6 # Source: istio/charts/mixer/templates/configmap.yaml
10 name: istio-statsd-prom-bridge
11 namespace: istio-system
13 app: istio-statsd-prom-bridge
24 name: istio-mixer-custom-resources
25 namespace: istio-system
33 custom-resources.yaml: |-
34 apiVersion: "config.istio.io/v1alpha2"
35 kind: attributemanifest
38 namespace: istio-system
91 connection.received.bytes:
93 connection.received.bytes_total:
95 connection.sent.bytes:
97 connection.sent.bytes_total:
117 request.auth.principal:
119 request.auth.audiences:
121 request.auth.presenter:
124 valueType: STRING_MAP
125 request.auth.raw_claims:
131 apiVersion: "config.istio.io/v1alpha2"
132 kind: attributemanifest
135 namespace: istio-system
139 valueType: IP_ADDRESS
141 valueType: STRING_MAP
148 source.serviceAccount:
151 valueType: IP_ADDRESS
153 valueType: STRING_MAP
156 destination.namespace:
160 destination.serviceAccount:
163 apiVersion: "config.istio.io/v1alpha2"
167 namespace: istio-system
171 apiVersion: "config.istio.io/v1alpha2"
175 namespace: istio-system
178 timestamp: request.time
180 originIp: origin.ip | ip("0.0.0.0")
181 sourceIp: source.ip | ip("0.0.0.0")
182 sourceService: source.service | ""
183 sourceUser: source.user | source.uid | ""
184 sourceNamespace: source.namespace | ""
185 destinationIp: destination.ip | ip("0.0.0.0")
186 destinationService: destination.service | ""
187 destinationNamespace: destination.namespace | ""
188 apiName: api.service | ""
189 apiVersion: api.version | ""
# NOTE(review): these two fields copy credential-bearing request data into the log entry:
# the sec-istio-auth-userinfo header and the API key (request.api_key, else the x-api-key
# header). Anyone who can read the output of the handler this logentry is routed to can
# read those values; drop or redact them unless the log consumer needs them.
190 apiClaims: request.headers["sec-istio-auth-userinfo"]| ""
191 apiKey: request.api_key | request.headers["x-api-key"] | ""
192 requestOperation: api.operation | ""
193 protocol: request.scheme | "http"
194 method: request.method | ""
195 url: request.path | ""
196 responseCode: response.code | 0
197 responseSize: response.size | 0
198 requestSize: request.size | 0
199 latency: response.duration | "0ms"
200 connectionMtls: connection.mtls | false
201 userAgent: request.useragent | ""
202 responseTimestamp: response.time
203 receivedBytes: request.total_size | connection.received.bytes | 0
204 sentBytes: response.total_size | connection.sent.bytes | 0
205 referer: request.referer | ""
206 monitored_resource_type: '"UNSPECIFIED"'
208 apiVersion: "config.istio.io/v1alpha2"
212 namespace: istio-system
214 match: "true" # If omitted match is true.
216 - handler: handler.stdio
220 apiVersion: "config.istio.io/v1alpha2"
224 namespace: istio-system
228 source_service: source.service | "unknown"
229 source_version: source.labels["version"] | "unknown"
230 destination_service: destination.service | "unknown"
231 destination_version: destination.labels["version"] | "unknown"
232 response_code: response.code | 200
233 connection_mtls: connection.mtls | false
234 monitored_resource_type: '"UNSPECIFIED"'
236 apiVersion: "config.istio.io/v1alpha2"
239 name: requestduration
240 namespace: istio-system
242 value: response.duration | "0ms"
244 source_service: source.service | "unknown"
245 source_version: source.labels["version"] | "unknown"
246 destination_service: destination.service | "unknown"
247 destination_version: destination.labels["version"] | "unknown"
248 response_code: response.code | 200
249 connection_mtls: connection.mtls | false
250 monitored_resource_type: '"UNSPECIFIED"'
252 apiVersion: "config.istio.io/v1alpha2"
256 namespace: istio-system
258 value: request.size | 0
260 source_service: source.service | "unknown"
261 source_version: source.labels["version"] | "unknown"
262 destination_service: destination.service | "unknown"
263 destination_version: destination.labels["version"] | "unknown"
264 response_code: response.code | 200
265 connection_mtls: connection.mtls | false
266 monitored_resource_type: '"UNSPECIFIED"'
268 apiVersion: "config.istio.io/v1alpha2"
272 namespace: istio-system
274 value: response.size | 0
276 source_service: source.service | "unknown"
277 source_version: source.labels["version"] | "unknown"
