/istio-1.18.2/samples/addons/loki.yaml deleted file mode 100644 index edabc36a0..000000000 --- a/istio-1.18.2/samples/addons/loki.yaml +++ /dev/null 
@@ -1,283 +0,0 @@ ---- -# Source: loki/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true ---- -# Source: loki/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -data: - config.yaml: | - auth_enabled: false - common: - compactor_address: 'loki' - path_prefix: /var/loki - replication_factor: 1 - storage: - filesystem: - chunks_directory: /var/loki/chunks - rules_directory: /var/loki/rules - limits_config: - enforce_metric_name: false - max_cache_freshness_per_query: 10m - reject_old_samples: true - reject_old_samples_max_age: 168h - split_queries_by_interval: 15m - memberlist: - join_members: - - loki-memberlist - query_range: - align_queries_with_step: true - ruler: - storage: - type: local - runtime_config: - file: /etc/loki/runtime-config/runtime-config.yaml - schema_config: - configs: - - from: "2022-01-11" - index: - period: 24h - prefix: loki_index_ - object_store: filesystem - schema: v12 - store: boltdb-shipper - server: - grpc_listen_port: 9095 - http_listen_port: 3100 - storage_config: - hedging: - at: 250ms - max_per_second: 20 - up_to: 3 - table_manager: - retention_deletes_enabled: false - retention_period: 0 ---- -# Source: loki/templates/runtime-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: loki-runtime - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -data: - runtime-config.yaml: | - - {} ---- -# Source: loki/templates/service-memberlist.yaml 
-apiVersion: v1 -kind: Service -metadata: - name: loki-memberlist - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp - port: 7946 - targetPort: http-memberlist - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/part-of: memberlist ---- -# Source: loki/templates/single-binary/service-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki-headless - namespace: istio-system - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm - variant: headless - prometheus.io/service-monitor: "false" -spec: - clusterIP: None - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki ---- -# Source: loki/templates/single-binary/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - name: http-metrics - port: 3100 - targetPort: http-metrics - protocol: TCP - - name: grpc - port: 9095 - targetPort: grpc - protocol: TCP - selector: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary ---- -# Source: loki/templates/single-binary/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: loki - labels: - helm.sh/chart: loki-4.8.0 - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/version: "2.7.3" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: 
single-binary - app.kubernetes.io/part-of: memberlist -spec: - replicas: 1 - podManagementPolicy: Parallel - updateStrategy: - rollingUpdate: - partition: 0 - serviceName: loki-headless - revisionHistoryLimit: 10 - - persistentVolumeClaimRetentionPolicy: - whenDeleted: Delete - whenScaled: Delete - selector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - template: - metadata: - annotations: - checksum/config: a9239b6352e34bbfc748669ed46cb24211fc3491ee7f2c6381af805f8f08fe29 - labels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - app.kubernetes.io/part-of: memberlist - spec: - serviceAccountName: loki - automountServiceAccountToken: true - enableServiceLinks: true - - securityContext: - fsGroup: 10001 - runAsGroup: 10001 - runAsNonRoot: true - runAsUser: 10001 - terminationGracePeriodSeconds: 30 - containers: - - name: loki - image: docker.io/grafana/loki:2.7.3 - imagePullPolicy: IfNotPresent - args: - - -config.file=/etc/loki/config/config.yaml - - -target=all - ports: - - name: http-metrics - containerPort: 3100 - protocol: TCP - - name: grpc - containerPort: 9095 - protocol: TCP - - name: http-memberlist - containerPort: 7946 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - readinessProbe: - httpGet: - path: /ready - port: http-metrics - initialDelaySeconds: 30 - timeoutSeconds: 1 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: config - mountPath: /etc/loki/config - - name: runtime-config - mountPath: /etc/loki/runtime-config - - name: storage - mountPath: /var/loki - resources: - {} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: loki - app.kubernetes.io/instance: loki - app.kubernetes.io/component: single-binary - topologyKey: 
kubernetes.io/hostname - - volumes: - - name: tmp - emptyDir: {} - - name: config - configMap: - name: loki - - name: runtime-config - configMap: - name: loki-runtime - volumeClaimTemplates: - - metadata: - name: storage - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "10Gi" diff --git a/istio-1.18.2/samples/addons/prometheus.yaml b/istio-1.18.2/samples/addons/prometheus.yaml deleted file mode 100644 index f11e794a5..000000000 --- a/istio-1.18.2/samples/addons/prometheus.yaml +++ /dev/null 
@@ -1,531 +0,0 @@ ---- -# Source: prometheus/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system - annotations: - {} ---- -# Source: prometheus/templates/cm.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system -data: - allow-snippet-annotations: "false" - alerting_rules.yml: | - {} - alerts: | - {} - prometheus.yml: | - global: - evaluation_interval: 1m - scrape_interval: 15s - scrape_timeout: 10s - rule_files: - - /etc/config/recording_rules.yml - - /etc/config/alerting_rules.yml - - /etc/config/rules - - /etc/config/alerts - scrape_configs: - - job_name: prometheus - static_configs: - - targets: - - localhost:9090 - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-apiservers - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: default;kubernetes;https - source_labels: - - __meta_kubernetes_namespace - - __meta_kubernetes_service_name - - __meta_kubernetes_endpoint_port_name - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - 
insecure_skip_verify: true - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes-cadvisor - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - replacement: kubernetes.default.svc:443 - target_label: __address__ - - regex: (.+) - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - source_labels: - - __meta_kubernetes_node_name - target_label: __metrics_path__ - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - - honor_labels: true - job_name: kubernetes-service-endpoints - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape - - action: drop - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (.+?)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: service - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - - honor_labels: true - job_name: kubernetes-service-endpoints-slow - 
kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (.+?)(?::\d+)?;(\d+) - replacement: $1:$2 - source_labels: - - __address__ - - __meta_kubernetes_service_annotation_prometheus_io_port - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_service_name - target_label: service - - action: replace - source_labels: - - __meta_kubernetes_pod_node_name - target_label: node - scrape_interval: 5m - scrape_timeout: 30s - - honor_labels: true - job_name: prometheus-pushgateway - kubernetes_sd_configs: - - role: service - relabel_configs: - - action: keep - regex: pushgateway - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - honor_labels: true - job_name: kubernetes-services - kubernetes_sd_configs: - - role: service - metrics_path: /probe - params: - module: - - http_2xx - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_service_annotation_prometheus_io_probe - - source_labels: - - __address__ - target_label: __param_target - - replacement: blackbox - target_label: __address__ - - source_labels: - - __param_target - target_label: instance - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: - - __meta_kubernetes_namespace - 
target_label: namespace - - source_labels: - - __meta_kubernetes_service_name - target_label: service - - honor_labels: true - job_name: kubernetes-pods - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape - - action: drop - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: drop - regex: Pending|Succeeded|Failed|Completed - source_labels: - - __meta_kubernetes_pod_phase - - honor_labels: true - job_name: kubernetes-pods-slow - kubernetes_sd_configs: - - role: pod - relabel_configs: - - action: keep - regex: true - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow - - action: replace - regex: (https?) 
- source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_scheme - target_label: __scheme__ - - action: replace - regex: (.+) - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_path - target_label: __metrics_path__ - - action: replace - regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) - replacement: '[$2]:$1' - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: replace - regex: (\d+);((([0-9]+?)(\.|$)){4}) - replacement: $2:$1 - source_labels: - - __meta_kubernetes_pod_annotation_prometheus_io_port - - __meta_kubernetes_pod_ip - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) - replacement: __param_$1 - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - action: replace - source_labels: - - __meta_kubernetes_namespace - target_label: namespace - - action: replace - source_labels: - - __meta_kubernetes_pod_name - target_label: pod - - action: drop - regex: Pending|Succeeded|Failed|Completed - source_labels: - - __meta_kubernetes_pod_phase - scrape_interval: 5m - scrape_timeout: 30s - recording_rules.yml: | - {} - rules: | - {} ---- -# Source: prometheus/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - pods - - ingresses - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - - ingresses - verbs: - - get - - list - - watch - - nonResourceURLs: - - "/metrics" - verbs: - - get ---- -# Source: prometheus/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRoleBinding -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus ---- -# Source: prometheus/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - ports: - - name: http - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - component: "server" - app: prometheus - release: prometheus - sessionAffinity: None - type: "ClusterIP" ---- -# Source: prometheus/templates/deploy.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - name: prometheus - namespace: istio-system -spec: - selector: - matchLabels: - component: "server" - app: prometheus - release: prometheus - replicas: 1 - strategy: - type: Recreate - rollingUpdate: null - template: - metadata: - labels: - component: "server" - app: prometheus - release: prometheus - chart: prometheus-19.6.1 - heritage: Helm - - sidecar.istio.io/inject: "false" - spec: - enableServiceLinks: true - serviceAccountName: prometheus - containers: - - name: prometheus-server-configmap-reload - image: "jimmidyson/configmap-reload:v0.8.0" - imagePullPolicy: "IfNotPresent" - args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9090/-/reload - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - - name: prometheus-server - image: "prom/prometheus:v2.41.0" - imagePullPolicy: "IfNotPresent" - args: - - --storage.tsdb.retention.time=15d - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path=/data - - 
--web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 4 - failureThreshold: 3 - successThreshold: 1 - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - scheme: HTTP - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - resources: - {} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: /data - subPath: "" - dnsPolicy: ClusterFirst - securityContext: - fsGroup: 65534 - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - terminationGracePeriodSeconds: 300 - volumes: - - name: config-volume - configMap: - name: prometheus - - name: storage-volume - emptyDir: - {} diff --git a/istio-1.18.2/samples/bookinfo/README.md b/istio-1.18.2/samples/bookinfo/README.md deleted file mode 100644 index 7683b21b0..000000000 --- a/istio-1.18.2/samples/bookinfo/README.md +++ /dev/null 
@@ -1,100 +0,0 @@ -# Bookinfo Sample - -See . - -**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository. - -## Build docker images - -```bash -cd samples/bookinfo -src/build-services.sh -``` - -Where `` is the tag and `` is the docker registry to tag the images. - -For example: - -```bash -$ src/build-services.sh 1.16.3 docker.io/shamsher31 -Sending build context to Docker daemon 1.218MB -Step 1/16 : FROM python:3.7.7-slim -3.7.7-slim: Pulling from library/python -8559a31e96f4: Pull complete -... -Successfully built 1b293582cc2e -Successfully tagged shamsher31/examples-bookinfo-ratings-v2:1.16.3 -Successfully tagged shamsher31/examples-bookinfo-ratings-v2:latest -``` - -The bookinfo versions are different from Istio versions since the sample should work with any version of Istio. - -## Push docker images to docker hub - -After the local build is successful, you need to update the YAML file with the latest tag that you used during the build eg: `1.16.3`. - -Run the following script to build the docker images, push them to docker hub, and to update the YAML files in one step. - -```bash -./build_push_update_images.sh -``` - -For example: - -```bash -$ ./build_push_update_images.sh 1.16.3 --prefix=shamsher31 -... -1.16.3: digest: sha256:70634d3847a190b9826975c8 size: 3883 -Pushing: shamsher31/examples-bookinfo-reviews-v2:1.16.3 -The push refers to a repository [docker.io/shamsher31/examples-bookinfo-reviews-v2] -... -``` - -Verify that expected tag eg: `1.16.3` is updated in `platform/kube/bookinfo*.yaml` files. - -## Tests - -Test that the bookinfo samples work with the latest tag eg: `1.16.3` that you pushed. - -```bash -$ cd ../../ -$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -serviceaccount/bookinfo-details created -deployment.apps/details-v1 created -serviceaccount/bookinfo-ratings created -... 
-``` - -Wait for all the pods to be in `Running` start. - -```bash -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -details-v1-7f556f5c6b-485l2 2/2 Running 0 10m -productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m -ratings-v1-66777f856b-2ls78 2/2 Running 0 10m -reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m -reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m -reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m -``` - -Once all the pods are in the `Running` state. Test if the bookinfo works through cli. - -```bash -$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" -Simple Bookstore App -``` - -You can also test it by hitting productpage in the browser. - -```bash -http://192.168.39.116:31395/productpage -``` - -You should see the following in the browser. - -![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png) - -**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes. - -Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository. diff --git a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh b/istio-1.18.2/samples/bookinfo/build_push_update_images.sh deleted file mode 100755 index dfdff985a..000000000 --- a/istio-1.18.2/samples/bookinfo/build_push_update_images.sh +++ /dev/null 
@@ -1,130 +0,0 @@ -#!/bin/bash -# -# Copyright 2018 Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit - -display_usage() { - echo - echo "USAGE: ./build_push_update_images.sh [-h|--help] [--prefix=value] [--scan-images] [--multiarch-images]" - echo " version: Version of the sample app images (Required)" - echo " -h|--help: Prints usage information" - echo " --prefix: Use the value as the prefix for image names. By default, 'istio' is used" - echo -e " --scan-images: Enable security vulnerability scans for docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled." - echo -e " --multiarch-images : Enables building and pushing multiarch docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled." -} - -# Print usage information for help -if [[ "$1" == "-h" || "$1" == "--help" ]]; then - display_usage - exit 0 -fi - -# Check if there is at least one input argument -if [[ -z "$1" ]] ; then - echo "Missing version parameter" - display_usage - exit 1 -else - VERSION="$1" - shift -fi - -# Process the input arguments. By default, image scanning is disabled. 
-PREFIX=istio -ENABLE_IMAGE_SCAN=false -ENABLE_MULTIARCH_IMAGES=false -echo "$@" -for i in "$@" -do - case "$i" in - --prefix=* ) - PREFIX="${i#--prefix=}" ;; - --scan-images ) - ENABLE_IMAGE_SCAN=true ;; - --multiarch-images ) - ENABLE_MULTIARCH_IMAGES=true ;; - -h|--help ) - echo - echo "Build the docker images for bookinfo sample apps, push them to docker hub and update the yaml files." - display_usage - exit 0 ;; - * ) - echo "Unknown argument: $i" - display_usage - exit 1 ;; - esac -done - -# Build docker images -ENABLE_MULTIARCH_IMAGES="${ENABLE_MULTIARCH_IMAGES}" src/build-services.sh "${VERSION}" "${PREFIX}" - -# Currently the `--load` argument does not work for multi arch images -# Remove this once https://github.com/docker/buildx/issues/59 is addressed. -if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then - # Get all the new image names and tags - for v in ${VERSION} "latest" - do - IMAGES+=$(docker images -f reference="${PREFIX}/examples-bookinfo*:$v" --format "{{.Repository}}:$v") - IMAGES+=" " - done - - # Check that $IMAGES contains the images we've just built - if [[ "${IMAGES}" =~ ^\ +$ ]] ; then - echo "Found no images matching prefix \"${PREFIX}/examples-bookinfo\"." - echo "Try running the script without specifying the image registry in --prefix (e.g. --prefix=/foo instead of --prefix=docker.io/foo)." - exit 1 - fi -fi - -# -# Run security vulnerability scanning on bookinfo sample app images using -# trivy. If the image has vulnerabilities, the file will have a .failed -# suffix. A successful scan will have a .passed suffix. -function run_vulnerability_scanning() { - RESULT_DIR="vulnerability_scan_results" - mkdir -p "$RESULT_DIR" - # skip-dir added to prevent timeout of review images - set +e - trivy image --ignore-unfixed --no-progress --exit-code 2 --skip-dirs /opt/ol/wlp --output "$RESULT_DIR/$1_$VERSION.failed" "$2" - test $? -ne 0 || mv "$RESULT_DIR/$1_$VERSION.failed" "$RESULT_DIR/$1_$VERSION.passed" - set -e -} - -# Push images. 
Scan images if ENABLE_IMAGE_SCAN is true. -for IMAGE in ${IMAGES}; -do - # Multiarch images have already been pushed using buildx build - if [[ "${ENABLE_MULTIARCH_IMAGES}" == "false" ]]; then - echo "Pushing: ${IMAGE}" - docker push "${IMAGE}"; - fi - - # $IMAGE has the following format: istio/examples-bookinfo*:"$v". - # We want to get the sample app name from $IMAGE (the examples-bookinfo* portion) - # to create the file to store the results of the scan for that image. The first - # part of the $IMAGE_NAME gets examples-bookinfo*:"$v", and the second part gets - # 'examples-bookinfo*'. - if [[ "$ENABLE_IMAGE_SCAN" == "true" ]]; then - echo "Scanning ${IMAGE} for security vulnerabilities" - IMAGE_NAME=${IMAGE#*/} - IMAGE_NAME=${IMAGE_NAME%:*} - run_vulnerability_scanning "${IMAGE_NAME}" "${IMAGE}" - fi -done - -# Update image references in the yaml files -find ./platform -name "*bookinfo*.yaml" -exec sed -i.bak "s#image:.*\\(\\/examples-bookinfo-.*\\):.*#image: ${PREFIX//\//\\/}\\1:$VERSION#g" {} + - diff --git a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml b/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml deleted file mode 100644 index 4edaba404..000000000 --- a/istio-1.18.2/samples/bookinfo/demo-profile-no-gateways.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# IOP configuration used to install the demo profile without gateways. -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - profile: demo - components: - ingressGateways: - - name: istio-ingressgateway - enabled: false - egressGateways: - - name: istio-egressgateway - enabled: false diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml deleted file mode 100644 index 3870a4cc3..000000000 --- a/istio-1.18.2/samples/bookinfo/gateway-api/bookinfo-gateway.yaml +++ /dev/null 
@@ -1,41 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: Gateway
-metadata:
- name: bookinfo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: http
- port: 80
- protocol: HTTP
- allowedRoutes:
- namespaces:
- from: Same
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: bookinfo
-spec:
- parentRefs:
- - name: bookinfo-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /productpage
- - path:
- type: PathPrefix
- value: /static
- - path:
- type: Exact
- value: /login
- - path:
- type: Exact
- value: /logout
- - path:
- type: PathPrefix
- value: /api/v1/products
- backendRefs:
- - name: productpage
- port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml
deleted file mode 100644
index 9496ed2e5..000000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-all-v1.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: productpage
-spec:
- parentRefs:
- - kind: Service
- name: productpage
- port: 9080
- rules:
- - backendRefs:
- - name: productpage-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: ratings
-spec:
- parentRefs:
- - kind: Service
- name: ratings
- port: 9080
- rules:
- - backendRefs:
- - name: ratings-v1
- port: 9080
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: details
-spec:
- parentRefs:
- - kind: Service
- name: details
- port: 9080
- rules:
- - backendRefs:
- - name: details-v1
- port: 9080
----
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
deleted file mode 100644
index 76bbea8f7..000000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-50-v3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 50
- - name: reviews-v3
- port: 9080
- weight: 50
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
deleted file mode 100644
index f74349fe4..000000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-90-10.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
- weight: 90
- - name: reviews-v2
- port: 9080
- weight: 10
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml
deleted file mode 100644
index 8e11bcd92..000000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v1.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: reviews
-spec:
- parentRefs:
- - kind: Service
- name: reviews
- port: 9080
- rules:
- - backendRefs:
- - name: reviews-v1
- port: 9080
diff --git a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml
deleted file mode 100644
index b5515fd1b..000000000
--- a/istio-1.18.2/samples/bookinfo/gateway-api/route-reviews-v3.yaml
+++ /dev/null
@@ -1,13 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: reviews -spec: - parentRefs: - - kind: Service - name: reviews - port: 9080 - rules: - - backendRefs: - - name: reviews-v3 - port: 9080 diff --git a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml deleted file mode 100644 index 948682dc5..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/bookinfo-gateway.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: bookinfo-gateway -spec: - # The selector matches the ingress gateway pod labels. - # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress" - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: bookinfo -spec: - hosts: - - "*" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 diff --git a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml deleted file mode 100644 index 3fa653780..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/certmanager-gateway.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: cert-manager-gateway - namespace: istio-system -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: cert-manager - namespace: istio-system -spec: - hosts: - - "*" - gateways: - - cert-manager-gateway - http: - - match: - - uri: - prefix: /.well-known/acme-challenge/ - route: - - destination: - host: cert-manager-resolver - port: - number: 8089 diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml deleted file mode 100644 index 2a19c3fb4..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all-mtls.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: productpage -spec: - host: productpage - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: reviews -spec: - host: reviews - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v3 - labels: - version: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: ratings -spec: - host: ratings - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v2-mysql - labels: - version: v2-mysql - - name: v2-mysql-vm - labels: - version: v2-mysql-vm ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: details -spec: - host: details - trafficPolicy: - tls: - mode: ISTIO_MUTUAL - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml deleted file mode 100644 index 96be6993a..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-all.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: productpage -spec: - host: productpage - subsets: - - name: v1 - labels: - version: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: reviews -spec: - host: reviews - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v3 - labels: - version: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: ratings -spec: - host: ratings - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v2-mysql - labels: - version: v2-mysql - - name: v2-mysql-vm - labels: - version: v2-mysql-vm ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: details -spec: - host: details - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml deleted file mode 100644 index 69f30f1d9..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/destination-rule-reviews.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: reviews -spec: - host: reviews - trafficPolicy: - loadBalancer: - simple: RANDOM - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - - name: v3 - labels: - version: v3 diff --git a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml deleted file mode 100644 index d35e3ac1d..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/egress-rule-google-apis.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: googleapis -spec: - hosts: - - www.googleapis.com - ports: - - number: 80 - name: http - protocol: HTTP - - number: 443 - name: https - protocol: HTTPS - resolution: DNS ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: rewrite-port-for-googleapis -spec: - hosts: - - www.googleapis.com - http: - - match: - - port: 80 - route: - - destination: - host: www.googleapis.com - port: - number: 443 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: originate-tls-for-googleapis -spec: - host: www.googleapis.com - trafficPolicy: - loadBalancer: - simple: ROUND_ROBIN - portLevelSettings: - - port: - number: 443 - tls: - mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com diff --git a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml deleted file mode 100644 index c45509256..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/fault-injection-details-v1.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: details -spec: - hosts: - - details - http: - - fault: - abort: - httpStatus: 555 - percentage: - value: 100 - route: - - destination: - host: details - subset: v1 - - route: - - destination: - host: details - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: details -spec: - host: details - subsets: - - name: v1 - labels: - version: v1 \ No newline at end of file diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml deleted file mode 100644 index 6811e31d9..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-all-v1.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: productpage -spec: - hosts: - - productpage - http: - - route: - - destination: - host: productpage - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: details -spec: - hosts: - - details - http: - - route: - - destination: - host: details - subset: v1 ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml deleted file mode 100644 index 5f21fa530..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-details-v2.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: details -spec: - hosts: - - details - http: - - route: - - destination: - host: details - subset: v2 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml deleted file mode 100644 index 1698ec247..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-db.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v2 ---- 
diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml deleted file mode 100644 index fdf882702..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v2-mysql-vm ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml deleted file mode 100644 index 03a700ead..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - route: - - destination: - host: ratings - subset: v2-mysql ---- diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml deleted file mode 100644 index 51c6fe9c6..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - match: - - headers: - end-user: - exact: jason - fault: - abort: - percentage: - value: 100.0 - httpStatus: 500 - route: - - destination: - host: ratings - subset: v1 - - route: - - destination: - host: ratings - subset: v1 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml deleted file mode 100644 index 6c4e19dad..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: ratings -spec: - hosts: - - ratings - http: - - match: - - headers: - end-user: - exact: jason - fault: - delay: - percentage: - value: 100.0 - fixedDelay: 7s - route: - - destination: - host: ratings - subset: v1 - - route: - - destination: - host: ratings - subset: v1 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml deleted file mode 100644 index aad8c3175..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 - weight: 50 - - destination: - host: reviews - subset: v3 - weight: 50 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml deleted file mode 100644 index 7304d867d..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 - weight: 80 - - destination: - host: reviews - subset: v2 - weight: 20 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml deleted file mode 100644 index d211dd16a..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v1 - weight: 90 - - destination: - host: reviews - subset: v2 - weight: 10 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml deleted file mode 100644 index fb3571368..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - match: - - headers: - end-user: - exact: jason - route: - - destination: - host: reviews - subset: v2 - - route: - - destination: - host: reviews - subset: v3 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml deleted file mode 100644 index ea07efb29..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - match: - - headers: - end-user: - exact: jason - route: - - destination: - host: reviews - subset: v2 - - route: - - destination: - host: reviews - subset: v1 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml deleted file mode 100644 index 7ae7b8042..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v2 - weight: 50 - - destination: - host: reviews - subset: v3 - weight: 50 diff --git a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml deleted file mode 100644 index 5da999d4f..000000000 --- a/istio-1.18.2/samples/bookinfo/networking/virtual-service-reviews-v3.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: reviews -spec: - hosts: - - reviews - http: - - route: - - destination: - host: reviews - subset: v3 diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/README.md b/istio-1.18.2/samples/bookinfo/platform/kube/README.md deleted file mode 100644 index d1189bec3..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/README.md +++ /dev/null @@ -1,2 +0,0 @@ -See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio -docs for instructions on how to run this demo application. 
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml deleted file mode 100644 index bce874dcd..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-certificate.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging - namespace: istio-system -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: stage@istio.io - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - # Enable the HTTP-01 challenge provider - http01: {} ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate -metadata: - name: istio-ingressgateway-certs - namespace: istio-system -spec: - secretName: istio-ingressgateway-certs - issuerRef: - name: letsencrypt-staging - kind: ClusterIssuer - commonName: bookinfo.example.com - dnsNames: - - bookinfo.example.com - acme: - config: - - http01: - ingressClass: none - domains: - - bookinfo.example.com diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml deleted file mode 100644 index 474410c8c..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-db.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Service -metadata: - name: mongodb - labels: - app: mongodb - service: mongodb -spec: - ports: - - port: 27017 - name: mongo - selector: - app: mongodb ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongodb-v1 - labels: - app: mongodb - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: mongodb - version: v1 - template: - metadata: - labels: - app: mongodb - version: v1 - spec: - containers: - - name: mongodb - image: docker.io/istio/examples-bookinfo-mongodb:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 27017 - volumeMounts: - - name: data-db - mountPath: /data/db - volumes: - - name: data-db - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml deleted file mode 100644 index e5a0e73c2..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Details service v2 -################################################################################################## -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v2 - labels: - app: details - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v2 - template: - metadata: - labels: - app: details - version: v2 - spec: - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v2:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - env: - - name: DO_NOT_ENCRYPT - value: "true" - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml deleted file mode 100644 index 6cb7db364..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-details.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml deleted file mode 100644 index e2143399f..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -########################################################################### -# Ingress resource (gateway) -########################################################################## -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gateway - annotations: - kubernetes.io/ingress.class: "istio" -spec: - rules: - - http: - paths: - - path: /productpage - pathType: Exact - backend: - service: - name: productpage - port: - number: 9080 - - path: /static/ - pathType: Prefix - backend: - service: - name: productpage - port: - number: 9080 - - path: /login - pathType: Exact - backend: - service: - name: productpage - port: - number: 9080 - - path: /logout - pathType: Exact - backend: - service: - name: productpage - port: - number: 9080 - - path: /api/v1/products - pathType: Prefix - backend: - service: - name: productpage - port: - number: 9080 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml deleted file mode 100644 index 073fee460..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-mysql.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Mysql db services -# credentials: root/password -################################################################################################## -apiVersion: v1 -kind: Secret -metadata: - name: mysql-credentials -type: Opaque -data: - rootpasswd: cGFzc3dvcmQ= ---- -apiVersion: v1 -kind: Service -metadata: - name: mysqldb - labels: - app: mysqldb - service: mysqldb -spec: - ports: - - port: 3306 - name: tcp - selector: - app: mysqldb ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mysqldb-v1 - labels: - app: mysqldb - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: mysqldb - version: v1 - template: - metadata: - labels: - app: mysqldb - version: v1 - spec: - containers: - - name: mysqldb - image: docker.io/istio/examples-bookinfo-mysqldb:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 3306 - env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: mysql-credentials - key: rootpasswd - args: ["--default-authentication-plugin","mysql_native_password"] - volumeMounts: - - name: var-lib-mysql - mountPath: /var/lib/mysql - volumes: - - name: var-lib-mysql - emptyDir: {} ---- 
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml
deleted file mode 100644
index 5b65de634..000000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-psa.yaml
+++ /dev/null
@@ -1,369 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# This file defines the same services, service accounts, and deployments as bookinfo.yaml with -# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission -# enabled cluster that enforces the baseline policy. -################################################################################################## - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-details - labels: - account: details ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - serviceAccountName: bookinfo-details - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 
9080 - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true ---- -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings - labels: - account: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - serviceAccountName: bookinfo-ratings - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true ---- -################################################################################################## -# Reviews service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: reviews - labels: - app: reviews - service: reviews -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-reviews - labels: - account: reviews ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v1 - labels: - app: reviews - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v1 - template: - metadata: - labels: - app: reviews - version: v1 - spec: - 
serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v3 - labels: - app: reviews - version: v3 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v3 - template: - metadata: - labels: - app: reviews - version: v3 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - 
allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - ports: - - port: 9080 - name: http - selector: - app: productpage ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-productpage - labels: - account: productpage ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productpage-v1 - labels: - app: productpage - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: productpage - version: v1 - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9080" - prometheus.io/path: "/metrics" - labels: - app: productpage - version: v1 - spec: - serviceAccountName: bookinfo-productpage - containers: - - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsNonRoot: true - volumes: - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml deleted file mode 100644 index 61c4b7f10..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Ratings service
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings
- labels:
- app: ratings
- service: ratings
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
deleted file mode 100644
index 1024c75c9..000000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
+++ /dev/null
@@ -1,55 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v2-mysql-vm - labels: - app: ratings - version: v2-mysql-vm -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v2-mysql-vm - template: - metadata: - labels: - app: ratings - version: v2-mysql-vm - spec: - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - # This assumes you registered your mysql vm as - # istioctl register -n vm mysqldb 1.2.3.4 3306 - - name: DB_TYPE - value: "mysql" - - name: MYSQL_DB_HOST - value: mysqldb.vm.svc.cluster.local - - name: MYSQL_DB_PORT - value: "3306" - - name: MYSQL_DB_USER - value: root - - name: MYSQL_DB_PASSWORD - value: password - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml deleted file mode 100644 index 09c4610a2..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v2-mysql - labels: - app: ratings - version: v2-mysql -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v2-mysql - template: - metadata: - labels: - app: ratings - version: v2-mysql - spec: - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - # ratings-v2 will use mongodb as the default db backend. - # if you would like to use mysqldb then you can use this file - # which sets DB_TYPE = 'mysql' and the rest of the parameters shown - # here and also create the # mysqldb service using bookinfo-mysql.yaml - # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml - - name: DB_TYPE - value: "mysql" - - name: MYSQL_DB_HOST - value: mysqldb - - name: MYSQL_DB_PORT - value: "3306" - - name: MYSQL_DB_USER - value: root - - name: MYSQL_DB_PASSWORD - value: password - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml deleted file mode 100644 index a645d19ac..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings-v2 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v2 - labels: - app: ratings - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v2 - template: - metadata: - labels: - app: ratings - version: v2 - spec: - serviceAccountName: bookinfo-ratings-v2 - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - # ratings-v2 will use mongodb as the default db backend. - # if you would like to use mysqldb then set DB_TYPE = 'mysql', set - # the rest of the parameters shown here and also create the - # mysqldb service using bookinfo-mysql.yaml - # - name: DB_TYPE #default to - # value: "mysql" - # - name: MYSQL_DB_HOST - # value: mysqldb - # - name: MYSQL_DB_PORT - # value: "3306" - # - name: MYSQL_DB_USER - # value: root - # - name: MYSQL_DB_PASSWORD - # value: password - - name: MONGO_DB_URL - value: mongodb://mongodb:27017/test - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml deleted file mode 100644 index 08c9040d8..000000000 
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-ratings.yaml +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml deleted file mode 100644 index 4acc6b264..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Reviews service v2 -################################################################################################## -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml deleted file mode 100644 index c374bbee7..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo-versions.yaml +++ /dev/null 
@@ -1,72 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v2
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v2
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reviews-v3
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: reviews
- version: v3
----
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ratings-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: ratings
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: details-v1
-spec:
- ports:
- - port: 9080
- name: http
- selector:
- app: details
- version: v1
----
diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml
deleted file mode 100644
index 4699e3e79..000000000
--- a/istio-1.18.2/samples/bookinfo/platform/kube/bookinfo.yaml
+++ /dev/null
@@ -1,347 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# This file defines the services, service accounts, and deployments for the Bookinfo sample. -# -# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -# -# Alternatively, you can deploy any resource separately: -# -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount -# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment -################################################################################################## - -################################################################################################## -# Details service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: details - labels: - app: details - service: details -spec: - ports: - - port: 9080 - name: http - selector: - app: details ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-details - labels: - account: details ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: details-v1 - labels: - app: details - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: details - version: v1 - template: - metadata: - labels: - app: details - version: v1 - spec: - serviceAccountName: bookinfo-details - containers: - - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- -################################################################################################## -# Ratings service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: ratings - labels: - app: ratings - service: ratings -spec: - ports: - - port: 9080 - name: http - selector: - app: ratings ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-ratings - labels: - account: ratings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratings-v1 - labels: - app: ratings - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: ratings - version: v1 - template: - metadata: - labels: - app: ratings - version: v1 - spec: - serviceAccountName: bookinfo-ratings - containers: - - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - securityContext: - runAsUser: 1000 ---- -################################################################################################## -# Reviews service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: reviews - labels: - app: reviews - service: reviews -spec: - ports: - - port: 9080 - name: http - selector: - app: reviews ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-reviews - labels: - account: reviews ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: reviews-v1 - labels: - app: reviews - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v1 - template: - metadata: - labels: - app: reviews - version: v1 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v2 - labels: - app: reviews - version: v2 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v2 - template: - metadata: - labels: - app: reviews - version: v2 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output - securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reviews-v3 - labels: - app: reviews - version: v3 -spec: - replicas: 1 - selector: - matchLabels: - app: reviews - version: v3 - template: - metadata: - labels: - app: reviews - version: v3 - spec: - serviceAccountName: bookinfo-reviews - containers: - - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0 - imagePullPolicy: IfNotPresent - env: - - name: LOG_DIR - value: "/tmp/logs" - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: wlp-output - mountPath: /opt/ibm/wlp/output 
- securityContext: - runAsUser: 1000 - volumes: - - name: wlp-output - emptyDir: {} - - name: tmp - emptyDir: {} ---- -################################################################################################## -# Productpage services -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: productpage - labels: - app: productpage - service: productpage -spec: - ports: - - port: 9080 - name: http - selector: - app: productpage ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bookinfo-productpage - labels: - account: productpage ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productpage-v1 - labels: - app: productpage - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: productpage - version: v1 - template: - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9080" - prometheus.io/path: "/metrics" - labels: - app: productpage - version: v1 - spec: - serviceAccountName: bookinfo-productpage - containers: - - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0 - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9080 - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} ---- diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh deleted file mode 100755 index bdf700d11..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/cleanup.sh +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -# only ask if in interactive mode -if [[ -t 0 && -z ${NAMESPACE} ]];then - echo -n "namespace ? [default] " - read -r NAMESPACE -fi - -# verify if the namespace exists, otherwise use default namespace -if [[ -n ${NAMESPACE} ]];then - ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null) - if [[ -z ${ns} ]];then - echo "NAMESPACE ${NAMESPACE} not found." 
- NAMESPACE=default - fi -fi - -# if no namespace is provided, use default namespace -if [[ -z ${NAMESPACE} ]];then - NAMESPACE=default -fi - -echo "using NAMESPACE=${NAMESPACE}" - -# clean up Istio traffic management resources that may have been used -protos=( destinationrules virtualservices gateways ) -for proto in "${protos[@]}"; do - for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do - kubectl delete -n "${NAMESPACE}" "$resource"; - done -done - -# clean up Gateway API resources that may have been used -if kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1; then - protos=( httproutes gateways.gateway.networking.k8s.io ) - for proto in "${protos[@]}"; do - for resource in $(kubectl get -n "${NAMESPACE}" "$proto" -o name); do - kubectl delete -n "${NAMESPACE}" "$resource"; - done - done - kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo-versions.yaml" >/dev/null 2>&1 -fi - -OUTPUT=$(mktemp) -export OUTPUT -echo "Application cleanup may take up to one minute" -kubectl delete -n "${NAMESPACE}" -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1 -ret=$? -function cleanup() { - rm -f "${OUTPUT}" -} - -trap cleanup EXIT - -if [[ ${ret} -eq 0 ]];then - cat "${OUTPUT}" -else - # ignore NotFound errors - OUT2=$(grep -v NotFound "${OUTPUT}") - if [[ -n ${OUT2} ]];then - cat "${OUTPUT}" - exit ${ret} - fi -fi - -# wait for 30 sec for bookinfo to clean up -sleep 30 - -echo "Application cleanup successful" diff --git a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml deleted file mode 100644 index aadba2e0c..000000000 --- a/istio-1.18.2/samples/bookinfo/platform/kube/productpage-nodeport.yaml +++ /dev/null 
@@ -1,32 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Productpage services
-##################################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: productpage
- labels:
- app: productpage
- service: productpage
-spec:
- type: NodePort
- ports:
- - port: 9080
- name: http
- selector:
- app: productpage
----
diff --git a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
deleted file mode 100644
index ef96dc56b..000000000
--- a/istio-1.18.2/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml
+++ /dev/null
@@ -1,88 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: filter-ratelimit - namespace: istio-system -spec: - workloadSelector: - # select by label in the same namespace - labels: - istio: ingressgateway - configPatches: - # The Envoy config you want to modify - - applyTo: HTTP_FILTER - match: - context: GATEWAY - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: envoy.ratelimit - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit - # domain can be anything! Match it to the ratelimter service config - domain: productpage-ratelimit - failure_mode_deny: true - rate_limit_service: - grpc_service: - envoy_grpc: - cluster_name: rate_limit_cluster - timeout: 10s - - applyTo: CLUSTER - match: - cluster: - service: ratelimit.default.svc.cluster.local - patch: - operation: ADD - value: - name: rate_limit_cluster - type: STRICT_DNS - connect_timeout: 10s - lb_policy: ROUND_ROBIN - http2_protocol_options: {} - load_assignment: - cluster_name: rate_limit_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: ratelimit.default.svc.cluster.local - port_value: 8081 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: filter-ratelimit-svc - namespace: istio-system -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: VIRTUAL_HOST - match: - context: GATEWAY - routeConfiguration: - vhost: - name: "" - route: - action: ANY - patch: - operation: MERGE - value: - rate_limits: - - actions: # any actions in here - # Multiple actions nest the descriptors - # - generic_key: - # descriptor_value: "test" - - request_headers: - header_name: ":path" - descriptor_key: "PATH" - # - remote_address: {} - # - destination_cluster: {} \ No newline at end of file 
diff --git a/istio-1.18.2/samples/bookinfo/src/build-services.sh b/istio-1.18.2/samples/bookinfo/src/build-services.sh deleted file mode 100755 index aa3d64325..000000000 --- a/istio-1.18.2/samples/bookinfo/src/build-services.sh +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -ox errexit - -display_usage() { - echo - echo "USAGE: ./build-services.sh [-h|--help]" - echo " -h|--help: Prints usage information" - echo " version: Version of the sample app images (Required)" - echo " prefix: Use the value as the prefix for image names (Required)" -} - -if [ "$#" -ne 2 ]; then - if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - display_usage - exit 0 - else - echo "Incorrect parameters" "$@" - display_usage - exit 1 - fi -fi - -VERSION=$1 -PREFIX=$2 -SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -# Docker build variables -ENABLE_MULTIARCH_IMAGES=${ENABLE_MULTIARCH_IMAGES:-"false"} - -if [ "${ENABLE_MULTIARCH_IMAGES}" == "true" ]; then - PLATFORMS="linux/arm64,linux/amd64" - DOCKER_BUILD_ARGS="docker buildx build --platform ${PLATFORMS} --push" - # Install QEMU emulators - docker run --rm --privileged tonistiigi/binfmt --install all - docker buildx rm multi-builder || : - docker buildx create --use --name multi-builder --platform ${PLATFORMS} - docker buildx use multi-builder -else - DOCKER_BUILD_ARGS="docker build" -fi - -pushd "$SCRIPTDIR/productpage" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v1:latest" . 
- # flooding - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:latest" --build-arg flood_factor=100 . -popd - -pushd "$SCRIPTDIR/details" - # plain build -- no calling external book service to fetch topics - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v1:latest" --build-arg service_version=v1 . - # with calling external book service to fetch topic for the book - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-details-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v2:latest" --build-arg service_version=v2 \ - --build-arg enable_external_book_service=true . -popd - - -pushd "$SCRIPTDIR/reviews" - # java build the app. - docker run --rm -u root -v "$(pwd)":/home/gradle/project -w /home/gradle/project gradle:4.8.1 gradle clean build - - pushd reviews-wlpcfg - # plain build -- no ratings - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v1:latest" --build-arg service_version=v1 . - # with ratings black stars - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v2:latest" --build-arg service_version=v2 \ - --build-arg enable_ratings=true . - # with ratings red stars - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-reviews-v3:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v3:latest" --build-arg service_version=v3 \ - --build-arg enable_ratings=true --build-arg star_color=red . - popd -popd - -pushd "$SCRIPTDIR/ratings" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v1:latest" --build-arg service_version=v1 . 
- ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v2:latest" --build-arg service_version=v2 . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:latest" --build-arg service_version=v-faulty . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:latest" --build-arg service_version=v-delayed . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:latest" --build-arg service_version=v-unavailable . - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:latest" --build-arg service_version=v-unhealthy . -popd - -pushd "$SCRIPTDIR/mysql" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mysqldb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mysqldb:latest" . -popd - -pushd "$SCRIPTDIR/mongodb" - ${DOCKER_BUILD_ARGS} --pull -t "${PREFIX}/examples-bookinfo-mongodb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mongodb:latest" . -popd diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json deleted file mode 100644 index b4563b50c..000000000 --- a/istio-1.18.2/samples/bookinfo/src/mongodb/ratings_data.json +++ /dev/null @@ -1,2 +0,0 @@ -{rating: 5} -{rating: 4} diff --git a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh b/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh deleted file mode 100644 index 7e230ee5a..000000000 --- a/istio-1.18.2/samples/bookinfo/src/mongodb/script.sh +++ /dev/null 
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json
diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt
deleted file mode 100644
index 5e5ddf224..000000000
--- a/istio-1.18.2/samples/bookinfo/src/productpage/requirements.txt
+++ /dev/null
@@ -1,32 +0,0 @@
-certifi==2022.12.7
-chardet==3.0.4
-Click==7.0
-contextlib2==0.5.5
-dominate==2.3.5
-Flask==2.1.1
-Flask-Bootstrap==3.3.7.1
-Flask-JSON==0.3.3
-future==0.17.1
-futures==3.1.1
-gevent==21.12.0
-greenlet==1.1.2
-idna==2.8
-itsdangerous==1.1.0
-jaeger-client==3.13.0
-Jinja2==2.11.3
-json2html==1.2.1
-MarkupSafe==0.23
-nose==1.3.7
-opentracing==1.2.2
-opentracing-instrumentation==2.4.3
-prometheus-client==0.15.0
-requests==2.28.1
-simplejson==3.16.0
-six==1.12.0
-threadloop==1.0.2
-thrift==0.11.0
-tornado==5.1
-urllib3==1.26.5
-visitor==0.1.3
-Werkzeug==2.2.3
-wrapt==1.11.1
diff --git a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt b/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt
deleted file mode 100644
index f756640f2..000000000
--- a/istio-1.18.2/samples/bookinfo/src/productpage/test-requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-requests-mock==1.5.2
diff --git a/istio-1.18.2/samples/bookinfo/src/ratings/package.json b/istio-1.18.2/samples/bookinfo/src/ratings/package.json
deleted file mode 100644
index f0498224c..000000000
--- a/istio-1.18.2/samples/bookinfo/src/ratings/package.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "scripts": {
- "start": "node ratings.js"
- },
- "dependencies": {
- "httpdispatcher": "1.0.0",
- "mongodb": "^3.6.0",
- "mysql": "^2.15.0"
- },
- "private": true
-}
diff --git a/istio-1.18.2/samples/bookinfo/swagger.yaml b/istio-1.18.2/samples/bookinfo/swagger.yaml
deleted file mode 100644
index 6782e732f..000000000
--- a/istio-1.18.2/samples/bookinfo/swagger.yaml
+++ /dev/null
@@ -1,248 +0,0 @@ -swagger: "2.0" -info: - description: "This is the API of the Istio BookInfo sample application." - version: "1.0.0" - title: "BookInfo API" - termsOfService: "https://istio.io/" - license: - name: "Apache 2.0" - url: "http://www.apache.org/licenses/LICENSE-2.0.html" -basePath: "/api/v1" -tags: -- name: "product" - description: "Information about a product (in this case a book)" -- name: "review" - description: "Review information for a product" -- name: "rating" - description: "Rating information for a product" -externalDocs: - description: "Learn more about the Istio BookInfo application" - url: "https://istio.io/docs/samples/bookinfo.html" -paths: - /products: - get: - tags: - - "product" - summary: "List all products" - description: "List all products available in the application with a minimum amount of information." - operationId: "getProducts" - consumes: - - "application/json" - produces: - - "application/json" - responses: - 200: - description: "successful operation" - schema: - type: "array" - items: - $ref: "#/definitions/Product" - /products/{id}: - get: - tags: - - "product" - summary: "Get individual product" - description: "Get detailed information about an individual product with the given id." - operationId: "getProduct" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductDetails" - 400: - description: "Invalid product id" - /products/{id}/reviews: - get: - tags: - - "review" - summary: "Get reviews for a product" - description: "Get reviews for a product, including review text and possibly ratings information." 
- operationId: "getProductReviews" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductReviews" - 400: - description: "Invalid product id" - /products/{id}/ratings: - get: - tags: - - "rating" - summary: "Get ratings for a product" - description: "Get ratings for a product, including stars and their color." - operationId: "getProductRatings" - consumes: - - "application/json" - produces: - - "application/json" - parameters: - - name: "id" - in: "path" - description: "Product id" - required: true - type: "integer" - format: "int32" - responses: - 200: - description: "successful operation" - schema: - $ref: "#/definitions/ProductRatings" - 400: - description: "Invalid product id" - - -definitions: - Product: - type: "object" - description: "Basic information about a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - title: - type: "string" - description: "Title of the book" - descriptionHtml: - type: "string" - description: "Description of the book - may contain HTML tags" - required: - - "id" - - "title" - - "descriptionHtml" - ProductDetails: - type: "object" - description: "Detailed information about a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - publisher: - type: "string" - description: "Publisher of the book" - language: - type: "string" - description: "Language of the book" - author: - type: "string" - description: "Author of the book" - ISBN-10: - type: "string" - description: "ISBN-10 of the book" - ISBN-13: - type: "string" - description: "ISBN-13 of the book" - year: - type: "integer" - format: "int32" - description: "Year the book was first published in" - type: - type: "string" - enum: - - "paperback" - - "hardcover" - 
description: "Type of the book" - pages: - type: "integer" - format: "int32" - description: "Number of pages of the book" - required: - - "id" - - "publisher" - - "language" - - "author" - - "ISBN-10" - - "ISBN-13" - - "year" - - "type" - - "pages" - ProductReviews: - type: "object" - description: "Object containing reviews for a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - reviews: - type: "array" - description: "List of reviews" - items: - $ref: "#/definitions/Review" - required: - - "id" - - "reviews" - Review: - type: "object" - description: "Review of a product" - properties: - reviewer: - type: "string" - description: "Name of the reviewer" - text: - type: "string" - description: "Review text" - rating: - $ref: "#/definitions/Rating" - required: - - "reviewer" - - "text" - Rating: - type: "object" - description: "Rating of a product" - properties: - stars: - type: "integer" - format: "int32" - minimum: 1 - maximum: 5 - description: "Number of stars" - color: - type: "string" - enum: - - "red" - - "black" - description: "Color in which stars should be displayed" - required: - - "stars" - - "color" - ProductRatings: - type: "object" - description: "Object containing ratings of a product" - properties: - id: - type: "integer" - format: "int32" - description: "Product id" - ratings: - type: "object" - description: "A hashmap where keys are reviewer names, values are number of stars" - additionalProperties: - type: "string" - required: - - "id" - - "ratings" \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/README.md b/istio-1.18.2/samples/certs/README.md deleted file mode 100644 index 6daeaab48..000000000 --- a/istio-1.18.2/samples/certs/README.md +++ /dev/null 
@@ -1,34 +0,0 @@
-# Istio plugin CA sample certificates
-
-This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
-a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
-Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).
-
-The included sample files are:
-
-- `root-cert.pem`: root CA certificate.
-- `root-cert-alt.pem`: alterative CA certificate.
-- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
-- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
-- `cert-chain.pem`: certificate trust chain.
-- `cert-chain-alt.pem`: alternative certificate chain.
-- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
-- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
-- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.
-- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate.
-- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
-- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.
-
-The workload cert and key are generated by:
-
-```shell script
- ./generate-workload.sh foo
- ./generate-workload.sh bar
-```
-
-To generate certs signed by the alternative root `root-cert-alt.pem`
-
-```shell script
-./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
-./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
-```
diff --git a/istio-1.18.2/samples/certs/ca-cert-alt.pem b/istio-1.18.2/samples/certs/ca-cert-alt.pem
deleted file mode 100644
index b790d1d21..000000000
--- a/istio-1.18.2/samples/certs/ca-cert-alt.pem
+++ /dev/null
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4 -eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu -f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a -I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw -srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd -PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5 -TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4 -4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0 -UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9 -NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5 -bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW -f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS -BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp -c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC -dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a -WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo -A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty -tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw -JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr -xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k -KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz -kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1 -sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk -Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D -wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU= ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/istio-1.18.2/samples/certs/ca-cert.pem b/istio-1.18.2/samples/certs/ca-cert.pem deleted file mode 100644 index a460e036b..000000000 --- a/istio-1.18.2/samples/certs/ca-cert.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/ca-key-alt.pem b/istio-1.18.2/samples/certs/ca-key-alt.pem deleted file mode 100644 index 872543dd4..000000000 --- a/istio-1.18.2/samples/certs/ca-key-alt.pem +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAlx8cZPTCKlFRySRZHUZeznX5OXTXsrVjNrh4TGD6IQUWbMZb -+qkf6Da5STyD9+oQ5CsVu1CwVmAf8+2okMzX20z6xWP0xZU0dO5/zJv2mM/Zjo7r -FPJIBh+dkXB9063t7AVEFe768cqk/Neusl0lZAb42g+5gtqfLlojaGAfE84IrFiX -BvKPB03w+BSVyPub9sRbeuHCTJYEjD8Kn79hkjDEJJaXUwEOuPCyvOtWYz7voEk7 -i3AqOq0lHv6Po9I2Ts0ONIIi1+a0I0NKJJ9o9Y/CaFOQY+i/oF0+imeSgaCoO1IG -oFEy5LSwQyGOwjb97b5fr6a6xFh1ODFJLLYsSDf/+cRNsLhz6rlOuA5N6uM7Qnby -LeIFJLk9UNivre/TYLflPKffxNGCan9ARORgB8hOtxKdmdNChHjg2d3x3mrDpc3d -xFH9H0DhxxxpMCY1UOb6JmTWM2JXqwn8/V8McNAAI+nJie127LRQJQd5pqxsV1+X -h5JP3+48AtnKBL2x7u2ObvFMVlxDvAaq7YM4xbDqhw8v8y/qdf00mlj3yoIDCETb -0tSqr6m0OFJBkJWHl1+uvH2cDdSYA3KU7oBc1zejF6tLqLMkt7ltADgUchlB6rJa -o9H7ASnIRSA7U3r64yW+LAy9yEAcZhdvMfejpn+Y666ef8xVsZZ/TBTb72UCAwEA -AQKCAgAkT5pf+5uH1YBER1KOQTFYhGo8zwFg9EqBhHOLTqXrNzC7NDI3mVmMT1HX -8g13jSs/18Zh+rJUHsaussUU/dND40xCD5FpxD8VdZUJkdP/xbltkpOTtd9ucTxI -DPJ+4UTQuDcy2fg8Dsfz5NMaEl2AmlhC9RJLCcLDvW7Sjn4JITFeT+8CAVgylhy3 -TyLqZuKDuYyNix9HjahMFn20AqUsHkGS1QhJLnDeKR+ZWyantCCZr9750xqifKX1 -u47B+ymHZ6fpH/fFTq6r5mgzQoZSspcwwBtqlistGhqD4P0H3pVto3jqHniPEYdk -qfSGX/ZFoL+XEgXAVczckqMVdjRPS3eq23xLlp3kkSN7I1JVGxfEbatVUSy+WBT6 -IatSXUenbloD9NTcE2v08OTLG2xgAFNl6gC4kTxEnJuXAccFIMXMrbcmiZh4xZxq -SLv/HwRENy3MjE3WMocAZ7ypfUbKEIsVYMaTvyQzXEr7yyTT9qpL2gJRCqaimUbb -YoUXc/RreGgDY3S5S6OETdFXHeps2ObTXUqMWU1pF+X1lKA5c2H7bl5PBRu0KJ9s -uPEln0tmZ02299S1ropCeqjA7YQcrqQnEsbIwt64pynRnFCUJyTSYmUX1C/ewYIa -2AC7CiMQf7eBUZlTuR9G6zqhimEqgd0ZIPvOvDzkBWG51WrMJQKCAQEAxWgZ4jzQ -RBTfXRIpjFZ93KM2Jy8RCDPesTnXvPK73h7AyvMx32ygm6j0m6yUHV8RN75CE2rM -Vb1ogeL1LHgFjZLsM+3SrQUSfW7uZZ4+Fkm/JYF4Qmflch4jJH4MnPy/HgO75nRs -ai2xMil8YnR8QZFpvTrutRkTRK6bSm8N98vjV+bbVw8eFL/dVgLHpdHTLoFBo4Zd -o7CaA4Aje8AabeWd7Yp0cjTGWHWLHFzxDnD9gfWN5eL8ay1QZwW3BFUw+eLuIrRu -UbC54e8RK0lXSAwbGCbof8+nfd7i+vh4lwM5D0HLMmmvpRs5+2BVuOI8gwtxxrwn -T4SFlIEdRRjxDwKCAQEAw/oLsYDrVPzATQkQ6Kec7ayGBWf9+G209MKOHkRNJdC0 -kms7yMckqTWEs5tMgBD8V0BrajmB8cbjR0g6Fe2M2W+mFZ+x55Lw8j/qNEbHKNor 
-p3W50leiSlWbntuaIAnzKDR2QamtEToz6IhMG3mtpxVZBf+fRRoaB/dK098BGHQ9 -J7uTeydf19kwGZoaVZ1EGSsVZTGMQEsNhZzFHbqOUaxiD3+UykyIZ1hO8jNlTdB0 -6yqBbgdetcb1Op6vFVVWswxMeJzDUc5S1ehGYXkthHHbIAXAy4iBEo+fVdxFs5nZ -zk3uauyyKZQ7qM2Cu8sa5TrsRd4GncKNdubNO/2wSwKCAQEAspMiXxMuP3g2OsZU -SXxwbOhD85xTJv1tJRszOtzF8AAX3T+0TO3COC3V4QF0F0HJnIiC03fYEnO+F0lN -CoYkV9ahz7QC0bt153wzMj+84IKj5HTDaib8W4hBuCBCnrzQ0oEEOEv3SvG8iqkW -uSWwxcuaQLEQAUkGsinVlrbxhsitBvZyUsX9Kz4JJmZrXmh6RmZtD1VcXdhC6om/ -D5JPFj0R6TFHd4ygJKNoTScSdULnQOn2DBCS0Q1z304/Ki86l8KeM0zPQxzAek6+ -VE8LIsS4uddwmTYqyOWYpPmidNFYi6G0BA2w84W2pNyXjyExJkZzDRll4jv6bsWB -yeDvJwKCAQEAvp/CrgbLYaB0YLpX0yXudBUjS7DqjbIQmR+BY5lmPUkzy1Q5E8P5 -OgnPqXB+yfc7rJcBpJKJfibKPjTYIyosnfeG4nOydaEtc0WORwktgeQtIDdX52zM -dGeu9qd+1Hk5JrtY5+fmauJlSWMCPJtvuRz/ueD6CBoqheMZytqY0zOFpNdEzj7v -cCJXMh/+S5asfZq1tferB4K5hWSHK7Kh6nm17INZtCkbaQKxz88EU9tXTsPKn77V -dhUvxbRCc4rNyV1GKO+64SDC3ESR6RAYoUKqNQzDinadrfM7tiWLOvaEsLKHHURc -zCremQRFjOsznxNgbVlYsC1ksuovaZIK3wKCAQAHEUZJwbsr1FJ0qmBOjY6ZbssG -icHEweWdXlxaFKjXj+iRdUWRRnmZRhNB1jMCub1jqXweoAnhq3xq3DyVMe0oZMrh -7C5zzsiJYdOuv+PKw0jm+/jylyVxS9FYv++gBZvAwMUt1NFgNgSb2Que+hVPXfwW -MVaVRCKaA38e18WjNeILOTVD0+NeViAaxhBZPz3kTIuLEPiRJxxeC9XQbjPkUz6k -iDxGSc+Epi+TcOqtYjCC/jQiHExcZD3vlIcnXH3tX/mnPdnM8rPnVoEmx/VUHnq1 -/4JPVP8XBMQABRG3BWgn2OqJiPssLk5DukomAWGxSXzGVjUIaxWzwyFD+ZTR ------END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/istio-1.18.2/samples/certs/ca-key.pem b/istio-1.18.2/samples/certs/ca-key.pem deleted file mode 100644 index faa77f388..000000000 --- a/istio-1.18.2/samples/certs/ca-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 -3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd -Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd -PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs -ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ -t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B -C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN -ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU -8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg -oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf -QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w -J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp -FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ -CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e -DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE -Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN -cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt -yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO -wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY -qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D -Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 -cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 -mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa -8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ -lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== ------END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/cert-chain-alt.pem b/istio-1.18.2/samples/certs/cert-chain-alt.pem deleted file mode 100644 index dbbd50396..000000000 --- a/istio-1.18.2/samples/certs/cert-chain-alt.pem +++ /dev/null 
@@ -1,61 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVjCCAz6gAwIBAgIUPTPKZWcaC54iCXmHXS7VUFrQpJswDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjM3WhcNMzMwMjE3MDM1NjM3WjA9MQ4wDAYDVQQKDAVJc3RpbzEYMBYGA1UE -AwwPSW50ZXJtZWRpYXRlIENBMREwDwYDVQQHDAhjbHVzdGVyMTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJcfHGT0wipRUckkWR1GXs51+Tl017K1Yza4 -eExg+iEFFmzGW/qpH+g2uUk8g/fqEOQrFbtQsFZgH/PtqJDM19tM+sVj9MWVNHTu -f8yb9pjP2Y6O6xTySAYfnZFwfdOt7ewFRBXu+vHKpPzXrrJdJWQG+NoPuYLany5a -I2hgHxPOCKxYlwbyjwdN8PgUlcj7m/bEW3rhwkyWBIw/Cp+/YZIwxCSWl1MBDrjw -srzrVmM+76BJO4twKjqtJR7+j6PSNk7NDjSCItfmtCNDSiSfaPWPwmhTkGPov6Bd -PopnkoGgqDtSBqBRMuS0sEMhjsI2/e2+X6+musRYdTgxSSy2LEg3//nETbC4c+q5 -TrgOTerjO0J28i3iBSS5PVDYr63v02C35Tyn38TRgmp/QETkYAfITrcSnZnTQoR4 -4Nnd8d5qw6XN3cRR/R9A4cccaTAmNVDm+iZk1jNiV6sJ/P1fDHDQACPpyYntduy0 -UCUHeaasbFdfl4eST9/uPALZygS9se7tjm7xTFZcQ7wGqu2DOMWw6ocPL/Mv6nX9 -NJpY98qCAwhE29LUqq+ptDhSQZCVh5dfrrx9nA3UmANylO6AXNc3oxerS6izJLe5 -bQA4FHIZQeqyWqPR+wEpyEUgO1N6+uMlviwMvchAHGYXbzH3o6Z/mOuunn/MVbGW -f0wU2+9lAgMBAAGjaTBnMB0GA1UdDgQWBBTfaZR3DtzO/E6WWIgn2snHJL/BRzAS -BgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdp -c3Rpb2QuaXN0aW8tc3lzdGVtLnN2YzANBgkqhkiG9w0BAQsFAAOCAgEAPxOeQAxC -dEkFQgdmUl/6g6PbqNardN63rzt3el3gVC27RtctI9RgyAOS9Yw/GodQTfao2k1a -WcdqdmK12/eTBccuoJCDuHQx5NgCnIciaOcjE/IdCkNAtZY8T3mRJ0avnm0nxVwo -A3o313NzpJJuZAco8RlaIeM6o7jxD3Z9Pi70xegYwMdopGgm1eVg3kL/TzGhVHty -tFHIuc8LZijQmxFcez28o/eDc5obCRjTOJOe0LYF7CmpkiGiEU0VmfG+iW3rZBKw -JM9/P0dWZZMzaSeDHVWBJPeEZJmKmp2SVtL+4flTj2cQjaboFYINggIO7MzUufcr -xeJ/A2sR2z4zJxBWtiTo5wB7uZju09l6Be4r8p/4OtAxBr/4zSo1iZ7rEyP5wS+k -KevhhHfsnZ/YVEFUcaNqSgJddXjM1RSIssJywvIwQh/6VlUlLNYW/89nEcd+agYz -kBazZIQOUefnvMnEWWlZovabqwVEPBhJ74zTtOn1Z333GnomjJK2vHh5cVMbqxD1 -sTgFx1W+RICgctPWAJxbxOhWunX6edXY1q0pb/dMnAqyIxRg32TEHrHXMCVEP5Hk -Vf6HHDDV7UKhq+S3PVOdo6MHimz6OZenA8cgjyf4jrkd25MrXXL4ergzMEliRg2D -wa4gQqdWzPHE8uCBSAWEAxZCMJ2l2vULltU= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- 
-MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL -BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw -MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE -AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l -OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV -XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5 -nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+ -xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p -7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L -wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq -PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr -2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO -IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf -BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI -1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV -XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3 -OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt -8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7 -Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p -ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8 -cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX -v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff -AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle -OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax -dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL -GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR -5LPKUi9adm4= ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/cert-chain.pem b/istio-1.18.2/samples/certs/cert-chain.pem deleted file mode 100644 index a460e036b..000000000 
--- a/istio-1.18.2/samples/certs/cert-chain.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/generate-workload.sh b/istio-1.18.2/samples/certs/generate-workload.sh deleted file mode 100755 index 2ff08c8e9..000000000 --- a/istio-1.18.2/samples/certs/generate-workload.sh +++ /dev/null 
@@ -1,111 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -name=${1:-foo} -ns=${2:-$name} -sa=${3:-$name} -tmp=${4:-""} -rootselect=${5:-""} -san="spiffe://trust-domain-$name/ns/$ns/sa/$sa" - -DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) - -FINAL_DIR=$DIR -if [ -n "$tmp" ]; then - if [ -d "$tmp" ]; then - FINAL_DIR=$tmp - cp "$DIR"/root-cert.pem "$FINAL_DIR" - cp "$DIR"/ca-cert.pem "$FINAL_DIR" - cp "$DIR"/ca-key.pem "$FINAL_DIR" - cp "$DIR"/cert-chain.pem "$FINAL_DIR" - - cp "$DIR"/root-cert-alt.pem "$FINAL_DIR" - cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR" - cp "$DIR"/ca-key-alt.pem "$FINAL_DIR" - cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR" - - else - echo "tmp argument is not a directory: $tmp" - exit 1 - fi -fi - -function cleanup() { - if [ -f "$FINAL_DIR"/.srl ]; then - rm "$FINAL_DIR"/.srl - fi - if [ -f "$FINAL_DIR"/ca-cert.srl ]; then - rm "$FINAL_DIR"/ca-cert.srl - fi - if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then - rm "$FINAL_DIR"/ca-cert-alt.srl - fi - if [ -f "$FINAL_DIR"/workload.cfg ]; then - rm "$FINAL_DIR"/workload.cfg - fi - if [ -f "$FINAL_DIR"/workload.csr ]; then - rm "$FINAL_DIR"/workload.csr - fi -} - -trap cleanup EXIT - -openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048 - -cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem" -cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem" -cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem" - 
-echo "Generated workload-$sa-[cert|key].pem with URI SAN $san" -openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem" - diff --git a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem deleted file mode 100644 index b5f4752c6..000000000 --- a/istio-1.18.2/samples/certs/leaf-workload-bar-cert.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd -GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR -91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI -j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE -OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw -Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv -bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre -gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C -FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ -4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT -ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE -JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 -8w== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem b/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem deleted file mode 100644 index fee6dcf87..000000000 --- a/istio-1.18.2/samples/certs/leaf-workload-foo-cert.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp -tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er -3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh -MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 -IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG -+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v -bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV -WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC -FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ -q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og -MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE -Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT -bw== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/root-cert-alt.pem b/istio-1.18.2/samples/certs/root-cert-alt.pem deleted file mode 100644 index 8dc20f9dc..000000000 --- a/istio-1.18.2/samples/certs/root-cert-alt.pem +++ /dev/null 
@@ -1,30 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFFDCCAvygAwIBAgIUXl9kIYp2G+37cwt+ruWqmKHpFVkwDQYJKoZIhvcNAQEL
-BQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjMwMjIw
-MDM1NjI2WhcNMzMwMjE3MDM1NjI2WjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE
-AwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMS9oq7l
-OR+vqj+99FcquCZiZB9d3AGmn4CUIzUsHLKwG/H4OZucHNaI+C/2IE+cHpqHq1RV
-XqOdE5fMoBsHTjRN24K/WMHVr76IiTdla3e5OGvb8XtFTqH80bPcahWU6J5SKaP5
-nuj6D0OCDuPgV5fDNkMBp6qH3b+zbSBLDKLyepMeHUdfUXKuUjAFCRzPuKuCzJy+
-xNHu61OuRzILSUL7O8kTSK/1iz0mIFAqSxeS6AFDGsQIJRhKEhQSbmH924dGGQ5p
-7bm8mFEYPYzyEw7l6zqaEKYEzoVhQrulJzUEVITVK9npW/GAREQK8KcabCakJf6L
-wiTMZkWzrY2h7d7U/4Ib/7N3/1HREG6rLjZy08owaf09PNhKE1eqc32rwcJUdbsq
-PiRqPRuIuGtNG69/CT+4I7liKoErJrxy4GfAxLRcFrkTA9Smo8lHsShbW/RvCEdr
-2eXHolxmfgogDr3kYkrG3jYgUyYqaNIdasVQwRkfQByQpxp3ItL66NLLd1jn9ImO
-IHAfWF2CCXdJtXKzksswOs/UW8gu8Y33YzfHZMxRQu5MlDEgKR6TJMDymYVedFAf
-BeqpJepIN4zhpV/DnfC4qfhKf5KWCPWHkZgOKwl6sxOVk25ozDeiatXMfHFztTJI
-1hWRF9cQNWdmHwVx19Yi2VfMwpgsnLDbeb+/AgMBAAGjQjBAMB0GA1UdDgQWBBQV
-XzlSBYPXo+qiYX/1gUkx+t9GrTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAQj5EFGuY8jnXsvrcDEyo3kl+GAar60p3
-OB8BvMQzywYzmalztRluQr77dsTCDo9w+SL7/AKsJqljNJmzQg0Yst0YzPFAFUgt
-8PdCFDgjuSfzlrKukcRj7yd2rzs+MQP3amOuWIj5gq7lUWAPNMp0bhU1lIS2eAk7
-Ew8s4BkgMI2fW8z22uEw49j+720n9q3xIpmfGA7SISe32Z3bu10fXrsIii++Zo9p
-ItX7B5pKaLCwANjUejzC3NZ5HdL+yV9dXWXrVZrTvdFxRiqhNJtV64YTsSH+kVp8
-cCYyNA90CBVQU8ZyomNnOxqOsrBL1NvZllBmX1f3SnVa2Kw+RxJLtEx9lmKT3aiX
-v0kPPhoU+qpA3eOVvbT0CbSBEl56wclPMd7xYMykkNU/AVc3lZ7YFcjb19YNxzff
-AKktnJrFx3FHf03aeAnvJ35FxitrcpV4NvLvq5ViCHVw6IMO5h274Z/HoGHVvcle
-OPtLRiI5Fkaexa6Y/+SPMDFsCfQJzL4ZWmnGSA+Z6YMD5atviQGEbSP4bCwIgOax
-dsSyRo1cTRaOVCGVxed/s+ChbRnvljPd35zl79o+1zOOxJ2ttswYJRkjSsvn+BCL
-GZj8c/5MkLtTwvL62wZVhCIHtZoS4LNUqdkyYvRJMZTV72YuEPTfl8NKhmMislqR
-5LPKUi9adm4=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/istio-1.18.2/samples/certs/root-cert.pem b/istio-1.18.2/samples/certs/root-cert.pem
deleted file mode 100644
index 64c3fd50c..000000000
--- a/istio-1.18.2/samples/certs/root-cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl
-MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD
-QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx
-OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv
-MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB
-FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu
-IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw
-uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv
-YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw
-zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh
-euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ
-ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W
-tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK
-WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy
-AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx
-xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a
-3g==
------END CERTIFICATE-----
diff --git a/istio-1.18.2/samples/certs/workload-bar-cert.pem b/istio-1.18.2/samples/certs/workload-bar-cert.pem
deleted file mode 100644
index 1b59e9c5b..000000000
--- a/istio-1.18.2/samples/certs/workload-bar-cert.pem
+++ /dev/null
@@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUJS8Ge239oviRxEdt1/drPcAB194wDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1MVoXDTMzMDEzMDE4MjA1MVowADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqfOu1GdBXNbvC9iWsqHOWIEQeKTO8UTSYOzflXKQHd -GCC42TSu+uRRH808Qnyz8Ce6eJJ1UwP+m7S2zZfNbY1L2VJvWboQtFC7egbxp2eR -91rJ2WmRiQO6ZoAmQG+UVaVMjqWtrOyJ/tkzjXSskZXcbUkWkrPPAkxsSBRWoCXI -j230dRKggvzZgIgBm4NfDjrdj7AmwEZA0tziPFy/5h+6XJEqD8cFOzKj0Sop80GE -OzSB8zDnZComFz8CZv2WUkJjngj7rOD+coC1LoWJiUlTFMdAngwSWPsyaqpZtDDw -Ct+Cs51lhkQQXC6b3t9D9bHbXAxYsEcHaqR+dKVVHIsCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv -bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjwguC0yf0YavkVJripre -gVkzLMFSn5MeTxbnHxwDGJAHs+0znOXPrCnAxQ6tU7Z1QwpDLlHEekFKGTLdOz4C -FT/kDz7ec7SXt2HkPopRSKY+x0FKuxRcYrDTctMliKul5SFU8h3hcT+hIw9ynPU/ -4+I8WxJjpbw91FTddhMCOD2c23xMS9HNENtCxMlR9vrmkKXcim9M0RlPbuMEMbcT -ntDtdfoHeOC++DdY+41ulGzsbs1NiKdcJu2trxw8axgUFpENo9+xGjmaUdo5AjIE -JjsPVxRStETMko/pV5i6/hTnE5ZejV/o80OMLXvdIdHVxLO0N0X7fR0xDv45bmY9 -8w== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-bar-key.pem b/istio-1.18.2/samples/certs/workload-bar-key.pem deleted file mode 100644 index 1b7889a95..000000000 --- a/istio-1.18.2/samples/certs/workload-bar-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA6p867UZ0Fc1u8L2Jayoc5YgRB4pM7xRNJg7N+VcpAd0YILjZ -NK765FEfzTxCfLPwJ7p4knVTA/6btLbNl81tjUvZUm9ZuhC0ULt6BvGnZ5H3WsnZ -aZGJA7pmgCZAb5RVpUyOpa2s7In+2TONdKyRldxtSRaSs88CTGxIFFagJciPbfR1 -EqCC/NmAiAGbg18OOt2PsCbARkDS3OI8XL/mH7pckSoPxwU7MqPRKinzQYQ7NIHz -MOdkKiYXPwJm/ZZSQmOeCPus4P5ygLUuhYmJSVMUx0CeDBJY+zJqqlm0MPAK34Kz -nWWGRBBcLpve30P1sdtcDFiwRwdqpH50pVUciwIDAQABAoIBABVjCmYSpAZQwaok -POCN6DBsJNFBJB4vBZFQjCoMbeqDku14rCQHR0uEsZdtxMnFRUD52H/RPg4BKYRh -nYAW88OLhHXlPJKfbzBkxozXfmEMhzW5bJ4Y7Bpw5WMNGZaSOPRmdCJaIIc3VQnL -jztxd5vnifa9ngXR+u2oeTGRa+vFncwtf+lDjid6KOsclFEOVRquT9e3BgccwWJL -O7k8GZzHCWj+jxeExrcoD5NMulHZGDTc49ZZeqpVIwQnhFEe+e6LcZ7jaHs1AgUK -v3cHVQUoeHa+NYATeoyXWUJzD0vW6fTgxUrf+GNrtdmbwaoGW4+FmsYKB0YD2FO3 -bQ5cQWECgYEA+sXSllaDmrwFhX7Tga7nHN74maGk0V4eUnVQ2rkwRXgwaUh+V3K7 -5jJ1ZTZuWYbAWup+rVt0cAb0Ja8zBnnkHRdwe0gQqtoj+5YdD8RAluBJePFigp77 -pK+JfdiYnA0JC3Z+7gkeWM/uY9ojDuasX83yVf7Kgm+7HMUrh5dGaDMCgYEA74M5 -Q32oM8zxGm9ck82rh7ox0NwTeIrwr5U42QFqT0h26nR3m51l8odj3rz0WnRtOfAl -sjJ3y5tygdVLMzwpuHzpA/iq7YRY04+g7Q5MoVAImLKzKJzIxZra+6eo2ctcQCBO -U90+jY4C4/YgvTYKnndFvlVXcXXNyhPJKlfLAkkCgYEA8yOWmHjtRLuERvi+rYAd -SJrPQnW9TdoJYD2q1Ua0jMaJear2BGeT0w+dTzLFLzw9iGjPxdlkPbIgSeFigabx -C1vMjVtD/cNfG/Fh4AWR8jcoRYEU2Dy5E+W2UzQMU1E4McsEKlrg948zPdEkKLBy -9LjDe6l8Q5d9PdnV6LM9ao0CgYAnY7NVMCMrcbbtHAdjn11oUuzCZo8lMeRnW+kf -dyYep9I2uLS6+OW9PxrjlLuy7JbSAnaQmdAtwgDQ7V0SrgBGgPRpXMnvieZ51JMo -qUNc/CaNxkXElhRGuzLsVCRmvRUMzsNS833IFeTPzLiRpYOVkBP+O1bIKBGR/DMH -La0LUQKBgQD0Jea309Qr3CZIDp8IYnthYHIezDPmRBbyMKK5kTj/GC19JIXJoonw -nUw9vpVp+WdBy+ZP/567eUp9RrG9xP+OrirWeUT8UFdmpc+JbI54b2tX0UgUePKm -oKXf/DlOM5K2gDaIL+wlFYuxdrLtFCxvFP+7ihueivunjbtENQqdGA== ------END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem b/istio-1.18.2/samples/certs/workload-bar-root-certs.pem deleted file mode 100644 index 9a43073e2..000000000 --- a/istio-1.18.2/samples/certs/workload-bar-root-certs.pem +++ /dev/null 
@@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-foo-cert.pem b/istio-1.18.2/samples/certs/workload-foo-cert.pem deleted file mode 100644 index 50197b987..000000000 --- a/istio-1.18.2/samples/certs/workload-foo-cert.pem +++ /dev/null 
@@ -1,43 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDXTCCAkWgAwIBAgIUVrmTEZowmbvjxihqy0tqCb6CDJEwDQYJKoZIhvcNAQEL -BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT -CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X -DTIzMDIwMjE4MjA1N1oXDTMzMDEzMDE4MjA1N1owADCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMRFee8ym0dNiLEaK46r3axHmSaPEu+8weYsq5Jz++pp -tpLYrRxV79UPKzKqMLmfca1KUs6PYkCipf/hsvNjLwkQf1RRpdScHk17VK/Aa0Er -3maIDw5TzReqd7MfgsIUStmy6T0WVyzMHVAjDV/aRkTwzWwp29bJgfkvI2/Qy9Mh -MONNOZ3+m+UcIK4opgg7GmNwynfrPxhWfUsgtYEpaTXEbJOjqQh/8Io56IK4AbS5 -IvNFfN2RKLi0wg9Yzgd+odoifpumaTP6iuJpohSyCgphr8a3jX5DuUNXduveiwMG -+PESc0QSGzAWA11/PWC1v0nU45oWTB31ibduGWenm2cCAwEAAaN2MHQwDgYDVR0P -AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v -bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAVwpzfheyDDAitN9zVirV -WZtk70CMabWPxEMk76/70MK2LBZmC1v1Zhjt9NOj1viTRA8jbi/WtNJhfkdH6UzC -FaHhPdg8FidIuSazyrXEfiP88L9BLQ2qvJEQq3+ZoyQoCX8bWLOh/8vqm+CgwJR/ -q9JzdYf4rjvXmrm3leHI9Q1AgC83bvNn1FUXBNoMyhHzPYB5/u0j2nlnaeSjc6og -MSgcq/yrq8CpLK4ZS3E5dk8DQPOlTtACFRCSahRn7O7aqZn3QKZ2dXVzu2Uo0GbE -Jgkh1hAemPL9zwSxcfz2uBF4J//ecfDM3xccXuBRaXs6qaDwoM1n+84R9VODKLqT -bw== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
-M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/certs/workload-foo-key.pem b/istio-1.18.2/samples/certs/workload-foo-key.pem deleted file mode 100644 index bac90f1ed..000000000 --- a/istio-1.18.2/samples/certs/workload-foo-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAxEV57zKbR02IsRorjqvdrEeZJo8S77zB5iyrknP76mm2ktit -HFXv1Q8rMqowuZ9xrUpSzo9iQKKl/+Gy82MvCRB/VFGl1JweTXtUr8BrQSveZogP -DlPNF6p3sx+CwhRK2bLpPRZXLMwdUCMNX9pGRPDNbCnb1smB+S8jb9DL0yEw4005 -nf6b5RwgriimCDsaY3DKd+s/GFZ9SyC1gSlpNcRsk6OpCH/wijnogrgBtLki80V8 -3ZEouLTCD1jOB36h2iJ+m6ZpM/qK4mmiFLIKCmGvxreNfkO5Q1d2696LAwb48RJz -RBIbMBYDXX89YLW/SdTjmhZMHfWJt24ZZ6ebZwIDAQABAoIBAQC+W0vZrFFhpFcw -vVsFcrb6Qi7NcPJCxeWhIi39SrRHM+Q5JCExXD/RenbBGsNLJNMR6QXLBNGcMqOh -OvtehxG1TuTPmKinPgs9xqHqG0tq1+tJsig4ExrVGyYg+izNovS9k4IXFzXRYt4D -PRvZnU+NyabSgv6OoL2IOim6Zt1olBIHK0u57bNEFLoLJBHi+/qxVo1H1ZxW4eg/ -/hCkg8IlT7G1wrT9uwAU5ld6wpG6OYub4uHLPsoyWB4E2vl1/liZq4MnUJG0M5m5 -QWHy9wL3jow/LtjVvcn/I09YIJKI9BocUi6/ze/Boy1zo4cL+cryLpfplIhZ0u/N -a/S/222BAoGBAPPXTLJyfSEt70+H2iYPKEBMVo8UBAW2rSICOCMvKZJuCuqccB75 -Jy6h+BQtIJZf+rnNzlG4EH6Vjb4mC/YYBf0U1inpCsdKcw96hv7+EYzBtKf/lK9N -au+AEAgngr1xgA+M84jMWnosFMNw88pO6j260y1aMUmLD8onrnglPcEHAoGBAM4O -79WMqTXipgvQzx66KeQQs6Gf1nwh4Ut9NYs2nk4KQrkAHd4zuURFlxdnqr/mC4wb -nsLCdFOOZaiWIIG93lp0Ox0dLar2jJK88WfCzzerUBljMRv8xJZBLOe7rv5iawVC -mBnZE606m1kTrj6wY5M7TsZiIIeYQcmlJNmW9ZqhAoGBAMY+iqqiDj2FfQTp7F/4 -/r6X0d/tY//JLyVxLHbehyv3r4Riv31PD54ILQsqTU40pkGdo1opDa/8owqvIBZq -HaRO5neYchzo2HcDJPH3WglYCypyzk1f4crqER6wEMk4l+cMr4rOqdieMhtbn7kh -Q6wAUmSS6XNjTekLLfucO4LNAoGBAIjIgYxQg0Kx4WeWhObwzT4HmDaB0+8yzks+ -Inz3FL7ZMNF9slX+H82iJFn1BvO70Y6ABzNhwbZ1oCX5Ajsdvqxs25DH/bivUUFX -CyjFuKhLoDA6GC9r61OSkCyD+fYDfudO/YirANTNQrIuzkvu6yqhA/nMyas49vLU -HVITU5YBAoGBANJVeCLwpjoK2ROM6mIQrHtBR5Ft0a5DhjQWT/6FrsUXGYH3nsdt -cEUCJsBU7z46GcByRIT25xGimoitQppsw6Wcf0gtjNyqbF56aejjEkd5LNtm77gz -9wNya77NzyrtiAjG9TCnDPJUX7satEoXgEGMxmtoiQ+pbD3nvJsFjkZQ ------END RSA PRIVATE KEY----- diff --git a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem b/istio-1.18.2/samples/certs/workload-foo-root-certs.pem deleted file mode 100644 index 9a43073e2..000000000 --- a/istio-1.18.2/samples/certs/workload-foo-root-certs.pem +++ /dev/null 
@@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT -CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x -ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 -iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z -APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K -M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom -ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 -LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T -BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC -AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w -A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 -PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y -05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN -Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn -aFKltOc+RAjzDklcUPeG4Y6eMA== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl -MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD -QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx -OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv -MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB -FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN 
-8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu -IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw -uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv -YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw -zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh -euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ -ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W -tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK -WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy -AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx -xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a -3g== ------END CERTIFICATE----- diff --git a/istio-1.18.2/samples/cicd/skaffold/README.md b/istio-1.18.2/samples/cicd/skaffold/README.md deleted file mode 100644 index a8fa19abb..000000000 --- a/istio-1.18.2/samples/cicd/skaffold/README.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Skaffold - -This is intended for demonstration only, and is not tuned for performance or security. - -skaffold is a tool that enables fast development iteration and controls deployment to local or remote clusters - -If running `skaffold run` for deployment, manifests are pulled from remote charts, if running `skaffold dev` for development and hot reload, manifests are pulled from current branch. - -## Quick Start - -skaffold is built around modules and profiles - -1) istio-base + istio - - ```bash - skaffold run -m istiod - ``` - -2) istio-base + istio + ingress - - ```bash - skaffold run -m ingress - ``` - -3) istio-base + istio + ingress + kiali - - ```bash - skaffold run -m ingress,kiali - ``` - -4) istio-base + istio + ingress + kiali + bookinfo - - ```bash - skaffold run -m ingress,kiali,bookinfo - ``` - -## References - -- Github: [github.com/GoogleContainerTools/skaffold](https://github.com/GoogleContainerTools/skaffold) -- Site: [skaffold.dev](https://skaffold.dev/) - -### TODO - -- Add build and test stage for images in istiod (pilot and proxy) -- Addons diff --git a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml b/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml deleted file mode 100644 index b67aa2891..000000000 --- a/istio-1.18.2/samples/cicd/skaffold/skaffold.yaml +++ /dev/null 
@@ -1,145 +0,0 @@ -# Skaffold - https://skaffold.dev/ -# ------------------------------------------------ # -# This is for illustration purposes only -# ------------------------------------------------ # -# Installation options & modules -# ------------------------------------------------ # -# istio - `skaffold run -m istiod` -# ingress - `skaffold run -m ingress` -# Addons: -# - kiali - `skaffold run -m kiali` -# - prometheus - `skaffold run -m prometheus` -# Demos: -# - bookinfo - `skaffold run -m bookinfo` -# ------------------------------------------------ # -# Development mode - skaffold dev # -# ------------------------------------------------- # -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: istio-base -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istio-base - chartPath: ../../../manifests/charts/base - namespace: istio-system - createNamespace: true - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istio-base - remoteChart: base - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system - createNamespace: true ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: istiod -requires: - - configs: [istio-base] -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istiod - chartPath: ../../../manifests/charts/istio-control/istio-discovery - namespace: istio-system - - name: run - activation: - - command: run - deploy: - helm: - releases: - - name: istiod - remoteChart: istiod - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: ingress -requires: - - configs: [istiod] -profiles: - - name: dev - activation: - - command: dev - deploy: - helm: - releases: - - name: istio-ingressgateway - chartPath: ../../../manifests/charts/gateway - namespace: istio-system - - name: run - 
activation: - - command: run - deploy: - helm: - releases: - - name: istio-ingressgateway - remoteChart: gateway - repo: https://istio-release.storage.googleapis.com/charts - namespace: istio-system ---- -# https://istio.io/latest/docs/ops/integrations/prometheus/ -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: prometheus -requires: - - configs: [istiod] -deploy: - kubectl: - manifests: ["../../../samples/addons/prometheus.yaml"] ---- -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: kiali -requires: - - configs: [prometheus] -deploy: - helm: - releases: - - name: kiali-server - remoteChart: kiali-server - repo: https://kiali.org/helm-charts - namespace: istio-system - version: v1.44.0 - valuesFiles: [../../../manifests/addons/values-kiali.yaml] ---- -# Config for https://istio.io/latest/docs/examples/bookinfo/ -apiVersion: skaffold/v2beta22 -kind: Config -metadata: - name: bookinfo -requires: - - configs: [ingress] -deploy: - kubectl: - hooks: - before: - - host: - command: ["sh", "-c", "kubectl label namespace default istio-injection=enabled --overwrite"] - os: [darwin, linux] - - host: - command: ["cmd.exe", "/C", "kubectl label namespace default istio-injection=enabled --overwrite"] - os: [windows] - manifests: - - "../../../samples/bookinfo/platform/kube/bookinfo.yaml" - - "../../../samples/bookinfo/networking/bookinfo-gateway.yaml" - - "../../../samples/bookinfo/networking/destination-rule-all.yaml" diff --git a/istio-1.18.2/samples/custom-bootstrap/README.md b/istio-1.18.2/samples/custom-bootstrap/README.md deleted file mode 100644 index 814e7dcc2..000000000 --- a/istio-1.18.2/samples/custom-bootstrap/README.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# Custom Envoy Bootstrap Configuration - -This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file. - -## Starting the service - -First, we need to create a `ConfigMap` resource with our bootstrap configuration. - -```bash -kubectl apply -f custom-bootstrap.yaml -``` - -Next, we can create a service that uses this bootstrap configuration. - -To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value. - -We can create our helloworld app, using the custom config, with: - -```bash -kubectl apply -f example-app.yaml -``` - -If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) -set in your cluster you will need to manually inject it to the services instead: - -```bash -istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml -kubectl apply -f example-app-istio.yaml -``` - -## Checking the Bootstrap Configuration - -To see what bootstrap configuration a pod is using: - -```bash -istioctl proxy-config bootstrap -``` - -## Customizing the Bootstrap - -The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag. - -This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended. - -For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful - -## Cleanup - -```bash -kubectl delete -f custom-bootstrap.yaml -kubectl delete -f example-app.yaml -``` 
diff --git a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml b/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml deleted file mode 100644 index 5f4069762..000000000 --- a/istio-1.18.2/samples/custom-bootstrap/custom-bootstrap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-custom-bootstrap-config - namespace: default -data: - custom_bootstrap.json: | - "tracing": { - "http": { - "name": "envoy.tracers.zipkin", - "typed_config": { - "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig", - "collector_cluster": "zipkin", - "collector_endpoint": "/api/v1/spans/custom", - "collector_endpoint_version": "HTTP_JSON", - "trace_id_128bit": true, - "shared_span_context": false - } - } - } diff --git a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml b/istio-1.18.2/samples/custom-bootstrap/example-app.yaml deleted file mode 100644 index 3a351a318..000000000 --- a/istio-1.18.2/samples/custom-bootstrap/example-app.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-v1 - labels: - app: helloworld - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - version: v1 - template: - metadata: - annotations: - sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config" - labels: - app: helloworld - version: v1 - spec: - containers: - - name: helloworld - image: docker.io/istio/examples-helloworld-v1 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 5000 diff --git a/istio-1.18.2/samples/extauthz/README.md b/istio-1.18.2/samples/extauthz/README.md deleted file mode 100644 index 1aba62b63..000000000 --- a/istio-1.18.2/samples/extauthz/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Ext Authz Service - -[Ext Authz server](cmd/extauthz) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter) -as an example of integrating custom authorization system into Istio. - -The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and -will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`. -Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server. - -## Usage - -1. Deploy the Ext Authz service in a dedicated pod: - - ```console - $ kubectl apply -f ext-authz.yaml - service/ext-authz created - deployment.apps/ext-authz created - ``` - - Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`. - -1. Verify the Ext Authz server is up and running: - - Deploy a sleep pod to send the request: - - ```console - $ kubectl apply -f ../sleep/sleep.yaml - ``` - - Send a check request with header `x-ext-authz: allow` to the Ext Authz server: - - ```console - $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow" - * Trying 10.97.88.183:8000... 
- * Connected to ext-authz-server (10.97.88.183) port 8000 (#0) - > GET / HTTP/1.1 - > Host: ext-authz-server:8000 - > User-Agent: curl/7.73.0-DEV - > Accept: */* - > x-ext-authz: allow - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 200 OK - < x-ext-authz-result: allowed - < date: Tue, 03 Nov 2020 03:06:11 GMT - < content-length: 0 - < x-envoy-upstream-service-time: 19 - < server: envoy - < - * Connection #0 to host ext-authz-server left intact - ``` - - As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server. - - Send another check request with `x-ext-authz: blabla` to the Ext Authz server: - - ```console - $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla" - > GET / HTTP/1.1 - > Host: ext-authz-server:8000 - > User-Agent: curl/7.73.0-DEV - > Accept: */* - > x-ext-authz: allowx - > - * Mark bundle as not supporting multiuse - < HTTP/1.1 403 Forbidden - < x-ext-authz-check-result: denied - < date: Tue, 03 Nov 2020 03:14:02 GMT - < content-length: 76 - < content-type: text/plain; charset=utf-8 - < x-envoy-upstream-service-time: 44 - < server: envoy - < - * Connection #0 to host ext-authz-server left intact - denied by ext_authz for not found header `x-ext-authz: allow` in the request - ``` - - As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server. - -1. To clean up, execute the following commands: - - ```console - $ kubectl delete -f ../sleep/sleep.yaml - $ kubectl delete -f ext-authz.yaml - ``` - -## Advanced features - -The Ext Authz server supports the following advanced features that are useful for testing: - -- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of - the check request it received from the ext-authz filter. 
This header is useful in verifying the ext-authz filter sending - the expected request to the ext authz server. - -- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to - the user request. The value of the header depends on the type of ext-authz server. - The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the - check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`. - This header is useful in verifying the header override behavior in the ext-authz filter. diff --git a/istio-1.18.2/samples/extauthz/ext-authz.yaml b/istio-1.18.2/samples/extauthz/ext-authz.yaml deleted file mode 100644 index 0860df5c0..000000000 --- a/istio-1.18.2/samples/extauthz/ext-authz.yaml +++ /dev/null 
@@ -1,55 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Example configurations for deploying ext-authz server separately in the mesh.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: ext-authz
- labels:
- app: ext-authz
-spec:
- ports:
- - name: http
- port: 8000
- targetPort: 8000
- - name: grpc
- port: 9000
- targetPort: 9000
- selector:
- app: ext-authz
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ext-authz
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ext-authz
- template:
- metadata:
- labels:
- app: ext-authz
- spec:
- containers:
- - image: gcr.io/istio-testing/ext-authz:latest
- imagePullPolicy: IfNotPresent
- name: ext-authz
- ports:
- - containerPort: 8000
- - containerPort: 9000
----
diff --git a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml b/istio-1.18.2/samples/extauthz/local-ext-authz.yaml
deleted file mode 100644
index 60a9bf85b..000000000
--- a/istio-1.18.2/samples/extauthz/local-ext-authz.yaml
+++ /dev/null
@@ -1,99 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Example configurations for deploying ext-authz server locally with the application container in the same pod. - -# Define the service entry for the local ext-authz service on port 8000. -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: httpbin-ext-authz-http -spec: - hosts: - - "ext-authz-http.local" - endpoints: - - address: "127.0.0.1" - ports: - - name: http - number: 8000 - protocol: HTTP - resolution: STATIC ---- -# Define the service entry for the local ext-authz service on port 9000. -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: httpbin-ext-authz-grpc -spec: - hosts: - - "ext-authz-grpc.local" - endpoints: - - address: "127.0.0.1" - ports: - - name: grpc - number: 9000 - protocol: GRPC - resolution: STATIC ---- -# Deploy the ext-authz server locally with the application container in the same pod. 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: httpbin -spec: - replicas: 1 - selector: - matchLabels: - app: httpbin - version: v1 - template: - metadata: - labels: - app: httpbin - version: v1 - spec: - serviceAccountName: httpbin - containers: - - image: docker.io/kong/httpbin - imagePullPolicy: IfNotPresent - name: httpbin - ports: - - containerPort: 80 - - image: gcr.io/istio-testing/ext-authz:latest - imagePullPolicy: IfNotPresent - name: ext-authz - ports: - - containerPort: 8000 - - containerPort: 9000 ---- -apiVersion: v1 -kind: Service -metadata: - name: httpbin - labels: - app: httpbin - service: httpbin -spec: - ports: - - name: http - port: 8000 - targetPort: 80 - selector: - app: httpbin ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: httpbin ---- diff --git a/istio-1.18.2/samples/external/README.md b/istio-1.18.2/samples/external/README.md deleted file mode 100644 index e17198b8d..000000000 --- a/istio-1.18.2/samples/external/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# External Services - -By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations. - -See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for -information on configuring Istio to contact external services. - -This directory contains samples showing how to enable pods to contact a few well -known services. - -If Istio is not configured to allow pods to contact external services, the pods will -see errors such as 404s, HTTPS connection problems, and TCP connection problems. If -ServiceEntries are misconfigured pods may see problems with server names. - -## Try it out - -After an operator runs `kubectl create -f aptget.yaml` pods will be able to -succeed with `apt-get update` and `apt-get install`. - -After an operator runs `kubectl create -f github.yaml` pods will be able to -succeed with `git clone https://github.com/fortio/fortio.git`. - -Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`. - -It is not a best practice to enable pods to update libraries dynamically. -We are providing these samples -because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud -services. - -### Enable communication by default - -Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique -discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will -allow external communication for ports 80 and 22. diff --git a/istio-1.18.2/samples/external/aptget.yaml b/istio-1.18.2/samples/external/aptget.yaml deleted file mode 100644 index fa24fa451..000000000 
--- a/istio-1.18.2/samples/external/aptget.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# This ServiceEntry exposes the hosts needed for installing packages with apt-get. -# After applying this file, Istio-enabled pods (configured apt-get) be able to execute -# `apt-get upgrade` and `apt-get install`. If this is not installed you may get -# "404 Not Found" - -apiVersion: networking.istio.io/v1alpha3 -kind: ServiceEntry -metadata: - name: make-aptget-work -spec: - hosts: - - deb.debian.org - - cdn-fastly.deb.debian.org - - security.debian.org - - archive.ubuntu.com - - security.ubuntu.com - ports: - - number: 80 - name: http - protocol: HTTP diff --git a/istio-1.18.2/samples/external/github.yaml b/istio-1.18.2/samples/external/github.yaml deleted file mode 100644 index 832cbc379..000000000 --- a/istio-1.18.2/samples/external/github.yaml +++ /dev/null 
@@ -1,53 +0,0 @@
-# This ServiceEntry exposes the hosts needed for github.com.
-# After applying this file, Istio-enabled pods will be able to execute
-# `git clone https://github.com/istio/api.git` and (with local identification
-# config and certificate) `git clone git@github.com:istio/api.git`
-
-# HTTP and TLS, the host must be specified
-# See https://istio.io/docs/tasks/traffic-management/egress/
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: github-https
-spec:
- hosts:
- - github.com
- ports:
- - number: 443
- name: https
- protocol: HTTPS
----
-# For TCP services the IP ranges SHOULD be specified to avoid problems
-# if multiple SEs use the same port number.
-# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: github-tcp
-spec:
- hosts:
- - dummy.github.com # not used
- addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/
- - "13.229.188.59/32"
- - "13.250.177.223/32"
- - "140.82.112.0/20"
- - "18.194.104.89/32"
- - "18.195.85.27/32"
- - "185.199.108.0/22"
- - "185.199.108.153/32"
- - "185.199.109.153/32"
- - "185.199.110.153/32"
- - "185.199.111.153/32"
- - "192.30.252.0/22"
- - "192.30.252.153/32"
- - "192.30.252.154/32"
- - "23.20.92.3/32"
- - "35.159.8.160/32"
- - "52.74.223.119/32"
- - "54.166.52.62/32"
- - "54.87.5.173/32"
- ports:
- - name: tcp
- number: 22
- protocol: tcp
- location: MESH_EXTERNAL
diff --git a/istio-1.18.2/samples/external/pypi.yaml b/istio-1.18.2/samples/external/pypi.yaml
deleted file mode 100644
index 7f457a5af..000000000
--- a/istio-1.18.2/samples/external/pypi.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# This ServiceEntry exposes the hosts needed for Python `pip`.
-# After applying this file, Istio-enabled pods will be able to execute
-# `pip search istio`.
-
-# HTTP and TLS, the host must be specified
-# See https://istio.io/docs/tasks/traffic-management/egress/
-
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: python-https
-spec:
- hosts:
- - pypi.python.org
- ports:
- - number: 443
- name: https
- protocol: HTTPS
----
-# pypi.python.org may 301 redirect to pypi.org, so we need this too.
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: pypi-https
-spec:
- hosts:
- - pypi.org
- ports:
- - number: 443
- name: https
- protocol: HTTPS
----
-# pip install may fetch files from files.pythonhosted.org
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
- name: pythonhosted-https
-spec:
- hosts:
- - files.pythonhosted.org
- ports:
- - number: 443
- name: https
- protocol: HTTPS
diff --git a/istio-1.18.2/samples/grpc-echo/README.md b/istio-1.18.2/samples/grpc-echo/README.md
deleted file mode 100644
index 466316988..000000000
--- a/istio-1.18.2/samples/grpc-echo/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# grpc-echo
-
-This sample demonstrates Istio's Proxyless gRPC support with a special injection template `grpc-agent`.
-The template injects the `istio-proxy` sidecar, but the sidecar will only run `pilot-agent` and not envoy.
-
-See the [gRPC xDS feature status](https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md) for more
-information.
diff --git a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml b/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml
deleted file mode 100644
index fb3899c36..000000000
--- a/istio-1.18.2/samples/grpc-echo/grpc-echo.yaml
+++ /dev/null
@@ -1,197 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: echo - name: echo - namespace: echo-grpc -spec: - selector: - app: echo - type: ClusterIP - ports: - - name: http - port: 80 - targetPort: 18080 - - name: grpc - port: 7070 - targetPort: 17070 - - name: tcp - port: 9090 - targetPort: 19090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: echo-v1 - namespace: echo-grpc -spec: - replicas: 1 - selector: - matchLabels: - app: echo - version: v1 - template: - metadata: - annotations: - inject.istio.io/templates: grpc-agent - proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' - labels: - app: echo - version: v1 - spec: - containers: - - args: - - --metrics=15014 - - --port - - "18080" - - --tcp - - "19090" - - --xds-grpc-server=17070 - - --grpc - - "17070" - - --grpc - - "17171" - - --port - - "3333" - - --port - - "8080" - - --version - - v1 - - --crt=/cert.crt - - --key=/cert.key - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: gcr.io/istio-testing/app:latest - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 - name: app - ports: - - containerPort: 17070 - protocol: TCP - - containerPort: 17171 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 3333 - name: tcp-health-port - protocol: TCP - readinessProbe: - failureThreshold: 10 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - runAsGroup: 1338 - runAsUser: 1338 - startupProbe: - failureThreshold: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: echo-v2 - namespace: echo-grpc -spec: - replicas: 1 - selector: - matchLabels: - app: 
echo - version: v2 - template: - metadata: - annotations: - inject.istio.io/templates: grpc-agent - proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}' - labels: - app: echo - version: v2 - spec: - containers: - - args: - - --metrics=15014 - - --xds-grpc-server=17070 - - --port - - "18080" - - --tcp - - "19090" - - --grpc - - "17070" - - --grpc - - "17171" - - --port - - "3333" - - --port - - "8080" - - --version - - v2 - - --crt=/cert.crt - - --key=/cert.key - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: gcr.io/istio-testing/app:latest - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 - name: app - ports: - - containerPort: 17070 - protocol: TCP - - containerPort: 17171 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 3333 - name: tcp-health-port - protocol: TCP - readinessProbe: - failureThreshold: 10 - httpGet: - path: / - port: 8080 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - runAsGroup: 1338 - runAsUser: 1338 - startupProbe: - failureThreshold: 10 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: tcp-health-port - timeoutSeconds: 1 diff --git a/istio-1.18.2/samples/health-check/liveness-command.yaml b/istio-1.18.2/samples/health-check/liveness-command.yaml deleted file mode 100644 index 247b55e5a..000000000 --- a/istio-1.18.2/samples/health-check/liveness-command.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Liveness service -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: liveness - labels: - app: liveness - service: liveness -spec: - ports: - - port: 80 - name: http - selector: - app: liveness ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: liveness -spec: - selector: - matchLabels: - app: liveness - template: - metadata: - labels: - app: liveness - spec: - containers: - - name: liveness - image: registry.k8s.io/busybox - args: - - /bin/sh - - -c - - touch /tmp/healthy; sleep 3600 - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - initialDelaySeconds: 5 - periodSeconds: 5 diff --git a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml b/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml deleted file mode 100644 index a39a3ff11..000000000 --- a/istio-1.18.2/samples/health-check/liveness-http-same-port.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: liveness-http - labels: - app: liveness-http - service: liveness-http -spec: - ports: - - name: http - port: 8001 - selector: - app: liveness-http ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: liveness-http -spec: - selector: - matchLabels: - app: liveness-http - version: v1 - template: - metadata: - labels: - app: liveness-http - version: v1 - spec: - containers: - - name: liveness-http - image: docker.io/istio/health:example - ports: - - containerPort: 8001 - livenessProbe: - httpGet: - path: /foo - port: 8001 - initialDelaySeconds: 5 - periodSeconds: 5 diff --git a/istio-1.18.2/samples/helloworld/README.md b/istio-1.18.2/samples/helloworld/README.md deleted file mode 100644 index e41bd1679..000000000 --- a/istio-1.18.2/samples/helloworld/README.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Helloworld service - -This sample includes two versions of a simple helloworld service that returns its version -and instance (hostname) when called. -It can be used as a test service when experimenting with version routing. - -This service is also used to demonstrate canary deployments working in conjunction with autoscaling. -See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary). - -## Start the helloworld service - -The following commands assume you have -[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) -enabled in your cluster. -If not, you'll need to modify them to include -[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection). - -To run both versions of the helloworld service, use the following command: - -```bash -kubectl apply -f helloworld.yaml -``` - -Alternatively, you can run just one version at a time by first defining the service: - -```bash -kubectl apply -f helloworld.yaml -l service=helloworld -``` - -and then deploying version v1, v2, or both: - -```bash -kubectl apply -f helloworld.yaml -l version=v1 -kubectl apply -f helloworld.yaml -l version=v2 -``` - -For even more flexibility, there is also a script, `gen-helloworld.sh`, that will -generate YAML for the helloworld service. This script takes the following -arguments: - -Argument | Default | Description --------- | ------- | ----------- -`-h`,`--help` | | Prints usage information. -`--version` | `v1` | Specifies the version that will be returned by the helloworld service. -`--includeService` | `true` | If `true` the service will be included in the YAML. -`--includeDeployment` | `true` | If `true` the deployment will be included in the YAML. 
- -You can use this script to deploy a custom version: - -```bash -./gen-helloworld.sh --version customversion | \ - kubectl apply -f - -``` - -## Configure the helloworld gateway - -*___Note:___ Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). You can use the Gateway API to configure the helloworld service, instead of the classic Istio configuration model, by following the instructions in [./gateway-api/README.md](./gateway-api/README.md), instead of the instructions below.* - -Apply the helloworld gateway configuration: - -```bash -kubectl apply -f helloworld-gateway.yaml -``` - -Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) -to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl: - -```bash -export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT -curl http://$GATEWAY_URL/hello -``` - -## Autoscale the services - -Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) -only works if all containers in the pods request cpu. In this sample the deployment -containers in `helloworld.yaml` are configured with the request. -The injected istio-proxy containers also include cpu requests, -making the helloworld service ready for autoscaling. 
- -Enable autoscaling on both versions of the service: - -```bash -kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10 -kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10 -kubectl get hpa -``` - -## Generate load - -```bash -./loadgen.sh & -./loadgen.sh & # run it twice to generate lots of load -``` - -Wait for about 2 minutes and then check the number of replicas: - -```bash -kubectl get hpa -``` - -If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1. - -## Cleanup - -```bash -kubectl delete -f helloworld.yaml -kubectl delete -f helloworld-gateway.yaml -kubectl delete hpa helloworld-v1 helloworld-v2 -``` diff --git a/istio-1.18.2/samples/helloworld/gateway-api/README.md b/istio-1.18.2/samples/helloworld/gateway-api/README.md deleted file mode 100644 index ee37810e0..000000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/README.md +++ /dev/null 
@@ -1,74 +0,0 @@ -# Configure helloworld using the Kubernetes Gateway API - -Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management [in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). -You can use the following instructions to configure the ingress gateway and routing for the helloworld sample. - -## Before you begin - -The Gateway API CRDs do not come installed by default on most Kubernetes clusters, so install them if not present: - -```bash -kubectl get crd gateways.gateway.networking.k8s.io || \ - { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; } -``` - -Also make sure you are running two versions (v1 and v2) of the helloworld service: - -```bash -kubectl apply -f ../helloworld.yaml -``` - -## Configure the helloworld gateway - -Apply the helloworld gateway configuration: - -```bash -kubectl apply -f ./helloworld-gateway.yaml -``` - -Note that unlike an Istio `Gateway`, creating a Kubernetes `Gateway` resource will, by default, also [deploy an associated controller](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment). - -Set the INGRESS_HOST environment variables to the address of the helloworld gateway: - -```bash -kubectl wait --for=condition=ready gtw helloworld-gateway -export INGRESS_HOST=$(kubectl get gtw helloworld-gateway -o jsonpath='{.status.addresses[*].value}') -``` - -Confirm the sample is running using curl: - -```bash -for run in {1..10}; do curl http://$INGRESS_HOST/hello; done -``` - -Since no version routing has been configured, you should see an equal split of traffic, about half handled by helloworld-v1 and the other half handled by helloworld-v2. 
- -## Configure weight-based routing - -Declare the helloworld versions (Gateway API requires backend service definitions, unlike the Istio API which uses DestinationRule subsets for this): - -```bash -kubectl apply -f ./helloworld-versions.yaml -``` - -Apply the following route rule to distribute the helloworld traffic 90% to v1, 10% to v2: - -```bash -kubectl apply -f ./helloworld-route.yaml -``` - -Run the previous curl commands again: - -```bash -for run in {1..10}; do curl http://$INGRESS_HOST/hello; done -``` - -Now you should see about 9 out of 10 requests handled by helloworld-v1 and only about 1 in 10 handled by helloworld-v2. - -## Cleanup - -```bash -kubectl delete -f ./helloworld-gateway.yaml -kubectl delete -f ./helloworld-versions.yaml -kubectl delete -f ../helloworld.yaml -``` diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml deleted file mode 100644 index c4c8a8a63..000000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-gateway.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - gatewayClassName: istio - listeners: - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same ---- -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: HTTPRoute -metadata: - name: helloworld -spec: - parentRefs: - - name: helloworld-gateway - rules: - - matches: - - path: - type: Exact - value: /hello - backendRefs: - - name: helloworld - port: 5000 diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml deleted file mode 100644 index 1e316f958..000000000 --- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-route.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
- name: helloworld
-spec:
- parentRefs:
- - name: helloworld-gateway
- rules:
- - matches:
- - path:
- type: Exact
- value: /hello
- backendRefs:
- - name: helloworld-v1
- port: 5000
- weight: 90
- - name: helloworld-v2
- port: 5000
- weight: 10
diff --git a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml b/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml
deleted file mode 100644
index fc218515b..000000000
--- a/istio-1.18.2/samples/helloworld/gateway-api/helloworld-versions.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld-v1
-spec:
- ports:
- - port: 5000
- name: http
- selector:
- app: helloworld
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld-v2
-spec:
- ports:
- - port: 5000
- name: http
- selector:
- app: helloworld
- version: v2
diff --git a/istio-1.18.2/samples/helloworld/gen-helloworld.sh b/istio-1.18.2/samples/helloworld/gen-helloworld.sh
deleted file mode 100755
index 8634ddc7b..000000000
--- a/istio-1.18.2/samples/helloworld/gen-helloworld.sh
+++ /dev/null
@@ -1,131 +0,0 @@ -#!/bin/bash -# -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -euo pipefail - -display_usage() { - echo - echo "USAGE: ./gen-helloworld.sh [--version] [--includeService value] [--includeDeployment value]" - echo " -h|--help: Prints usage information" - echo " --version: Specifies the version that will be returned by the helloworld service, default: 'v1'" - echo " --includeService: If 'true' the service will be included in the YAML, default: 'true'" - echo " --includeDeployment: If 'true' the deployment will be included in the YAML, default: 'true'" -} - -INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"} -INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"} -SERVICE_VERSION=${SERVICE_VERSION:-"v1"} -while (( "$#" )); do - case "$1" in - -h|--help) - display_usage - exit 0 - ;; - - --version) - SERVICE_VERSION=$2 - shift 2 - ;; - - --includeService) - INCLUDE_SERVICE=$2 - shift 2 - ;; - - --includeDeployment) - INCLUDE_DEPLOYMENT=$2 - shift 2 - ;; - - *) - echo "Error: Unsupported flag $1" >&2 - display_usage - exit 1 - ;; - esac -done - -SERVICE_YAML=$(cat </dev/null || true) -if [[ "${ENVOS}" != "Linux" ]]; then - echo "Your system is not supported by this script. 
Only Linux is supported" - exit 1 -fi - -# Check prerequisites -REQUISITES=("kubectl" "kind" "docker") -for item in "${REQUISITES[@]}"; do - if [[ -z $(which "${item}") ]]; then - echo "${item} cannot be found on your system, please install ${item}" - exit 1 - fi -done - -# Function to print the usage message -function printHelp() { - echo "Usage: " - echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-space 255" - echo "" - echo "Where:" - echo " -n|--cluster-name - name of the k8s cluster to be created" - echo " -r|--k8s-release - the release of the k8s to setup, latest available if not given" - echo " -s|--ip-space - the 2rd to the last part for public ip addresses, 255 if not given, valid range: 0-255" - echo " -i|--ip-family - ip family to be supported, default is ipv4 only. Value should be ipv4, ipv6, or dual" - echo " -h|--help - print the usage of this script" -} - -# Setup default values -CLUSTERNAME="cluster1" -K8SRELEASE="" -IPSPACE=255 -IPFAMILY="ipv4" - -# Handling parameters -while [[ $# -gt 0 ]]; do - optkey="$1" - case $optkey in - -h|--help) - printHelp; exit 0;; - -n|--cluster-name) - CLUSTERNAME="$2"; shift 2;; - -r|--k8s-release) - K8SRELEASE="--image=kindest/node:v$2"; shift 2;; - -s|--ip-space) - IPSPACE="$2"; shift 2;; - -i|--ip-family) - IPFAMILY="${2,,}";shift 2;; - -m|--mode) - MODE="$2"; shift 2;; - *) # unknown option - echo "parameter $1 is not supported"; printHelp; exit 1;; - esac -done - -# This block is to setup kind to have a local image repo to push -# images using localhost:5000, to use this feature, start up -# a registry container such as gcr.io/istio-testing/registry, then -# connect it to the docker network where kind nodes are running on -# which normally will be called kind -FEATURES=$(cat << EOF -featureGates: - MixedProtocolLBService: true - GRPCContainerProbe: true -kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta2 - kind: ClusterConfiguration - metadata: - name: config - etcd: - local: - # Run 
etcd in a tmpfs (in RAM) for performance improvements - dataDir: /tmp/kind-cluster-etcd - # We run single node, drop leader election to reduce overhead - controllerManagerExtraArgs: - leader-elect: "false" - schedulerExtraArgs: - leader-elect: "false" - apiServer: - extraArgs: - "service-account-issuer": "kubernetes.default.svc" - "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" -containerdConfigPatches: - - |- - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] - endpoint = ["http://kind-registry:5000"] -EOF -) - -validIPFamilies=("ipv4" "ipv6" "dual") -# Validate if the ip family value is correct. -isValid="false" -for family in "${validIPFamilies[@]}"; do - if [[ "$family" == "${IPFAMILY}" ]]; then - isValid="true" - break - fi -done - -if [[ "${isValid}" == "false" ]]; then - echo "${IPFAMILY} is not valid ip family, valid values are ipv4, ipv6 or dual" - exit 1 -fi - -if [[ "${MODE}" == "ambient" ]]; then -NODES=$(cat << EOF -nodes: -- role: control-plane -- role: worker -- role: worker -EOF -) -else -NODES=$(cat << EOF -nodes: -- role: control-plane -EOF -) -fi - - -# Create k8s cluster using the giving release and name -if [[ -z "${K8SRELEASE}" ]]; then - cat << EOF | kind create cluster --config - -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -${FEATURES} -name: ${CLUSTERNAME} -${NODES} -networking: - ipFamily: ${IPFAMILY} -EOF -else - cat << EOF | kind create cluster "${K8SRELEASE}" --config - -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -${FEATURES} -name: ${CLUSTERNAME} -${NODES} -networking: - ipFamily: ${IPFAMILY} -EOF -fi - -# Setup cluster context -kubectl cluster-info --context "kind-${CLUSTERNAME}" - -# Setup metallb using v0.13.6 -kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.6/config/manifests/metallb-native.yaml - -addrName="IPAddress" -ipv4Prefix="" -ipv6Prefix="" - -# Get both ipv4 and ipv6 gateway for the cluster -gatewaystr=$(docker network inspect -f '{{range 
.IPAM.Config }}{{ .Gateway }} {{end}}' kind | cut -f1,2) -read -r -a gateways <<< "${gatewaystr}" -for gateway in "${gateways[@]}"; do - if [[ "$gateway" == *"."* ]]; then - ipv4Prefix=$(echo "${gateway}" |cut -d'.' -f1,2) - else - ipv6Prefix=$(echo "${gateway}" |cut -d':' -f1,2,3,4) - fi -done - -if [[ "${IPFAMILY}" == "ipv4" ]]; then - addrName="IPAddress" - ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240" - ipv6Range="" -elif [[ "${IPFAMILY}" == "ipv6" ]]; then - ipv4Range="" - ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240" - addrName="GlobalIPv6Address" -else - ipv4Range="- ${ipv4Prefix}.$IPSPACE.200-${ipv4Prefix}.$IPSPACE.240" - ipv6Range="- ${ipv6Prefix}::$IPSPACE:200-${ipv6Prefix}::$IPSPACE:240" -fi - -# utility function to wait for pods to be ready -function waitForPods() { - ns=$1 - lb=$2 - waittime=$3 - # Wait for the pods to be ready in the given namespace with lable - while : ; do - res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \ - -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true) - if [[ "${res}" == *"condition met"* ]]; then - break - fi - echo "Waiting for pods in namespace ${ns} with label ${lb} to be ready..." - sleep "${waittime}" - done -} - -waitForPods metallb-system app=metallb 10 - -# Now configure the loadbalancer public IP range -cat <&2 - exit 1 - ;; - esac -done - - -# single-cluster installations may need this gateway to allow VMs to get discovery -# for non-single cluster, we add additional topology information -SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}" -if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then - if [[ -z "${NETWORK:-}" ]]; then - echo "Must specify either --single-cluster or --network." 
- exit 1 - fi -fi - -# base -IOP=$(cat < apply -f ../otel.yaml -``` - -In this example, we use `otel-collector` as the namespace to deploy the `otel-collector` backend: - -```ba -kubectl -n otel-collector apply -f ../otel.yaml -``` - -The otel-collector will create a grpc receiver on port `4317`, and later the sidecars will report trace information to this grpc port. You can find more details from [here](https://github.com/open-telemetry/opentelemetry-collector). - -Below is the configuration: - -```yaml -receivers: - otlp: - protocols: - grpc: - http: -processors: - batch: -exporters: - logging: - loglevel: debug -service: - pipelines: - logs: - receivers: [otlp] - processors: [batch] - exporters: [logging] -``` - -In this example, `Jaeger` is the exporter for gathering the traces. Assuming you have already deployed Jaeger as your tracing system with [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation, you are good to go to the next steps. If you already have your own `Jaeger` deployed, you may need to modify the otel collector config. The configmap name is `opentelemetry-collector-conf` in the namespace you deployed the otel collector, and the related config is defined as: - -```yaml -exporters: - jaeger: - endpoint: jaeger-collector.istio-system.svc.cluster.local:14250 - tls: - insecure: true - sending_queue: - enabled: true - retry_on_failure: - enabled: true -service: - pipelines: - traces: - exporters: - - jaeger -``` - -You need to modify the jaeger exporter endpoint with the one you deployed, in this case it's `jaeger-collector.istio-system.svc.cluster.local:14250`. - -If you have not deployed the `Jaeger` service, you can follow [this](https://istio.io/latest/docs/ops/integrations/jaeger/) installation to install the service. - -You may also choose any existing tracing system if you have, and you should change the exporter settings in the configmap mentioned above. 
- -You may also choose to use your own otel collector if you have, and the key part is to have the `otlp` grpc protocol receiver to receive the traces. One important thing is to make sure your otel collector service's grpc port starts with `grpc-` prefix, which is like: - -```ya -spec: - ports: - - name: grpc-otlp - port: 4317 - protocol: TCP - targetPort: 4317 -``` - -Otherwise the traces may not be reported. - -## Update mesh config - -Install or update Istio with the `demo` profile to make sure you have the OpenTelemetry tracing provider enabled: - -```bash -istioctl install --set profile=demo -y -``` - -Or ensure you have the following additional mesh config set in your Istio: - -```yaml -mesh: |- - extensionProviders: - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local -``` - -Make sure the service name matches the one you deployed if you select a different namespace. - -## Apply the Telemetry resource to report traces - -Next, add a Telemetry resource that tells Istio to send trace records to the OpenTelemetry collector. - -```yaml -kubectl -n otel-collector apply -f ./telemetry.yaml -``` - -The core config is: - -```yaml -tracing: -- providers: - - name: otel-tracing - randomSamplingPercentage: 0 -``` - -As you see, the `randomSamplingPercentage` is 0, which means the tracing is still not enabled because of `0` sampling percentage. The tracing can be opt-on by increasing the `randomSamplingPercentage` value to `1-100`. The `Telemetry` resource can also be manipulated in workload/namespace/global levels, you can check [here](https://istio.io/latest/docs/reference/config/telemetry/) for more config examples. - -## Check tracing results - -If you have followed [this](https://istio.io/latest/docs/setup/getting-started/) getting started steps, you have the sample bookinfo applications installed. Try to make some requests to the productpage to generate some traces. 
- -Then open up the `Jaeger` dashboard with: - -```bash -istioctl dashboard jaeger -``` - -You will see the requests' trace records. - -## Cleanup - -```bash -kubectl -n otel-collector delete -f ./telemetry.yaml -kubectl -n otel-collector delete -f ../otel.yaml -``` diff --git a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml b/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml deleted file mode 100644 index fd831a2b4..000000000 --- a/istio-1.18.2/samples/open-telemetry/tracing/telemetry.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: telemetry.istio.io/v1alpha1 -kind: Telemetry -metadata: - name: otel-demo -spec: - tracing: - - providers: - - name: otel-tracing - randomSamplingPercentage: 0 diff --git a/istio-1.18.2/samples/operator/cni-on.yaml b/istio-1.18.2/samples/operator/cni-on.yaml deleted file mode 100644 index ae850b4d2..000000000 --- a/istio-1.18.2/samples/operator/cni-on.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - cni: - enabled: true diff --git a/istio-1.18.2/samples/operator/default-install.yaml b/istio-1.18.2/samples/operator/default-install.yaml deleted file mode 100644 index 65a4d9b66..000000000 --- a/istio-1.18.2/samples/operator/default-install.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system - name: istio-operator -spec: - profile: default - diff --git a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml b/istio-1.18.2/samples/operator/pilot-advanced-override.yaml deleted file mode 100644 index 4b57fd846..000000000 --- a/istio-1.18.2/samples/operator/pilot-advanced-override.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- pilot:
- k8s:
- overlays:
- - kind: Deployment
- name: istiod
- patches:
- - path: spec.template.spec.containers.[name:discovery].args.[30m]
- value: "60m" # OVERRIDDEN
- - path: spec.template.spec.containers.[name:discovery].ports.[containerPort:8080].containerPort
- value: 8090 # OVERRIDDEN
- - kind: Service
- name: istiod
- patches:
- - path: spec.ports.[name:grpc-xds].port
- value: 15099 # OVERRIDDEN
diff --git a/istio-1.18.2/samples/operator/pilot-k8s.yaml b/istio-1.18.2/samples/operator/pilot-k8s.yaml
deleted file mode 100644
index 081f55ed5..000000000
--- a/istio-1.18.2/samples/operator/pilot-k8s.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- pilot:
- k8s:
- resources:
- requests:
- cpu: 1000m # override from default 500m
- memory: 4096Mi # ... default 2048Mi
- hpaSpec:
- maxReplicas: 10 # ... default 5
- minReplicas: 2 # ... default 1
diff --git a/istio-1.18.2/samples/operator/values-global.yaml b/istio-1.18.2/samples/operator/values-global.yaml
deleted file mode 100644
index 8726f27e1..000000000
--- a/istio-1.18.2/samples/operator/values-global.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- values:
- global:
- logging:
- level: "default:warning" # override from info
diff --git a/istio-1.18.2/samples/operator/values-pilot.yaml b/istio-1.18.2/samples/operator/values-pilot.yaml
deleted file mode 100644
index bca6c2eea..000000000
--- a/istio-1.18.2/samples/operator/values-pilot.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- values:
- pilot:
- traceSampling: 0.1 # override from 1.0
diff --git a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml b/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml
deleted file mode 100644
index cfda9c76a..000000000
--- a/istio-1.18.2/samples/ratelimit/rate-limit-service.yaml
+++ /dev/null
@@ -1,151 +0,0 @@ -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################################################## -# Redis service and deployment -# Ratelimit service and deployment - -# Note: a configmap is needed to make the rate limit deployment work properly, for example: -# -# apiVersion: v1 -# kind: ConfigMap -# metadata: -# name: ratelimit-config -# data: -# config.yaml: | -# domain: echo-ratelimit -# descriptors: -# - key: PATH -# value: "/" -# rate_limit: -# unit: minute -# requests_per_unit: 1 -# - key: PATH -# rate_limit: -# unit: minute -# requests_per_unit: 100 -################################################################################################## -apiVersion: v1 -kind: Service -metadata: - name: redis - labels: - app: redis -spec: - ports: - - name: redis - port: 6379 - selector: - app: redis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - image: redis:alpine - imagePullPolicy: Always - name: redis - ports: - - name: redis - containerPort: 6379 - restartPolicy: Always - serviceAccountName: "" ---- -apiVersion: v1 -kind: Service -metadata: - name: ratelimit - labels: - app: ratelimit -spec: - ports: - - name: http-port - port: 8080 - targetPort: 8080 - protocol: TCP - - name: grpc-port - port: 8081 - targetPort: 
8081 - protocol: TCP - - name: http-debug - port: 6070 - targetPort: 6070 - protocol: TCP - selector: - app: ratelimit ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ratelimit -spec: - replicas: 1 - selector: - matchLabels: - app: ratelimit - strategy: - type: Recreate - template: - metadata: - labels: - app: ratelimit - spec: - containers: - - image: envoyproxy/ratelimit:9d8d70a8 # 2022/08/16 - imagePullPolicy: Always - name: ratelimit - command: ["/bin/ratelimit"] - env: - - name: LOG_LEVEL - value: debug - - name: REDIS_SOCKET_TYPE - value: tcp - - name: REDIS_URL - value: redis:6379 - - name: USE_STATSD - value: "false" - - name: RUNTIME_ROOT - value: /data - - name: RUNTIME_SUBDIRECTORY - value: ratelimit - - name: RUNTIME_WATCH_ROOT - value: "false" - - name: RUNTIME_IGNOREDOTFILES - value: "true" - - name: HOST - value: "::" - - name: GRPC_HOST - value: "::" - ports: - - containerPort: 8080 - - containerPort: 8081 - - containerPort: 6070 - volumeMounts: - - name: config-volume - mountPath: /data/ratelimit/config - volumes: - - name: config-volume - configMap: - name: ratelimit-config diff --git a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml b/istio-1.18.2/samples/security/psp/sidecar-psp.yaml deleted file mode 100644 index f9612d6b0..000000000 --- a/istio-1.18.2/samples/security/psp/sidecar-psp.yaml +++ /dev/null 
@@ -1,46 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-sidecar
-spec:
- # Allow the istio sidecar injector to work
- allowedCapabilities:
- - NET_ADMIN
- - NET_RAW
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- fsGroup:
- rule: RunAsAny
- volumes:
- - '*'
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: istio-sidecar-psp
-rules:
- - apiGroups:
- - extensions
- resources:
- - podsecuritypolicies
- resourceNames:
- - istio-sidecar
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-sidecar-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-sidecar-psp
-subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: system:serviceaccounts
diff --git a/istio-1.18.2/samples/security/spire/README.md b/istio-1.18.2/samples/security/spire/README.md
deleted file mode 100644
index b3e1978ff..000000000
--- a/istio-1.18.2/samples/security/spire/README.md
+++ /dev/null
@@ -1,90 +0,0 @@ -# Integrating SPIRE as a CA through Envoy's SDS API - -This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information -on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/). - -Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager). - -See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration. - -## Deploy the integration - -1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster: - - ```bash - $ kubectl apply -f spire-quickstart.yaml - ``` - -1. Ensure that the deployment is completed before moving to the next step. This can be verified by waiting on the `spire-agent` pod to become ready: - - ```bash - $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent - ``` - -1. Use the configuration profile provided to install Istio (requires istioctl v1.14+): - - ```bash - $ istioctl install -f istio-spire-config.yaml - ``` - -1. Create a ClusterSPIFFEID to create a registration entry for all workloads with the `spiffe.io/spire-managed-identity: true` label: - - ```bash - $ kubectl apply -f clusterspiffeid.yaml - ``` - -1. 
Add the `spiffe.io/spire-managed-identity: true` label to the Ingress-gateway Deployment: - - ```bash - $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}' - ``` - -1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and has the `spiffe.io/spire-managed-identity: true` label. - - If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled: - - ```bash - $ kubectl apply -f sleep-spire.yaml - ``` - - Otherwise, manually inject the sidecar before applying: - - ```bash - $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml) - ``` - -1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command: - - ```bash - $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") - $ istioctl pc secret $SLEEP_POD -o json | jq -r \ - '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem - ``` - -1. Inspect the certificate content and verify that SPIRE was the issuer: - - ```bash - $ openssl x509 -in chain.pem -text | grep SPIRE - Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt - ``` - -## Tear down - -1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace: - - ```bash - $ kubectl delete namespace spire - ``` - -1. 
Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition: - - ```bash - $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role - $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding - $ kubectl delete role spire-server-role leader-election-role - $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding - $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook - $ kubectl delete csidriver csi.spiffe.io - $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io - $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io - ``` diff --git a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml b/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml deleted file mode 100644 index bf67989e1..000000000 --- a/istio-1.18.2/samples/security/spire/clusterspiffeid.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: spire.spiffe.io/v1alpha1 -kind: ClusterSPIFFEID -metadata: - name: example -spec: - spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" - podSelector: - matchLabels: - spiffe.io/spire-managed-identity: "true" diff --git a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml b/istio-1.18.2/samples/security/spire/istio-spire-config.yaml deleted file mode 100644 index 812c65eca..000000000 --- a/istio-1.18.2/samples/security/spire/istio-spire-config.yaml +++ /dev/null 
@@ -1,70 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
-spec:
- profile: default
- meshConfig:
- trustDomain: example.org
- values:
- global:
- # This is used to customize the sidecar template
- sidecarInjectorWebhook:
- templates:
- spire: |
- spec:
- containers:
- - name: istio-proxy
- volumeMounts:
- - name: workload-socket
- mountPath: /run/secrets/workload-spiffe-uds
- readOnly: true
- volumes:
- - name: workload-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- label:
- istio: ingressgateway
- k8s:
- overlays:
- - apiVersion: apps/v1
- kind: Deployment
- name: istio-ingressgateway
- patches:
- - path: spec.template.spec.volumes.[name:workload-socket]
- value:
- name: workload-socket
- csi:
- driver: "csi.spiffe.io"
- readOnly: true
- - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
- value:
- name: workload-socket
- mountPath: "/run/secrets/workload-spiffe-uds"
- readOnly: true
- - path: spec.template.spec.initContainers
- value:
- - name: wait-for-spire-socket
- image: busybox:1.28
- volumeMounts:
- - name: workload-socket
- mountPath: /run/secrets/workload-spiffe-uds
- readOnly: true
- env:
- - name: CHECK_FILE
- value: /run/secrets/workload-spiffe-uds/socket
- command:
- - sh
- - "-c"
- - |-
- echo `date -Iseconds` Waiting for: ${CHECK_FILE}
- while [[ ! -e ${CHECK_FILE} ]] ; do
- echo `date -Iseconds` File does not exist: ${CHECK_FILE}
- sleep 15
- done
- ls -l ${CHECK_FILE}
diff --git a/istio-1.18.2/samples/security/spire/sleep-spire.yaml b/istio-1.18.2/samples/security/spire/sleep-spire.yaml
deleted file mode 100644
index d1e1673f5..000000000
--- a/istio-1.18.2/samples/security/spire/sleep-spire.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spiffe.io/spire-managed-identity: "true"
- # Injects custom sidecar template
- annotations:
- inject.istio.io/templates: "sidecar,spire"
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: sleep
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- securityContext:
- runAsUser: 1000
- volumes:
- - name: tmp
- emptyDir: {}
----
\ No newline at end of file
diff --git a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml b/istio-1.18.2/samples/security/spire/spire-quickstart.yaml
deleted file mode 100644
index cff84d0d7..000000000
--- a/istio-1.18.2/samples/security/spire/spire-quickstart.yaml
+++ /dev/null
@@ -1,985 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: spire - ---- -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: "csi.spiffe.io" -spec: - # Only ephemeral, inline volumes are supported. There is no need for a - # controller to provision and attach volumes. - attachRequired: false - - # Request the pod information which the CSI driver uses to verify that an - # ephemeral mount was requested. - podInfoOnMount: true - - # Don't change ownership on the contents of the mount since the Workload API - # Unix Domain Socket is typically open to all (i.e. 0777). - fsGroupPolicy: None - - # Declare support for ephemeral volumes only. - volumeLifecycleModes: - - Ephemeral - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-server - namespace: spire - ---- -# ConfigMap for spire-agent bootstrapping. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-bundle - namespace: spire - ---- -# ClusterRole to allow spire-server to query k8s API server. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role -rules: - # allow TokenReview requests (to verify service account tokens for PSAT - # attestation) -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["get", "create"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-server service account. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: ClusterRole - name: spire-server-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- -# Role for the SPIRE server. 
-kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: spire - name: spire-server-role -rules: - # allow "get" access to pods (to resolve selectors for PSAT attestation) -- apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE - # agent bootstrapping, see the spire-bundle ConfigMap) -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["spire-bundle"] - verbs: ["get", "patch"] - ---- -# RoleBinding granting the spire-server-role to the SPIRE server -# service account. -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-server-role-binding - namespace: spire -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire -roleRef: - kind: Role - name: spire-server-role - apiGroup: rbac.authorization.k8s.io - ---- -# ClusterRules for the SPIRE Controller Manager. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "patch", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterfederatedtrustdomains/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["spire.spiffe.io"] - resources: 
["clusterspiffeids/finalizers"] - verbs: ["update"] - - apiGroups: ["spire.spiffe.io"] - resources: ["clusterspiffeids/status"] - verbs: ["get", "patch", "update"] - ---- -# Binds manager-role cluster role to spire-server service account. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire - ---- -# Permissions for the SPIRE server to do leader election. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: leader-election-role - namespace: spire -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - ---- -# Binds leader-election-role to spire-server service account. -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: leader-election-role-binding - namespace: spire -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: leader-election-role -subjects: -- kind: ServiceAccount - name: spire-server - namespace: spire - ---- -# ConfigMap containing the SPIRE server configuration. 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-server - namespace: spire -data: - server.conf: | - server { - bind_address = "0.0.0.0" - bind_port = "8081" - trust_domain = "example.org" - data_dir = "/run/spire/server/data" - log_level = "DEBUG" - federation { - bundle_endpoint { - address = "0.0.0.0" - port = 8443 - } - } - } - - plugins { - DataStore "sql" { - plugin_data { - database_type = "sqlite3" - connection_string = "/run/spire/server/data/datastore.sqlite3" - } - } - - NodeAttestor "k8s_psat" { - plugin_data { - clusters = { - # NOTE: Change this to your cluster name - "demo-cluster" = { - service_account_allow_list = ["spire:spire-agent"] - } - } - } - } - - KeyManager "disk" { - plugin_data { - keys_path = "/run/spire/server/data/keys.json" - } - } - - Notifier "k8sbundle" { - plugin_data { - namespace = "spire" - } - } - } - - health_checks { - listener_enabled = true - bind_address = "0.0.0.0" - bind_port = "8080" - live_path = "/live" - ready_path = "/ready" - } - ---- -# Configuration for the SPIRE Controller Manager. -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-controller-manager-config - namespace: spire -data: - spire-controller-manager-config.yaml: | - apiVersion: spire.spiffe.io/v1alpha1 - kind: ControllerManagerConfig - metrics: - bindAddress: 127.0.0.1:8082 - healthProbe: - bindAddress: 127.0.0.1:8083 - leaderElection: - leaderElect: true - resourceName: 98c9c988.spiffe.io - resourceNamespace: spire - clusterName: demo-cluster - trustDomain: example.org - ignoreNamespaces: - - kube-system - - kube-public - - spire - - local-path-storage - ---- -# SPIRE Server Deployment. 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: spire-server - namespace: spire - labels: - app: spire-server -spec: - replicas: 1 - selector: - matchLabels: - app: spire-server - template: - metadata: - namespace: spire - labels: - app: spire-server - spec: - serviceAccountName: spire-server - shareProcessNamespace: true - containers: - - name: spire-server - image: ghcr.io/spiffe/spire-server:1.5.4 - imagePullPolicy: IfNotPresent - args: - - -config - - /run/spire/server/config/server.conf - livenessProbe: - httpGet: - path: /live - port: 8080 - failureThreshold: 2 - initialDelaySeconds: 15 - periodSeconds: 60 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 5 - ports: - - containerPort: 8081 - volumeMounts: - - name: spire-config - mountPath: /run/spire/server/config - readOnly: true - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false - - name: spire-controller-manager - image: ghcr.io/spiffe/spire-controller-manager:0.2.3 - imagePullPolicy: IfNotPresent - args: - - "--config=spire-controller-manager-config.yaml" - ports: - - containerPort: 9443 - volumeMounts: - - name: spire-server-socket - mountPath: /spire-server - readOnly: true - - name: spire-controller-manager-config - mountPath: /spire-controller-manager-config.yaml - subPath: spire-controller-manager-config.yaml - volumes: - - name: spire-config - configMap: - name: spire-server - - name: spire-server-socket - emptyDir: {} - - name: spire-controller-manager-config - configMap: - name: spire-controller-manager-config - ---- -# Service definition for SPIRE server defining the gRPC port. -apiVersion: v1 -kind: Service -metadata: - name: spire-server - namespace: spire -spec: - type: NodePort - ports: - - name: grpc - port: 8081 - targetPort: 8081 - protocol: TCP - selector: - app: spire-server - ---- -# Service definition for SPIRE server bundle endpoint. 
-apiVersion: v1 -kind: Service -metadata: - name: spire-server-bundle-endpoint - namespace: spire -spec: - type: NodePort - ports: - - name: tcp-api - port: 8443 - protocol: TCP - selector: - app: spire-server - ---- -# Service definition for SPIRE controller manager webhook. -apiVersion: v1 -kind: Service -metadata: - name: spire-controller-manager-webhook-service - namespace: spire -spec: - ports: - - name: tcp - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app: spire-server - ---- -# ClusterFederatedTrustDomains CRD. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: clusterfederatedtrustdomains.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterFederatedTrustDomain - listKind: ClusterFederatedTrustDomainList - plural: clusterfederatedtrustdomains - singular: clusterfederatedtrustdomain - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.trustDomain - name: Trust Domain - type: string - - jsonPath: .spec.bundleEndpointURL - name: Endpoint URL - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterFederatedTrustDomainSpec defines the desired state - of ClusterFederatedTrustDomain - properties: - bundleEndpointProfile: - description: BundleEndpointProfile is the profile for the bundle endpoint. - properties: - endpointSPIFFEID: - description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. - It is required for the "https_spiffe" profile. - type: string - type: - description: Type is the type of the bundle endpoint profile. - enum: - - https_spiffe - - https_web - type: string - required: - - type - type: object - bundleEndpointURL: - description: BundleEndpointURL is the URL of the bundle endpoint. - It must be an HTTPS URL and cannot contain userinfo (i.e. username/password). - type: string - trustDomain: - description: TrustDomain is the name of the trust domain to federate - with (e.g. example.org) - pattern: '[a-z0-9._-]{1,255}' - type: string - trustDomainBundle: - description: TrustDomainBundle is the contents of the bundle for the - referenced trust domain. This field is optional when the resource - is created. - type: string - required: - - bundleEndpointProfile - - bundleEndpointURL - - trustDomain - type: object - status: - description: ClusterFederatedTrustDomainStatus defines the observed state - of ClusterFederatedTrustDomain - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# ClusterSPIFFEID CRD. 
-apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: clusterspiffeids.spire.spiffe.io -spec: - group: spire.spiffe.io - names: - kind: ClusterSPIFFEID - listKind: ClusterSPIFFEIDList - plural: clusterspiffeids - singular: clusterspiffeid - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSPIFFEID is the Schema for the clusterspiffeids API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID - properties: - admin: - description: Admin indicates whether or not the SVID can be used to - access the SPIRE administrative APIs. Extra care should be taken - to only apply this SPIFFE ID to admin workloads. - type: boolean - dnsNameTemplates: - description: DNSNameTemplate represents templates for extra DNS names - that are applicable to SVIDs minted for this ClusterSPIFFEID. The - node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. - items: - type: string - type: array - downstream: - description: Downstream indicates that the entry describes a downstream SPIRE server. 
- type: boolean - federatesWith: - description: FederatesWith is a list of trust domain names that workloads - that obtain this SPIFFE ID will federate with. - items: - type: string - type: array - namespaceSelector: - description: NamespaceSelector selects the namespaces that are targeted - by this CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - podSelector: - description: PodSelector selects the pods that are targeted by this - CRD. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. 
- properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - spiffeIDTemplate: - description: SPIFFEID is the SPIFFE ID template. The node and pod - spec are made available to the template under .NodeSpec, .PodSpec - respectively. - type: string - ttl: - description: TTL indicates an upper-bound time-to-live for SVIDs minted - for this ClusterSPIFFEID. If unset, a default will be chosen. - type: string - workloadSelectorTemplates: - description: WorkloadSelectorTemplates are templates to produce arbitrary - workload selectors that apply to a given workload before it will - receive this SPIFFE ID. The rendered value is interpreted by SPIRE - and are of the form type:value, where the value may, and often does, - contain semicolons, .e.g., k8s:container-image:docker/hello-world - The node and pod spec are made available to the template under .NodeSpec, - .PodSpec respectively. 
- items: - type: string - type: array - required: - - spiffeIDTemplate - type: object - status: - description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID - properties: - stats: - description: Stats produced by the last entry reconciliation run - properties: - entriesMasked: - description: How many entries were masked by entries for other - ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs - produce an entry for the same pod with the same set of workload - selectors. - type: integer - entriesToSet: - description: How many entries are to be set for this ClusterSPIFFEID. - In nominal conditions, this should reflect the number of pods - selected, but not always if there were problems encountered - rendering an entry for the pod (RenderFailures) or entries are - masked (EntriesMasked). - type: integer - entryFailures: - description: How many entries were unable to be set due to failures - to create or update the entries via the SPIRE Server API. - type: integer - namespacesIgnored: - description: How many (selected) namespaces were ignored (based - on configuration). - type: integer - namespacesSelected: - description: How many namespaces were selected. - type: integer - podEntryRenderFailures: - description: How many failures were encountered rendering an entry - selected pods. This could be due to either a bad template in - the ClusterSPIFFEID or Pod metadata that when applied to the - template did not produce valid entry values. - type: integer - podsSelected: - description: How many pods were selected out of the namespaces. - type: integer - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# ValidatingWebhookConfiguration for validating ClusterSPIFFEID and -# ClusterFederatedTrustDomain custom resources. 
-apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: spire-controller-manager-webhook -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire - path: /validate-spire-spiffe-io-v1alpha1-clusterfederatedtrustdomain - failurePolicy: Fail - name: vclusterfederatedtrustdomain.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterfederatedtrustdomains"] - sideEffects: None - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: spire-controller-manager-webhook-service - namespace: spire - path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid - failurePolicy: Fail - name: vclusterspiffeid.kb.io - rules: - - apiGroups: ["spire.spiffe.io"] - apiVersions: ["v1alpha1"] - operations: ["CREATE", "UPDATE"] - resources: ["clusterspiffeids"] - sideEffects: None - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: spire-agent - namespace: spire - ---- -# Required cluster role to allow spire-agent to query k8s API server. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role -rules: -- apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] - verbs: ["get"] - ---- -# Binds above cluster role to spire-agent service account. 
-kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: spire-agent-cluster-role-binding -subjects: -- kind: ServiceAccount - name: spire-agent - namespace: spire -roleRef: - kind: ClusterRole - name: spire-agent-cluster-role - apiGroup: rbac.authorization.k8s.io - ---- -# ConfigMap for the SPIRE agent featuring: -# 1) PSAT node attestation -# 2) K8S Workload Attestation over the secure kubelet port -apiVersion: v1 -kind: ConfigMap -metadata: - name: spire-agent - namespace: spire -data: - agent.conf: | - agent { - data_dir = "/run/spire" - log_level = "DEBUG" - server_address = "spire-server" - server_port = "8081" - socket_path = "/run/secrets/workload-spiffe-uds/socket" - trust_bundle_path = "/run/spire/bundle/bundle.crt" - trust_domain = "example.org" - } - - plugins { - NodeAttestor "k8s_psat" { - plugin_data { - # NOTE: Change this to your cluster name - cluster = "demo-cluster" - } - } - - KeyManager "memory" { - plugin_data { - } - } - - WorkloadAttestor "k8s" { - plugin_data { - # Defaults to the secure kubelet port by default. - # Minikube does not have a cert in the cluster CA bundle that - # can authenticate the kubelet cert, so skip validation. - skip_kubelet_verification = true - - # We need to set disable_container_selectors = true if we make holdApplicationUntilProxyStarts = true in istio - # see https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig - # If true, container selectors are not produced. - # This can be used to produce pod selectors when the workload pod is known - # but the workload container is not ready at the time of attestation. - # disable_container_selectors = true - } - } - - WorkloadAttestor "unix" { - plugin_data { - } - } - - } - ---- -# SPIRE Agent DaemonSet. 
-apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: spire-agent - namespace: spire - labels: - app: spire-agent -spec: - selector: - matchLabels: - app: spire-agent - template: - metadata: - namespace: spire - labels: - app: spire-agent - spec: - hostPID: true - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: spire-agent - containers: - - name: spire-agent - image: ghcr.io/spiffe/spire-agent:1.2.3 - imagePullPolicy: IfNotPresent - args: ["-config", "/run/spire/config/agent.conf"] - volumeMounts: - - name: spire-config - mountPath: /run/spire/config - readOnly: true - - name: spire-bundle - mountPath: /run/spire/bundle - readOnly: true - - name: spire-agent-socket-dir - mountPath: /run/secrets/workload-spiffe-uds - - name: spire-token - mountPath: /var/run/secrets/tokens - # This is the container which runs the SPIFFE CSI driver. - - name: spiffe-csi-driver - image: ghcr.io/spiffe/spiffe-csi-driver:0.2.0 - imagePullPolicy: IfNotPresent - args: [ - "-workload-api-socket-dir", "/spire-agent-socket", - "-csi-socket-path", "/spiffe-csi/csi.sock", - ] - env: - # The CSI driver needs a unique node ID. The node name can be - # used for this purpose. - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - # The volume containing the SPIRE agent socket. The SPIFFE CSI - # driver will mount this directory into containers. - - mountPath: /spire-agent-socket - name: spire-agent-socket-dir - readOnly: true - # The volume that will contain the CSI driver socket shared - # with the kubelet and the driver registrar. - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The volume containing mount points for containers. - - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - name: mountpoint-dir - securityContext: - privileged: true - # This container runs the CSI Node Driver Registrar which takes care - # of all the little details required to register a CSI driver with - # the kubelet. 
- - name: node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.4.0 - imagePullPolicy: IfNotPresent - args: [ - "-csi-address", "/spiffe-csi/csi.sock", - "-kubelet-registration-path", "/var/lib/kubelet/plugins/csi.spiffe.io/csi.sock", - ] - volumeMounts: - # The registrar needs access to the SPIFFE CSI driver socket - - mountPath: /spiffe-csi - name: spiffe-csi-socket-dir - # The registrar needs access to the Kubelet plugin registration - # directory - - name: kubelet-plugin-registration-dir - mountPath: /registration - volumes: - - name: spire-config - configMap: - name: spire-agent - - name: spire-bundle - configMap: - name: spire-bundle - - name: spire-token - projected: - sources: - - serviceAccountToken: - path: spire-agent - expirationSeconds: 7200 - audience: spire-server - # This volume is used to share the workload api socket between the - # CSI driver and SPIRE agent - - name: spire-agent-socket-dir - emptyDir: {} - # This volume is where the socket for kubelet->driver communication lives - - name: spiffe-csi-socket-dir - hostPath: - path: /var/lib/kubelet/plugins/csi.spiffe.io - type: DirectoryOrCreate - # This volume is where the SPIFFE CSI driver mounts volumes - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: Directory - # This volume is where the node-driver-registrar registers the plugin - # with kubelet - - name: kubelet-plugin-registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry - type: Directory diff --git a/istio-1.18.2/samples/sleep/README.md b/istio-1.18.2/samples/sleep/README.md deleted file mode 100644 index 045df5c50..000000000 --- a/istio-1.18.2/samples/sleep/README.md +++ /dev/null 
@@ -1,37 +0,0 @@
-# Simple sleep service
-
-This sample consists of a simple service that does nothing but sleep.
-It's a ubuntu container with curl installed that can be used as a request source for invoking other services
-to experiment with Istio networking.
-
-To use it:
-
-1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/).
-
-1. Start the sleep service:
-
- If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled:
-
- ```bash
- kubectl apply -f sleep.yaml
- ```
-
- Otherwise manually inject the sidecars before applying:
-
- ```bash
- kubectl apply -f <(istioctl kube-inject -f sleep.yaml)
- ```
-
-1. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/examples/bookinfo/).
-
- Now you can `kubectl exec` into the sleep service to experiment with Istio networking.
- For example, the following commands can be used to call the Bookinfo `ratings` service:
-
- ```bash
- export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
- kubectl exec -it $SLEEP_POD -c sleep -- curl http://ratings.default.svc.cluster.local:9080/ratings/1
- {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
- ```
-
-You can also use the sleep service to test accessing services outside of the mesh.
-See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress/) for details.
diff --git a/istio-1.18.2/samples/sleep/notsleep.yaml b/istio-1.18.2/samples/sleep/notsleep.yaml
deleted file mode 100644
index 898d4ab47..000000000
--- a/istio-1.18.2/samples/sleep/notsleep.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Notsleep service - based on the sleep service but has its own identity and affinity rule
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: notsleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: notsleep
- labels:
- app: notsleep
- service: notsleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: notsleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: notsleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: notsleep
- template:
- metadata:
- labels:
- app: notsleep
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app
- operator: In
- values:
- - productpage
- topologyKey: kubernetes.io/hostname
- terminationGracePeriodSeconds: 0
- serviceAccountName: notsleep
- containers:
- - name: notsleep
- image: curlimages/curl
- command: ["/bin/sleep", "3650d"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - mountPath: /etc/sleep/tls
- name: secret-volume
- volumes:
- - name: secret-volume
- secret:
- secretName: notsleep-secret
- optional: true
----
diff --git a/istio-1.18.2/samples/sleep/sleep-vault.yaml b/istio-1.18.2/samples/sleep/sleep-vault.yaml
deleted file mode 100644
index b31196cf1..000000000
--- a/istio-1.18.2/samples/sleep/sleep-vault.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2019 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spec:
- serviceAccountName: vault-citadel-sa
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
----
diff --git a/istio-1.18.2/samples/sleep/sleep.yaml b/istio-1.18.2/samples/sleep/sleep.yaml
deleted file mode 100644
index 570086b93..000000000
--- a/istio-1.18.2/samples/sleep/sleep.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##################################################################################################
-# Sleep service
-##################################################################################################
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sleep
----
-apiVersion: v1
-kind: Service
-metadata:
- name: sleep
- labels:
- app: sleep
- service: sleep
-spec:
- ports:
- - port: 80
- name: http
- selector:
- app: sleep
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: sleep
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: sleep
- template:
- metadata:
- labels:
- app: sleep
- spec:
- terminationGracePeriodSeconds: 0
- serviceAccountName: sleep
- containers:
- - name: sleep
- image: curlimages/curl
- command: ["/bin/sleep", "infinity"]
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - mountPath: /etc/sleep/tls
- name: secret-volume
- volumes:
- - name: secret-volume
- secret:
- secretName: sleep-secret
- optional: true
----
diff --git a/istio-1.18.2/samples/tcp-echo/README.md b/istio-1.18.2/samples/tcp-echo/README.md
deleted file mode 100644
index 50f2d82aa..000000000
--- a/istio-1.18.2/samples/tcp-echo/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# TCP Echo Service
-
-This sample runs [TCP Echo Server](src/) as an Istio service. TCP Echo Server
-allows you to connect to it over TCP and echoes back data sent to it along with
-a preconfigured prefix.
-
-## Usage
-
-To run the TCP Echo Service sample:
-
-1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html).
-
-1. Start the `tcp-echo-server` service inside the Istio service mesh:
-
- ```console
- $ kubectl apply -f <(istioctl kube-inject -f tcp-echo.yaml)
- service/tcp-echo created
- deployment.apps/tcp-echo created
- ```
-
-1. Test by running the `nc` command from a `busybox` container from within the cluster.
-
- ```console
- $ kubectl run -i --rm --restart=Never dummy --image=busybox -- sh -c "echo world | nc tcp-echo 9000"
- hello world
- pod "dummy" deleted
- ```
-
- As you observe, sending _world_ on a TCP connection to the server results in
- the server prepending _hello_ and echoing back with _hello world_.
-
-1. To clean up, execute the following command:
-
- ```console
- $ kubectl delete -f tcp-echo.yaml
- service "tcp-echo" deleted
- deployment.apps "tcp-echo" deleted
- ```
diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
deleted file mode 100644
index 11e27be3f..000000000
--- a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-20-v2.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: TCPRoute
-metadata:
- name: tcp-echo
-spec:
- parentRefs:
- - name: tcp-echo-gateway
- sectionName: tcp-31400
- rules:
- - backendRefs:
- - name: tcp-echo-v1
- port: 9000
- weight: 80
- - name: tcp-echo-v2
- port: 9000
- weight: 20
diff --git a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
deleted file mode 100644
index 23965bbc3..000000000
--- a/istio-1.18.2/samples/tcp-echo/gateway-api/tcp-echo-all-v1.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: Gateway
-metadata:
- name: tcp-echo-gateway
-spec:
- gatewayClassName: istio
- listeners:
- - name: tcp-31400
- protocol: TCP
- port: 31400
- allowedRoutes:
- kinds:
- - kind: TCPRoute
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo-v1
-spec:
- ports:
- - port: 9000
- name: tcp
- selector:
- app: tcp-echo
- version: v1
----
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo-v2
-spec:
- ports:
- - port: 9000
- name: tcp
- selector:
- app: tcp-echo
- version: v2
----
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: TCPRoute
-metadata:
- name: tcp-echo
-spec:
- parentRefs:
- - name: tcp-echo-gateway
- sectionName: tcp-31400
- rules:
- - backendRefs:
- - name: tcp-echo-v1
- port: 9000
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml
deleted file mode 100644
index f69ab1156..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-20-v2.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: tcp-echo
-spec:
- hosts:
- - "*"
- gateways:
- - tcp-echo-gateway
- tcp:
- - match:
- - port: 31400
- route:
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v1
- weight: 80
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v2
- weight: 20
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml
deleted file mode 100644
index 3c302c514..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-all-v1.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: tcp-echo-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 31400
- name: tcp
- protocol: TCP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: tcp-echo-destination
-spec:
- host: tcp-echo
- subsets:
- - name: v1
- labels:
- version: v1
- - name: v2
- labels:
- version: v2
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: tcp-echo
-spec:
- hosts:
- - "*"
- gateways:
- - tcp-echo-gateway
- tcp:
- - match:
- - port: 31400
- route:
- - destination:
- host: tcp-echo
- port:
- number: 9000
- subset: v1
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml
deleted file mode 100644
index dd72061df..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-dual-stack.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: RequireDualStack
- ipFamilies:
- - IPv6
- - IPv4
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml
deleted file mode 100644
index 8ac98630c..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv4.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: Always
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml
deleted file mode 100644
index 02ddd6dec..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-ipv6.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv6
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml
deleted file mode 100644
index 7f6457464..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo-services.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo-v1
- labels:
- app: tcp-echo
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "one" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo-v2
- labels:
- app: tcp-echo
- version: v2
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v2
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v2
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "two" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml b/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml
deleted file mode 100644
index fae951612..000000000
--- a/istio-1.18.2/samples/tcp-echo/tcp-echo.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2018 Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-################################################################################
-# tcp-echo service
-################################################################################
-apiVersion: v1
-kind: Service
-metadata:
- name: tcp-echo
- labels:
- app: tcp-echo
- service: tcp-echo
-spec:
- ports:
- - name: tcp
- port: 9000
- - name: tcp-other
- port: 9001
- # Port 9002 is omitted intentionally for testing the pass through filter chain.
- selector:
- app: tcp-echo
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tcp-echo
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tcp-echo
- version: v1
- template:
- metadata:
- labels:
- app: tcp-echo
- version: v1
- spec:
- containers:
- - name: tcp-echo
- image: docker.io/istio/tcp-echo-server:1.2
- imagePullPolicy: IfNotPresent
- args: [ "9000,9001,9002", "hello" ]
- ports:
- - containerPort: 9000
- - containerPort: 9001
diff --git a/istio-1.18.2/samples/wasm_modules/README.md b/istio-1.18.2/samples/wasm_modules/README.md
deleted file mode 100644
index 4a8a8702c..000000000
--- a/istio-1.18.2/samples/wasm_modules/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# WASM demo
-
-`header_injector` is used for istio e2e tests, more tests can be found [here](https://github.com/istio-ecosystem/wasm-extensions).
diff --git a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile b/istio-1.18.2/samples/wasm_modules/header_injector/Makefile deleted file mode 100644 index 377495d22..000000000 --- a/istio-1.18.2/samples/wasm_modules/header_injector/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -.PHONY: docker-push docker-build build clean - -VERSION_LIST := 1 2 -HUB ?= gcr.io/istio-testing -IMAGE_PREFIX ?= /wasm -IMG := $(HUB)$(IMAGE_PREFIX)/header-injector - -all: docker-push - -build: plugin.cc plugin.h BUILD WORKSPACE - rm -f *.wasm - $(foreach VERSION, $(VERSION_LIST), bazel build :plugin-0.0.$(VERSION).wasm && cp bazel-bin/plugin-0.0.$(VERSION).wasm .;) - -docker-build: build - $(foreach VERSION, $(VERSION_LIST), docker buildx build . -t $(IMG):0.0.$(VERSION) --build-arg WASM_BINARY=plugin-0.0.$(VERSION).wasm;) - -docker-push: docker-build - $(foreach VERSION, $(VERSION_LIST), docker push $(IMG):0.0.$(VERSION);) - -clean: - rm -rf bazel-* - rm -f *.wasm diff --git a/istio-1.18.2/samples/websockets/README.md b/istio-1.18.2/samples/websockets/README.md deleted file mode 100644 index 26a1f382a..000000000 --- a/istio-1.18.2/samples/websockets/README.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Tornado - Demo Websockets App - -This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`. -The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example). - -__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`. - -## Prerequisites - -Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html). - -## Installation - -1. First install the application service: - - - With manual sidecar injection: - - ```command - kubectl create -f <(istioctl kube-inject -f samples/websockets/app.yaml) - ``` - - - With automatic sidecar injection - - ```command - kubectl create -f samples/websockets/app.yaml - ``` - -1. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic: - - ```command - kubectl create -f samples/websockets/route.yaml - ``` - -## Test - -- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports) - -- Access with your browser - -- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established. -To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing). - -## Cleanup - -```command -kubectl delete -f samples/websockets/route.yaml -kubectl delete -f samples/websockets/app.yaml -``` 
diff --git a/istio-1.18.2/samples/websockets/app.yaml b/istio-1.18.2/samples/websockets/app.yaml
deleted file mode 100644
index 4f44ea7d7..000000000
--- a/istio-1.18.2/samples/websockets/app.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: tornado
- labels:
- app: tornado
- service: tornado
-spec:
- ports:
- - port: 8888
- name: http
- selector:
- app: tornado
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tornado
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tornado
- version: v1
- template:
- metadata:
- labels:
- app: tornado
- version: v1
- spec:
- containers:
- - name: tornado
- image: hiroakis/tornado-websocket-example
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 8888
----
diff --git a/istio-1.18.2/samples/websockets/route.yaml b/istio-1.18.2/samples/websockets/route.yaml
deleted file mode 100644
index ef580b2cd..000000000
--- a/istio-1.18.2/samples/websockets/route.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: tornado-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: tornado
-spec:
- hosts:
- - "*"
- gateways:
- - tornado-gateway
- http:
- - match:
- - uri:
- prefix: /
- route:
- - destination:
- host: tornado
- weight: 100
diff --git a/istio-1.18.2/tools/_istioctl b/istio-1.18.2/tools/_istioctl
deleted file mode 100644
index d1e29f21f..000000000
--- a/istio-1.18.2/tools/_istioctl
+++ /dev/null
@@ -1,212 +0,0 @@ -#compdef istioctl -compdef _istioctl istioctl - -# zsh completion for istioctl -*- shell-script -*- - -__istioctl_debug() -{ - local file="$BASH_COMP_DEBUG_FILE" - if [[ -n ${file} ]]; then - echo "$*" >> "${file}" - fi -} - -_istioctl() -{ - local shellCompDirectiveError=1 - local shellCompDirectiveNoSpace=2 - local shellCompDirectiveNoFileComp=4 - local shellCompDirectiveFilterFileExt=8 - local shellCompDirectiveFilterDirs=16 - local shellCompDirectiveKeepOrder=32 - - local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace keepOrder - local -a completions - - __istioctl_debug "\n========= starting completion logic ==========" - __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}" - - # The user could have moved the cursor backwards on the command-line. - # We need to trigger completion from the $CURRENT location, so we need - # to truncate the command-line ($words) up to the $CURRENT location. - # (We cannot use $CURSOR as its value does not work when a command is an alias.) - words=("${=words[1,CURRENT]}") - __istioctl_debug "Truncated words[*]: ${words[*]}," - - lastParam=${words[-1]} - lastChar=${lastParam[-1]} - __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}" - - # For zsh, when completing a flag with an = (e.g., istioctl -n=) - # completions must be prefixed with the flag - setopt local_options BASH_REMATCH - if [[ "${lastParam}" =~ '-.*=' ]]; then - # We are dealing with a flag with an = - flagPrefix="-P ${BASH_REMATCH}" - fi - - # Prepare the command to obtain completions - requestComp="${words[1]} __complete ${words[2,-1]}" - if [ "${lastChar}" = "" ]; then - # If the last parameter is complete (there is a space following it) - # We add an extra empty parameter so we can indicate this to the go completion code. 
- __istioctl_debug "Adding extra empty parameter" - requestComp="${requestComp} \"\"" - fi - - __istioctl_debug "About to call: eval ${requestComp}" - - # Use eval to handle any environment variables and such - out=$(eval ${requestComp} 2>/dev/null) - __istioctl_debug "completion output: ${out}" - - # Extract the directive integer following a : from the last line - local lastLine - while IFS='\n' read -r line; do - lastLine=${line} - done < <(printf "%s\n" "${out[@]}") - __istioctl_debug "last line: ${lastLine}" - - if [ "${lastLine[1]}" = : ]; then - directive=${lastLine[2,-1]} - # Remove the directive including the : and the newline - local suffix - (( suffix=${#lastLine}+2)) - out=${out[1,-$suffix]} - else - # There is no directive specified. Leave $out as is. - __istioctl_debug "No directive found. Setting do default" - directive=0 - fi - - __istioctl_debug "directive: ${directive}" - __istioctl_debug "completions: ${out}" - __istioctl_debug "flagPrefix: ${flagPrefix}" - - if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then - __istioctl_debug "Completion received error. Ignoring completions." - return - fi - - local activeHelpMarker="_activeHelp_ " - local endIndex=${#activeHelpMarker} - local startIndex=$((${#activeHelpMarker}+1)) - local hasActiveHelp=0 - while IFS='\n' read -r comp; do - # Check if this is an activeHelp statement (i.e., prefixed with $activeHelpMarker) - if [ "${comp[1,$endIndex]}" = "$activeHelpMarker" ];then - __istioctl_debug "ActiveHelp found: $comp" - comp="${comp[$startIndex,-1]}" - if [ -n "$comp" ]; then - compadd -x "${comp}" - __istioctl_debug "ActiveHelp will need delimiter" - hasActiveHelp=1 - fi - - continue - fi - - if [ -n "$comp" ]; then - # If requested, completions are returned with a description. - # The description is preceded by a TAB character. - # For zsh's _describe, we need to use a : instead of a TAB. - # We first need to escape any : as part of the completion itself. 
- comp=${comp//:/\\:} - - local tab="$(printf '\t')" - comp=${comp//$tab/:} - - __istioctl_debug "Adding completion: ${comp}" - completions+=${comp} - lastComp=$comp - fi - done < <(printf "%s\n" "${out[@]}") - - # Add a delimiter after the activeHelp statements, but only if: - # - there are completions following the activeHelp statements, or - # - file completion will be performed (so there will be choices after the activeHelp) - if [ $hasActiveHelp -eq 1 ]; then - if [ ${#completions} -ne 0 ] || [ $((directive & shellCompDirectiveNoFileComp)) -eq 0 ]; then - __istioctl_debug "Adding activeHelp delimiter" - compadd -x "--" - hasActiveHelp=0 - fi - fi - - if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then - __istioctl_debug "Activating nospace." - noSpace="-S ''" - fi - - if [ $((directive & shellCompDirectiveKeepOrder)) -ne 0 ]; then - __istioctl_debug "Activating keep order." - keepOrder="-V" - fi - - if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then - # File extension filtering - local filteringCmd - filteringCmd='_files' - for filter in ${completions[@]}; do - if [ ${filter[1]} != '*' ]; then - # zsh requires a glob pattern to do file filtering - filter="\*.$filter" - fi - filteringCmd+=" -g $filter" - done - filteringCmd+=" ${flagPrefix}" - - __istioctl_debug "File filtering command: $filteringCmd" - _arguments '*:filename:'"$filteringCmd" - elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then - # File completion for directories only - local subdir - subdir="${completions[1]}" - if [ -n "$subdir" ]; then - __istioctl_debug "Listing directories in $subdir" - pushd "${subdir}" >/dev/null 2>&1 - else - __istioctl_debug "Listing directories in ." - fi - - local result - _arguments '*:dirname:_files -/'" ${flagPrefix}" - result=$? 
- if [ -n "$subdir" ]; then - popd >/dev/null 2>&1 - fi - return $result - else - __istioctl_debug "Calling _describe" - if eval _describe $keepOrder "completions" completions $flagPrefix $noSpace; then - __istioctl_debug "_describe found some completions" - - # Return the success of having called _describe - return 0 - else - __istioctl_debug "_describe did not find completions." - __istioctl_debug "Checking if we should do file completion." - if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then - __istioctl_debug "deactivating file completion" - - # We must return an error code here to let zsh know that there were no - # completions found by _describe; this is what will trigger other - # matching algorithms to attempt to find completions. - # For example zsh can match letters in the middle of words. - return 1 - else - # Perform file completion - __istioctl_debug "Activating file completion" - - # We must return the result of this command, so it must be the - # last command, or else we must store its result to return it. - _arguments '*:filename:_files'" ${flagPrefix}" - fi - fi - fi -} - -# don't run the completion function when being source-ed or eval-ed -if [ "$funcstack[1]" = "_istioctl" ]; then - _istioctl -fi diff --git a/istio-1.18.2/tools/certs/Makefile.k8s.mk b/istio-1.18.2/tools/certs/Makefile.k8s.mk deleted file mode 100644 index 3d2e7fe0f..000000000 --- a/istio-1.18.2/tools/certs/Makefile.k8s.mk +++ /dev/null 
@@ -1,102 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##fetch-root-ca: fetch root CA and key from a k8s cluster. -.PHONY: fetch-root-ca -rawcluster := $(shell kubectl config current-context) -cluster := $(subst /,-,$(rawcluster)) -pwd := $(shell pwd) -export KUBECONFIG - -fetch-root-ca: - @echo "fetching root ca from k8s cluster: "$(cluster)"" - @mkdir -p $(pwd)/$(cluster) - @res=$(shell kubectl get secret istio-ca-secret -n $(ISTIO-NAMESPACE) >/dev/null 2>&1; echo $$?) 
-ifeq ($(res), 1) - @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem - @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem -else - @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem - @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem -endif - -k8s-root-cert.pem: - @cat $(cluster)/k8s-root-cert.pem > $@ - -k8s-root-key.pem: - @cat $(cluster)/k8s-root-key.pem > $@ -#------------------------------------------------------------------------ -##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory -.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $<)/root-cert.pem - -%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem - @echo "generating $@" - @openssl x509 -req -days $(INTERMEDIATE_DAYS) \ - -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: fetch-root-ca - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` 
using root cert from k8s cluster. -.PHONY: %-certs - -%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp k8s-root-cert.pem $(dir $@)/root-cert.pem - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 \ No newline at end of file diff --git a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk b/istio-1.18.2/tools/certs/Makefile.selfsigned.mk deleted file mode 100644 index 2a87d071f..000000000 --- a/istio-1.18.2/tools/certs/Makefile.selfsigned.mk +++ /dev/null 
@@ -1,98 +0,0 @@ -.SUFFIXES: .csr .pem .conf -.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem -.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem -.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf - -.DEFAULT_GOAL := help - -SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) - -include $(SELF_DIR)common.mk - -#------------------------------------------------------------------------ -##help: print this help message -.PHONY: help - -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' - -#------------------------------------------------------------------------ -##root-ca: generate root CA files (key and certificate) in current directory. -.PHONY: root-ca - -root-ca: root-key.pem root-cert.pem - -root-cert.pem: root-cert.csr root-key.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \ - -extensions req_ext -extfile root-ca.conf \ - -in $< -out $@ - -root-cert.csr: root-key.pem root-ca.conf - @echo "generating $@" - @openssl req -sha256 -new -key $< -config root-ca.conf -out $@ - -root-key.pem: - @echo "generating $@" - @openssl genrsa -out $@ 4096 -#------------------------------------------------------------------------ -##-cacerts: generate self signed intermediate certificates for and store them under directory. 
-.PHONY: %-cacerts - -%-cacerts: %/cert-chain.pem - @echo "done" - -%/cert-chain.pem: %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate inputs stored in $(dir $<)" - @cp root-cert.pem $(dir $<) - - -%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem - @echo "generating $@" - @openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \ - -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/intermediate.conf \ - -in $< -out $@ - -%/cluster-ca.csr: L=$(dir $@) -%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@ - -%/ca-key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 - -#------------------------------------------------------------------------ -##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs. -.PHONY: %-certs - -%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem - @echo "done" - -%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem - @echo "generating $@" - @cat $^ > $@ - @echo "Intermediate and workload certs stored in $(dir $<)" - @cp root-cert.pem $(dir $@)/root-cert.pem - - -%/workload-cert.pem: %/workload.csr - @echo "generating $@" - @openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \ - -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ - -extensions req_ext -extfile $(dir $<)/workload.conf \ - -in $< -out $@ - -%/workload.csr: L=$(dir $@) -%/workload.csr: %/key.pem %/workload.conf - @echo "generating $@" - @openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@ - -%/key.pem: - @echo "generating $@" - @mkdir -p $(dir $@) - @openssl genrsa -out $@ 4096 
diff --git a/istio-1.18.2/tools/certs/README.md b/istio-1.18.2/tools/certs/README.md
deleted file mode 100644
index f197e2a8f..000000000
--- a/istio-1.18.2/tools/certs/README.md
+++ /dev/null
@@ -1,26 +0,0 @@ -# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust - -The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates: -- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default -`kubeconfig` is used for accessing the cluster. -- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. - -The table below describes the targets supported by both Makefiles. - -Make Target | Makefile | Description ------- | -------- | ----------- -`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. -`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. -`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name. -`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory. -`clean` | Both | Removes any generated root certificates, keys, and intermediate files. - -For example: - -```bash -make -f Makefile.selfsigned.mk root-ca -``` - -Note that the Makefile generates long-lived intermediate certificates. While this might be -acceptable for demonstration purposes, a more realistic and secure deployment would use -short-lived and automatically renewed certificates for the intermediate CAs. 
diff --git a/istio-1.18.2/tools/certs/common.mk b/istio-1.18.2/tools/certs/common.mk
deleted file mode 100644
index ba3f90c9d..000000000
--- a/istio-1.18.2/tools/certs/common.mk
+++ /dev/null
@@ -1,101 +0,0 @@ -#------------------------------------------------------------------------ -# variables: root CA -ROOTCA_DAYS ?= 3650 -ROOTCA_KEYSZ ?= 4096 -ROOTCA_ORG ?= Istio -ROOTCA_CN ?= Root CA -KUBECONFIG ?= $(HOME)/.kube/config -ISTIO_NAMESPACE ?= istio-system -# Additional variables are defined in root-ca.conf target below. - -#------------------------------------------------------------------------ -# variables: intermediate CA -INTERMEDIATE_DAYS ?= 3650 -INTERMEDIATE_KEYSZ ?= 4096 -INTERMEDIATE_ORG ?= Istio -INTERMEDIATE_CN ?= Intermediate CA -INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc -# Additional variables are defined in %/intermediate.conf target below. - -#------------------------------------------------------------------------ -# variables: workload certs: eg VM -WORKLOAD_DAYS ?= 1 -SERVICE_ACCOUNT ?= default -WORKLOAD_CN ?= Workload - -#------------------------------------------------------------------------ -# variables: files to clean -FILES_TO_CLEAN+=k8s-root-cert.pem \ - k8s-root-cert.srl \ - k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem -#------------------------------------------------------------------------ -# clean -.PHONY: clean - -clean: ## Cleans all the intermediate files and folders previously generated. 
- @rm -f $(FILES_TO_CLEAN) - -root-ca.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(ROOTCA_ORG)" >> $@ - @echo "CN = $(ROOTCA_CN)" >> $@ - -%/intermediate.conf: L=$(dir $@) -%/intermediate.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@ - @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(INTERMEDIATE_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ - -%/workload.conf: L=$(dir $@) -%/workload.conf: - @echo "[ req ]" > $@ - @echo "encrypt_key = no" >> $@ - @echo "prompt = no" >> $@ - @echo "utf8 = yes" >> $@ - @echo "default_md = sha256" >> $@ - @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ - @echo "req_extensions = req_ext" >> $@ - @echo "x509_extensions = req_ext" >> $@ - @echo "distinguished_name = req_dn" >> $@ - @echo "[ req_ext ]" >> $@ - @echo "subjectKeyIdentifier = hash" >> $@ - 
@echo "basicConstraints = critical, CA:false" >> $@ - @echo "keyUsage = digitalSignature, keyEncipherment" >> $@ - @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@ - @echo "subjectAltName=@san" >> $@ - @echo "[ san ]" >> $@ - @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@ - @echo "[ req_dn ]" >> $@ - @echo "O = $(INTERMEDIATE_ORG)" >> $@ - @echo "CN = $(WORKLOAD_CN)" >> $@ - @echo "L = $(L:/=)" >> $@ diff --git a/istio-1.18.2/tools/istioctl.bash b/istio-1.18.2/tools/istioctl.bash deleted file mode 100644 index 6f1e15854..000000000 --- a/istio-1.18.2/tools/istioctl.bash +++ /dev/null 
@@ -1,338 +0,0 @@ -# bash completion V2 for istioctl -*- shell-script -*- - -__istioctl_debug() -{ - if [[ -n ${BASH_COMP_DEBUG_FILE-} ]]; then - echo "$*" >> "${BASH_COMP_DEBUG_FILE}" - fi -} - -# Macs have bash3 for which the bash-completion package doesn't include -# _init_completion. This is a minimal version of that function. -__istioctl_init_completion() -{ - COMPREPLY=() - _get_comp_words_by_ref "$@" cur prev words cword -} - -# This function calls the istioctl program to obtain the completion -# results and the directive. It fills the 'out' and 'directive' vars. -__istioctl_get_completion_results() { - local requestComp lastParam lastChar args - - # Prepare the command to request completions for the program. - # Calling ${words[0]} instead of directly istioctl allows to handle aliases - args=("${words[@]:1}") - requestComp="${words[0]} __complete ${args[*]}" - - lastParam=${words[$((${#words[@]}-1))]} - lastChar=${lastParam:$((${#lastParam}-1)):1} - __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}" - - if [[ -z ${cur} && ${lastChar} != = ]]; then - # If the last parameter is complete (there is a space following it) - # We add an extra empty parameter so we can indicate this to the go method. 
- __istioctl_debug "Adding extra empty parameter" - requestComp="${requestComp} ''" - fi - - # When completing a flag with an = (e.g., istioctl -n=) - # bash focuses on the part after the =, so we need to remove - # the flag part from $cur - if [[ ${cur} == -*=* ]]; then - cur="${cur#*=}" - fi - - __istioctl_debug "Calling ${requestComp}" - # Use eval to handle any environment variables and such - out=$(eval "${requestComp}" 2>/dev/null) - - # Extract the directive integer at the very end of the output following a colon (:) - directive=${out##*:} - # Remove the directive - out=${out%:*} - if [[ ${directive} == "${out}" ]]; then - # There is not directive specified - directive=0 - fi - __istioctl_debug "The completion directive is: ${directive}" - __istioctl_debug "The completions are: ${out}" -} - -__istioctl_process_completion_results() { - local shellCompDirectiveError=1 - local shellCompDirectiveNoSpace=2 - local shellCompDirectiveNoFileComp=4 - local shellCompDirectiveFilterFileExt=8 - local shellCompDirectiveFilterDirs=16 - local shellCompDirectiveKeepOrder=32 - - if (((directive & shellCompDirectiveError) != 0)); then - # Error code. No completion. 
- __istioctl_debug "Received error from custom completion go code" - return - else - if (((directive & shellCompDirectiveNoSpace) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - __istioctl_debug "Activating no space" - compopt -o nospace - else - __istioctl_debug "No space directive not supported in this version of bash" - fi - fi - if (((directive & shellCompDirectiveKeepOrder) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - # no sort isn't supported for bash less than < 4.4 - if [[ ${BASH_VERSINFO[0]} -lt 4 || ( ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 4 ) ]]; then - __istioctl_debug "No sort directive not supported in this version of bash" - else - __istioctl_debug "Activating keep order" - compopt -o nosort - fi - else - __istioctl_debug "No sort directive not supported in this version of bash" - fi - fi - if (((directive & shellCompDirectiveNoFileComp) != 0)); then - if [[ $(type -t compopt) == builtin ]]; then - __istioctl_debug "Activating no file completion" - compopt +o default - else - __istioctl_debug "No file completion directive not supported in this version of bash" - fi - fi - fi - - # Separate activeHelp from normal completions - local completions=() - local activeHelp=() - __istioctl_extract_activeHelp - - if (((directive & shellCompDirectiveFilterFileExt) != 0)); then - # File extension filtering - local fullFilter filter filteringCmd - - # Do not use quotes around the $completions variable or else newline - # characters will be kept. 
- for filter in ${completions[*]}; do - fullFilter+="$filter|" - done - - filteringCmd="_filedir $fullFilter" - __istioctl_debug "File filtering command: $filteringCmd" - $filteringCmd - elif (((directive & shellCompDirectiveFilterDirs) != 0)); then - # File completion for directories only - - local subdir - subdir=${completions[0]} - if [[ -n $subdir ]]; then - __istioctl_debug "Listing directories in $subdir" - pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return - else - __istioctl_debug "Listing directories in ." - _filedir -d - fi - else - __istioctl_handle_completion_types - fi - - __istioctl_handle_special_char "$cur" : - __istioctl_handle_special_char "$cur" = - - # Print the activeHelp statements before we finish - if ((${#activeHelp[*]} != 0)); then - printf "\n"; - printf "%s\n" "${activeHelp[@]}" - printf "\n" - - # The prompt format is only available from bash 4.4. - # We test if it is available before using it. - if (x=${PS1@P}) 2> /dev/null; then - printf "%s" "${PS1@P}${COMP_LINE[@]}" - else - # Can't print the prompt. Just print the - # text the user had typed, it is workable enough. - printf "%s" "${COMP_LINE[@]}" - fi - fi -} - -# Separate activeHelp lines from real completions. -# Fills the $activeHelp and $completions arrays. 
-__istioctl_extract_activeHelp() { - local activeHelpMarker="_activeHelp_ " - local endIndex=${#activeHelpMarker} - - while IFS='' read -r comp; do - if [[ ${comp:0:endIndex} == $activeHelpMarker ]]; then - comp=${comp:endIndex} - __istioctl_debug "ActiveHelp found: $comp" - if [[ -n $comp ]]; then - activeHelp+=("$comp") - fi - else - # Not an activeHelp line but a normal completion - completions+=("$comp") - fi - done <<<"${out}" -} - -__istioctl_handle_completion_types() { - __istioctl_debug "__istioctl_handle_completion_types: COMP_TYPE is $COMP_TYPE" - - case $COMP_TYPE in - 37|42) - # Type: menu-complete/menu-complete-backward and insert-completions - # If the user requested inserting one completion at a time, or all - # completions at once on the command-line we must remove the descriptions. - # https://github.com/spf13/cobra/issues/1508 - local tab=$'\t' comp - while IFS='' read -r comp; do - [[ -z $comp ]] && continue - # Strip any description - comp=${comp%%$tab*} - # Only consider the completions that match - if [[ $comp == "$cur"* ]]; then - COMPREPLY+=("$comp") - fi - done < <(printf "%s\n" "${completions[@]}") - ;; - - *) - # Type: complete (normal completion) - __istioctl_handle_standard_completion_case - ;; - esac -} - -__istioctl_handle_standard_completion_case() { - local tab=$'\t' comp - - # Short circuit to optimize if we don't have descriptions - if [[ "${completions[*]}" != *$tab* ]]; then - IFS=$'\n' read -ra COMPREPLY -d '' < <(compgen -W "${completions[*]}" -- "$cur") - return 0 - fi - - local longest=0 - local compline - # Look for the longest completion so that we can format things nicely - while IFS='' read -r compline; do - [[ -z $compline ]] && continue - # Strip any description before checking the length - comp=${compline%%$tab*} - # Only consider the completions that match - [[ $comp == "$cur"* ]] || continue - COMPREPLY+=("$compline") - if ((${#comp}>longest)); then - longest=${#comp} - fi - done < <(printf "%s\n" 
"${completions[@]}") - - # If there is a single completion left, remove the description text - if ((${#COMPREPLY[*]} == 1)); then - __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}" - comp="${COMPREPLY[0]%%$tab*}" - __istioctl_debug "Removed description from single completion, which is now: ${comp}" - COMPREPLY[0]=$comp - else # Format the descriptions - __istioctl_format_comp_descriptions $longest - fi -} - -__istioctl_handle_special_char() -{ - local comp="$1" - local char=$2 - if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then - local word=${comp%"${comp##*${char}}"} - local idx=${#COMPREPLY[*]} - while ((--idx >= 0)); do - COMPREPLY[idx]=${COMPREPLY[idx]#"$word"} - done - fi -} - -__istioctl_format_comp_descriptions() -{ - local tab=$'\t' - local comp desc maxdesclength - local longest=$1 - - local i ci - for ci in ${!COMPREPLY[*]}; do - comp=${COMPREPLY[ci]} - # Properly format the description string which follows a tab character if there is one - if [[ "$comp" == *$tab* ]]; then - __istioctl_debug "Original comp: $comp" - desc=${comp#*$tab} - comp=${comp%%$tab*} - - # $COLUMNS stores the current shell width. - # Remove an extra 4 because we add 2 spaces and 2 parentheses. - maxdesclength=$(( COLUMNS - longest - 4 )) - - # Make sure we can fit a description of at least 8 characters - # if we are to align the descriptions. 
- if ((maxdesclength > 8)); then - # Add the proper number of spaces to align the descriptions - for ((i = ${#comp} ; i < longest ; i++)); do - comp+=" " - done - else - # Don't pad the descriptions so we can fit more text after the completion - maxdesclength=$(( COLUMNS - ${#comp} - 4 )) - fi - - # If there is enough space for any description text, - # truncate the descriptions that are too long for the shell width - if ((maxdesclength > 0)); then - if ((${#desc} > maxdesclength)); then - desc=${desc:0:$(( maxdesclength - 1 ))} - desc+="…" - fi - comp+=" ($desc)" - fi - COMPREPLY[ci]=$comp - __istioctl_debug "Final comp: $comp" - fi - done -} - -__start_istioctl() -{ - local cur prev words cword split - - COMPREPLY=() - - # Call _init_completion from the bash-completion package - # to prepare the arguments properly - if declare -F _init_completion >/dev/null 2>&1; then - _init_completion -n =: || return - else - __istioctl_init_completion -n =: || return - fi - - __istioctl_debug - __istioctl_debug "========= starting completion logic ==========" - __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword" - - # The user could have moved the cursor backwards on the command-line. - # We need to trigger completion from the $cword location, so we need - # to truncate the command-line ($words) up to the $cword location. - words=("${words[@]:0:$cword+1}") - __istioctl_debug "Truncated words[*]: ${words[*]}," - - local out directive - __istioctl_get_completion_results - __istioctl_process_completion_results -} - -if [[ $(type -t compopt) = "builtin" ]]; then - complete -o default -F __start_istioctl istioctl -else - complete -o default -o nospace -F __start_istioctl istioctl -fi - -# ex: ts=4 sw=4 et filetype=sh From 2b8f687c43615bac236d17feff4de42c65c688a7 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Sat, 19 Aug 2023 12:45:58 +0800 Subject: [PATCH 9/9] fix lint 
Signed-off-by: huabing zhao --- .golangci.yml | 45 ++++++------------- cmd/aeraki/main.go | 1 - internal/bootstrap/server.go | 8 +++- internal/controller/kube/dubbo.go | 8 ++-- internal/controller/kube/metaprotocol.go | 6 +-- internal/controller/kube/metarouter.go | 8 ++-- internal/controller/kube/redis.go | 17 +++---- internal/controller/kube/serviceentry.go | 6 +-- .../plugin/dubbo/authz/model/generator.go | 2 +- .../webhook/validation/scheme/validation.go | 2 +- internal/xds/callbacks.go | 8 ++-- 11 files changed, 48 insertions(+), 63 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index a64642dcd..5cd5ddeb6 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -15,13 +15,15 @@ --- linters-settings: depguard: - list-type: blacklist - packages: - # logging is allowed only by logutils.Log, logrus - # is allowed to use only in logutils package - - github.com/sirupsen/logrus - packages-with-error-message: - - github.com/sirupsen/logrus: "logging is allowed only by logutils.Log" + rules: + Main: + deny: + - pkg: github.com/gogo/protobuf + desc: "gogo/protobuf is deprecated, use golang/protobuf" + - pkg: gopkg.in/yaml.v2 + desc: "use sigs.k8s.io/yaml instead" + - pkg: gopkg.in/yaml.v3 + desc: "use sigs.k8s.io/yaml instead" dupl: threshold: 100 funlen: @@ -80,39 +82,18 @@ linters-settings: linters: disable-all: true enable: + - stylecheck - bodyclose - - deadcode - - depguard - - dogsled - - dupl - - errcheck - exportloopref - - funlen - - gochecknoinits - - goconst - - gocritic - - gocyclo - gofmt - goimports - - goprintffuncname + - goheader + - gocritic - gosec - - gosimple - - govet - - ineffassign - - lll - misspell - - nakedret - - noctx - - nolintlint - - staticcheck - - structcheck - - stylecheck - - typecheck + - revive - unconvert - unparam - - unused - - varcheck - - whitespace # don't enable: # - asciicheck diff --git a/cmd/aeraki/main.go b/cmd/aeraki/main.go index ee872ed67..f5ae23d06 100644 --- a/cmd/aeraki/main.go +++ b/cmd/aeraki/main.go 
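Review bot: The new `depguard` deny rules under `linters-settings` are not enforced as far as this diff shows. The second hunk of this file removes `- depguard` from the `enable` list while `disable-all: true` stays in place. Either keep `- depguard` enabled or drop the `rules:` block, so the config does not advertise an import guard that never runs. The rewrite also drops the earlier `github.com/sirupsen/logrus` restriction; if it is still wanted, add it back as a `deny` entry with `pkg: github.com/sirupsen/logrus` and a `desc`.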
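Review bot: The `enable` list loses `errcheck`, `govet`, `staticcheck`, `gosimple`, `ineffassign`, `unused` and `noctx`, and with `disable-all: true` nothing visible here turns them back on. Ignored error returns, vet-level mistakes and HTTP requests built without a context would then pass lint; `gosec` stays enabled but is not a substitute for those checks. Dropping `deadcode`, `structcheck` and `varcheck` is reasonable because they are deprecated in favour of `unused`, but then `- unused` should stay. I would keep at least `- errcheck`, `- govet`, `- staticcheck` and `- unused`, and fix or annotate the findings rather than disable the linters.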
@@ -83,7 +83,6 @@ func main() { server, err := bootstrap.NewServer(args) if err != nil { log.Fatalf("Failed to init Aeraki :%v", err) - os.Exit(1) } server.Start(stopChan) diff --git a/internal/bootstrap/server.go b/internal/bootstrap/server.go index 4874b9cc0..9775f673e 100644 --- a/internal/bootstrap/server.go +++ b/internal/bootstrap/server.go @@ -23,7 +23,7 @@ import ( "net" "net/http" - // nolint + //nolint _ "net/http/pprof" // pprof "sync" "sync/atomic" @@ -304,7 +304,11 @@ func (s *Server) Start(stop <-chan struct{}) { // pprof server go func() { - if err := http.ListenAndServe("localhost:6060", nil); err != nil { + server := &http.Server{ + Addr: "localhost:6060", + ReadHeaderTimeout: 3 * time.Second, + } + if err := server.ListenAndServe(); err != nil { aerakiLog.Errorf("failed to start pprof server") } }() diff --git a/internal/controller/kube/dubbo.go b/internal/controller/kube/dubbo.go index 5513cb725..134ed6e46 100644 --- a/internal/controller/kube/dubbo.go +++ b/internal/controller/kube/dubbo.go @@ -36,7 +36,7 @@ type DubboController struct { } // Reconcile will try to trigger once mcp push. -func (r *DubboController) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { +func (r *DubboController) Reconcile(_ context.Context, request reconcile.Request) (reconcile.Result, error) { dubboLog.Infof("reconcile: %s/%s", request.Namespace, request.Name) if r.triggerPush != nil { err := r.triggerPush() 
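Review bot: The error returned by `server.ListenAndServe()` is discarded in the log call, so a bind failure on `localhost:6060` is reported only as a bare "failed to start pprof server"; use `aerakiLog.Errorf("failed to start pprof server: %v", err)`. The new `http.Server` sets no `Handler`, so it serves `http.DefaultServeMux` with the pprof handlers registered by the blank import. The loopback address is what keeps the profiling endpoints off the network, and a short comment saying so would guard against a later change to `:6060`. The goroutine does not watch `stop`, so the listener presumably keeps running after shutdown is signalled unless that is handled elsewhere. `Start` begins before this hunk and continues after it.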
@@ -77,12 +77,12 @@ var ( UpdateFunc: func(e event.UpdateEvent) bool { switch old := e.ObjectOld.(type) { case *v1alpha1.DubboAuthorizationPolicy: - new, ok := e.ObjectNew.(*v1alpha1.DubboAuthorizationPolicy) + newDA, ok := e.ObjectNew.(*v1alpha1.DubboAuthorizationPolicy) if !ok { return false } - if old.GetDeletionTimestamp() != new.GetDeletionTimestamp() || - old.GetGeneration() != new.GetGeneration() { + if old.GetDeletionTimestamp() != newDA.GetDeletionTimestamp() || + old.GetGeneration() != newDA.GetGeneration() { return true } default: diff --git a/internal/controller/kube/metaprotocol.go b/internal/controller/kube/metaprotocol.go index 0ffbe8842..041fa0797 100644 --- a/internal/controller/kube/metaprotocol.go +++ b/internal/controller/kube/metaprotocol.go @@ -45,12 +45,12 @@ var ( UpdateFunc: func(e event.UpdateEvent) bool { switch old := e.ObjectOld.(type) { case *v1alpha1.ApplicationProtocol: - new, ok := e.ObjectNew.(*v1alpha1.ApplicationProtocol) + newAP, ok := e.ObjectNew.(*v1alpha1.ApplicationProtocol) if !ok { return false } - if old.GetDeletionTimestamp() != new.GetDeletionTimestamp() || - old.GetGeneration() != new.GetGeneration() { + if old.GetDeletionTimestamp() != newAP.GetDeletionTimestamp() || + old.GetGeneration() != newAP.GetGeneration() { return true } default: diff --git a/internal/controller/kube/metarouter.go b/internal/controller/kube/metarouter.go index 2e8c9fa00..12acd06be 100644 --- a/internal/controller/kube/metarouter.go +++ b/internal/controller/kube/metarouter.go 
@@ -43,12 +43,12 @@ var ( UpdateFunc: func(e event.UpdateEvent) bool { switch old := e.ObjectOld.(type) { case *v1alpha1.MetaRouter: - new, ok := e.ObjectNew.(*v1alpha1.MetaRouter) + newMR, ok := e.ObjectNew.(*v1alpha1.MetaRouter) if !ok { return false } - if old.GetDeletionTimestamp() != new.GetDeletionTimestamp() || - old.GetGeneration() != new.GetGeneration() { + if old.GetDeletionTimestamp() != newMR.GetDeletionTimestamp() || + old.GetGeneration() != newMR.GetGeneration() { return true } default: @@ -66,7 +66,7 @@ type MetaRouterController struct { } // Reconcile will try to trigger once mcp push. -func (r *MetaRouterController) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { +func (r *MetaRouterController) Reconcile(_ context.Context, request reconcile.Request) (reconcile.Result, error) { metaRouterLog.Infof("reconcile: %s/%s", request.Namespace, request.Name) if r.metaRouterCallback != nil { err := r.metaRouterCallback() diff --git a/internal/controller/kube/redis.go b/internal/controller/kube/redis.go index ab78f5d9f..8c0116c80 100644 --- a/internal/controller/kube/redis.go +++ b/internal/controller/kube/redis.go @@ -36,7 +36,7 @@ type RedisController struct { } // Reconcile will try to trigger once mcp push. -func (r *RedisController) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { +func (r *RedisController) Reconcile(_ context.Context, request reconcile.Request) (reconcile.Result, error) { redisLog.Infof("reconcile: %s/%s", request.Namespace, request.Name) if r.triggerPush != nil { err := r.triggerPush() 
@@ -55,7 +55,8 @@ func AddRedisServiceController(mgr manager.Manager, triggerPush func() error) er return err } // Watch for changes to primary resource IstioFilter - err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.RedisService{}), &handler.EnqueueRequestForObject{}, redisPredicates) + err = c.Watch(source.Kind(mgr.GetCache(), &v1alpha1.RedisService{}), + &handler.EnqueueRequestForObject{}, redisPredicates) if err != nil { return err } @@ -91,21 +92,21 @@ var ( UpdateFunc: func(e event.UpdateEvent) bool { switch old := e.ObjectOld.(type) { case *v1alpha1.RedisService: - new, ok := e.ObjectNew.(*v1alpha1.RedisService) + newRS, ok := e.ObjectNew.(*v1alpha1.RedisService) if !ok { return false } - if old.GetDeletionTimestamp() != new.GetDeletionTimestamp() || - old.GetGeneration() != new.GetGeneration() { + if old.GetDeletionTimestamp() != newRS.GetDeletionTimestamp() || + old.GetGeneration() != newRS.GetGeneration() { return true } case *v1alpha1.RedisDestination: - new, ok := e.ObjectNew.(*v1alpha1.RedisDestination) + newRD, ok := e.ObjectNew.(*v1alpha1.RedisDestination) if !ok { return false } - if old.GetDeletionTimestamp() != new.GetDeletionTimestamp() || - old.GetGeneration() != new.GetGeneration() { + if old.GetDeletionTimestamp() != newRD.GetDeletionTimestamp() || + old.GetGeneration() != newRD.GetGeneration() { return true } default: diff --git a/internal/controller/kube/serviceentry.go b/internal/controller/kube/serviceentry.go index d22936f0f..3a369a0a1 100644 --- a/internal/controller/kube/serviceentry.go +++ b/internal/controller/kube/serviceentry.go 
@@ -51,12 +51,12 @@ var ( UpdateFunc: func(e event.UpdateEvent) bool { switch old := e.ObjectOld.(type) { case *networking.ServiceEntry: - new, ok := e.ObjectNew.(*networking.ServiceEntry) + newSE, ok := e.ObjectNew.(*networking.ServiceEntry) if !ok { return false } - if old.GetDeletionTimestamp() != new.GetDeletionTimestamp() || - old.GetGeneration() != new.GetGeneration() { + if old.GetDeletionTimestamp() != newSE.GetDeletionTimestamp() || + old.GetGeneration() != newSE.GetGeneration() { return true } default: diff --git a/internal/plugin/dubbo/authz/model/generator.go b/internal/plugin/dubbo/authz/model/generator.go index c15dfdd74..8bfcb0eaa 100644 --- a/internal/plugin/dubbo/authz/model/generator.go +++ b/internal/plugin/dubbo/authz/model/generator.go @@ -73,7 +73,7 @@ func (srcPrincipalGenerator) permission(_, _ string) (*rbacpb.Permission, error) return nil, fmt.Errorf("unimplemented") } -func (srcPrincipalGenerator) principal(key, value string) (*rbacpb.Principal, error) { +func (srcPrincipalGenerator) principal(_, value string) (*rbacpb.Principal, error) { m := matcher.StringMatcherWithPrefix(value, spiffe.URIPrefix) return principalAuthenticated(m), nil } diff --git a/internal/webhook/validation/scheme/validation.go b/internal/webhook/validation/scheme/validation.go index 0a3ac51d6..f59d98268 100644 --- a/internal/webhook/validation/scheme/validation.go +++ b/internal/webhook/validation/scheme/validation.go @@ -378,7 +378,7 @@ func validateMetaRouteMatch(match *metaprotocol.MetaRouteMatch) (errs error) { // nolint: unparam func analyzeUnreachableMetaRules(routes []*metaprotocol.MetaRoute, - reportUnreachable func(ruleno, reason string), reportIneffective func(ruleno, matchno, dupno string)) { + reportUnreachable func(ruleno, reason string), _ func(ruleno, matchno, dupno string)) { emptyMatchEncountered := -1 for rulen, route := range routes { if route == nil { 
diff --git a/internal/xds/callbacks.go b/internal/xds/callbacks.go index bb83cd2a9..ea7c5f367 100644 --- a/internal/xds/callbacks.go +++ b/internal/xds/callbacks.go @@ -61,13 +61,13 @@ func (cb *callbacks) OnStreamResponse(_ context.Context, _ int64, request *disco response *discovery.DiscoveryResponse) { xdsLog.Debugf("send rds response to: %s :%v", request.Node.Id, response.Resources) } -func (cb *callbacks) OnStreamDeltaResponse(id int64, req *discovery.DeltaDiscoveryRequest, - res *discovery.DeltaDiscoveryResponse) { +func (cb *callbacks) OnStreamDeltaResponse(_ int64, _ *discovery.DeltaDiscoveryRequest, + _ *discovery.DeltaDiscoveryResponse) { } -func (cb *callbacks) OnStreamDeltaRequest(id int64, req *discovery.DeltaDiscoveryRequest) error { +func (cb *callbacks) OnStreamDeltaRequest(_ int64, _ *discovery.DeltaDiscoveryRequest) error { return nil } -func (cb *callbacks) OnFetchRequest(_ context.Context, req *discovery.DiscoveryRequest) error { +func (cb *callbacks) OnFetchRequest(_ context.Context, _ *discovery.DiscoveryRequest) error { return nil } func (cb *callbacks) OnFetchResponse(*discovery.DiscoveryRequest, *discovery.DiscoveryResponse) {}