278 destination_service: destination.service | "unknown"
279 destination_version: destination.labels["version"] | "unknown"
280 response_code: response.code | 200
281 connection_mtls: connection.mtls | false
282 monitored_resource_type: '"UNSPECIFIED"'
284 apiVersion: "config.istio.io/v1alpha2"
288 namespace: istio-system
290 istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
292 value: connection.sent.bytes | 0
294 source_service: source.service | "unknown"
295 source_version: source.labels["version"] | "unknown"
296 destination_service: destination.service | "unknown"
297 destination_version: destination.labels["version"] | "unknown"
298 connection_mtls: connection.mtls | false
299 monitored_resource_type: '"UNSPECIFIED"'
301 apiVersion: "config.istio.io/v1alpha2"
304 name: tcpbytereceived
305 namespace: istio-system
307 istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
309 value: connection.received.bytes | 0
311 source_service: source.service | "unknown"
312 source_version: source.labels["version"] | "unknown"
313 destination_service: destination.service | "unknown"
314 destination_version: destination.labels["version"] | "unknown"
315 connection_mtls: connection.mtls | false
316 monitored_resource_type: '"UNSPECIFIED"'
318 apiVersion: "config.istio.io/v1alpha2"
322 namespace: istio-system
325 - name: request_count
326 instance_name: requestcount.metric.istio-system
331 - destination_service
332 - destination_version
335 - name: request_duration
336 instance_name: requestduration.metric.istio-system
341 - destination_service
342 - destination_version
347 bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
349 instance_name: requestsize.metric.istio-system
354 - destination_service
355 - destination_version
363 - name: response_size
364 instance_name: responsesize.metric.istio-system
369 - destination_service
370 - destination_version
378 - name: tcp_bytes_sent
379 instance_name: tcpbytesent.metric.istio-system
384 - destination_service
385 - destination_version
387 - name: tcp_bytes_received
388 instance_name: tcpbytereceived.metric.istio-system
393 - destination_service
394 - destination_version
397 apiVersion: "config.istio.io/v1alpha2"
401 namespace: istio-system
406 - handler: handler.prometheus
408 - requestcount.metric
409 - requestduration.metric
411 - responsesize.metric
413 apiVersion: "config.istio.io/v1alpha2"
417 namespace: istio-system
419 istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP
422 - handler: handler.prometheus
425 - tcpbytereceived.metric
428 apiVersion: "config.istio.io/v1alpha2"
432 namespace: istio-system
434 # when running from mixer root, use the following config after adding a
435 # symbolic link to a kubernetes config file via:
437 # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
439 # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
442 apiVersion: "config.istio.io/v1alpha2"
445 name: kubeattrgenrulerule
446 namespace: istio-system
449 - handler: handler.kubernetesenv
451 - attributes.kubernetes
453 apiVersion: "config.istio.io/v1alpha2"
456 name: tcpkubeattrgenrulerule
457 namespace: istio-system
459 match: context.protocol == "tcp"
461 - handler: handler.kubernetesenv
463 - attributes.kubernetes
465 apiVersion: "config.istio.io/v1alpha2"
469 namespace: istio-system
471 # Pass the required attribute data to the adapter
472 source_uid: source.uid | ""
473 source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
474 destination_uid: destination.uid | ""
476 origin_ip: ip("0.0.0.0") # default to unspecified ip addr
478 # Fill the new attributes from the adapter produced output.
479 # $out refers to an instance of OutputTemplate message
480 source.ip: $out.source_pod_ip | ip("0.0.0.0")
481 source.labels: $out.source_labels | emptyStringMap()
482 source.namespace: $out.source_namespace | "default"
483 source.service: $out.source_service | "unknown"
484 source.serviceAccount: $out.source_service_account_name | "unknown"
485 destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
486 destination.labels: $out.destination_labels | emptyStringMap()
487 destination.namespace: $out.destination_namespace | "default"
488 destination.service: $out.destination_service | "unknown"
489 destination.serviceAccount: $out.destination_service_account_name | "unknown"
491 # Configuration needed by Mixer.
492 # Mixer cluster is delivered via CDS
493 # Specify mixer cluster settings
494 apiVersion: networking.istio.io/v1alpha3
495 kind: DestinationRule
498 namespace: istio-system
500 host: istio-policy.istio-system.svc.cluster.local
504 http2MaxRequests: 10000
505 maxRequestsPerConnection: 10000
507 apiVersion: networking.istio.io/v1alpha3
508 kind: DestinationRule
510 name: istio-telemetry
511 namespace: istio-system
513 host: istio-telemetry.istio-system.svc.cluster.local
517 http2MaxRequests: 10000
518 maxRequestsPerConnection: 10000
523 # Source: istio/charts/prometheus/templates/configmap.yaml
528 namespace: istio-system
531 chart: prometheus-0.1.0
532 release: RELEASE-NAME
540 - job_name: 'istio-mesh'
541 # Override the global default and scrape targets from this job every 5 seconds.
544 kubernetes_sd_configs:
548 - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
550 regex: istio-system;istio-telemetry;prometheus
553 # Override the global default and scrape targets from this job every 5 seconds.
555 # metrics_path defaults to '/metrics'
556 # scheme defaults to 'http'.
558 kubernetes_sd_configs:
562 - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
564 regex: istio-system;istio-statsd-prom-bridge;statsd-prom
566 - job_name: 'istio-policy'
567 # Override the global default and scrape targets from this job every 5 seconds.
569 # metrics_path defaults to '/metrics'
570 # scheme defaults to 'http'.
572 kubernetes_sd_configs:
576 - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
578 regex: istio-system;istio-policy;http-monitoring
580 - job_name: 'istio-telemetry'
581 # Override the global default and scrape targets from this job every 5 seconds.
583 # metrics_path defaults to '/metrics'
584 # scheme defaults to 'http'.
586 kubernetes_sd_configs:
590 - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
592 regex: istio-system;istio-telemetry;http-monitoring
595 # Override the global default and scrape targets from this job every 5 seconds.
597 # metrics_path defaults to '/metrics'
598 # scheme defaults to 'http'.
600 kubernetes_sd_configs:
604 - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
606 regex: istio-system;istio-pilot;http-monitoring
608 # scrape config for API servers
609 - job_name: 'kubernetes-apiservers'
610 kubernetes_sd_configs:
614 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
615 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
617 - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
619 regex: default;kubernetes;https
621 # scrape config for nodes (kubelet)
# NOTE(review): the relabeling below points every node target at the API server
# (kubernetes.default.svc:443) and the node proxy path, authenticated with the pod's
# service-account token. The Prometheus service account therefore needs nodes/proxy
# access, which reaches more of the kubelet API than metrics alone; check that the
# role bound to it grants nothing beyond what these jobs use.
622 - job_name: 'kubernetes-nodes'
625 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
626 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
627 kubernetes_sd_configs:
631 regex: __meta_kubernetes_node_label_(.+)
632 - target_label: __address__
633 replacement: kubernetes.default.svc:443
634 - source_labels: [__meta_kubernetes_node_name]
636 target_label: __metrics_path__
637 replacement: /api/v1/nodes/${1}/proxy/metrics
639 # Scrape config for Kubelet cAdvisor.
641 # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
642 # (those whose names begin with 'container_') have been removed from the
643 # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
644 # retrieve those metrics.
646 # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
647 # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
648 # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
649 # the --cadvisor-port=0 Kubelet flag).
651 # This job is not necessary and should be removed in Kubernetes 1.6 and
652 # earlier versions, or it will cause the metrics to be scraped twice.
653 - job_name: 'kubernetes-cadvisor'
656 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
657 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
658 kubernetes_sd_configs:
662 regex: __meta_kubernetes_node_label_(.+)
663 - target_label: __address__
664 replacement: kubernetes.default.svc:443
665 - source_labels: [__meta_kubernetes_node_name]
667 target_label: __metrics_path__
668 replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
670 # scrape config for service endpoints.
# NOTE(review): the scrape decision, scheme, metrics path and port of each target are read
# from prometheus.io/* annotations on the Service, so whoever can edit Service annotations
# decides which in-cluster URL Prometheus requests. Limit who may set these annotations, or
# constrain Prometheus egress with a NetworkPolicy. The kubernetes-pods job later in this
# config reads the equivalent pod annotations.
671 - job_name: 'kubernetes-service-endpoints'
672 kubernetes_sd_configs:
675 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
678 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
680 target_label: __scheme__
682 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
684 target_label: __metrics_path__
686 - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
688 target_label: __address__
689 regex: ([^:]+)(?::\d+)?;(\d+)
692 regex: __meta_kubernetes_service_label_(.+)
693 - source_labels: [__meta_kubernetes_namespace]
695 target_label: kubernetes_namespace
696 - source_labels: [__meta_kubernetes_service_name]
698 target_label: kubernetes_name
700 # Example scrape config for pods
701 - job_name: 'kubernetes-pods'
702 kubernetes_sd_configs:
706 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
709 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
711 target_label: __metrics_path__
713 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
715 regex: ([^:]+)(?::\d+)?;(\d+)
717 target_label: __address__
719 regex: __meta_kubernetes_pod_label_(.+)
720 - source_labels: [__meta_kubernetes_namespace]
722 target_label: namespace
723 - source_labels: [__meta_kubernetes_pod_name]
725 target_label: pod_name
728 # Source: istio/templates/configmap.yaml
733 namespace: istio-system
737 release: RELEASE-NAME
742 # Edit this list to avoid using mTLS to connect to these services.
743 # Typically, these are control services (e.g. the Kubernetes API server) that don't have an Istio sidecar
744 # to transparently terminate mTLS authentication.
745 # mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"]
747 # Set the following variable to true to disable policy checks by the Mixer.
748 # Note that metrics will still be reported to the Mixer.
749 disablePolicyChecks: false
750 # Set enableTracing to false to disable request tracing.
753 # To disable the mixer completely (including metrics), comment out
754 # the following lines
755 mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
756 mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
757 # This is the ingress service name, update if you used a different name
758 ingressService: istio-ingress
760 # Along with discoveryRefreshDelay, this setting determines how
761 # frequently Envoy should fetch and update its internal configuration
762 # from istio Pilot. Lower refresh delay results in higher CPU
763 # utilization and potential performance loss in exchange for faster
764 # convergence. Tweak this value according to your setup.
768 # NOTE: If you change any values in this section, make sure to make
769 # the same changes in start up args in istio-ingress pods.
770 # See rdsRefreshDelay for explanation about this setting.
771 discoveryRefreshDelay: 10s
773 # TCP connection timeout between Envoy & the application, and between Envoys.
776 ### ADVANCED SETTINGS #############
777 # Where should envoy's configuration be stored in the istio-proxy container
778 configPath: "/etc/istio/proxy"
779 binaryPath: "/usr/local/bin/envoy"
780 # The pseudo service name used for Envoy.
781 serviceCluster: istio-proxy
782 # These settings determine how long an old Envoy
783 # process should be kept alive after an occasional reload.
785 parentShutdownDuration: 1m0s
787 # The mode used to redirect inbound connections to Envoy. This setting
788 # has no effect on outbound traffic: iptables REDIRECT is always used for
789 # outbound connections.
790 # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
791 # The "REDIRECT" mode loses source addresses during redirection.
792 # If "TPROXY", use iptables TPROXY to redirect to Envoy.
793 # The "TPROXY" mode preserves both the source and destination IP
794 # addresses and ports, so that they can be used for advanced filtering
796 # The "TPROXY" mode also configures the sidecar to run with the
797 # CAP_NET_ADMIN capability, which is required to use TPROXY.
798 #interceptionMode: REDIRECT
800 # Port where Envoy listens (on local host) for admin commands
801 # You can exec into the istio-proxy container in a pod and
802 # curl the admin port (curl http://localhost:15000/) to obtain
803 # diagnostic information from Envoy. See
804 # https://lyft.github.io/envoy/docs/operations/admin.html
# NOTE(review): the Envoy admin interface has no authentication of its own and can change
# proxy state as well as read it. Any container sharing the pod's network namespace, and
# anyone allowed to exec into the pod, can reach this port; keep it bound to localhost and
# treat pods/exec permission in injected namespaces as access to the proxy.
806 proxyAdminPort: 15000
808 # Zipkin trace collector
809 zipkinAddress: zipkin.istio-system:9411
811 # Statsd metrics collector converts statsd metrics into Prometheus metrics.
812 statsdUdpAddress: istio-statsd-prom-bridge.istio-system:9125
814 # Mutual TLS authentication between sidecars and istio control plane.
# NOTE(review): NONE leaves sidecar-to-control-plane connections without mutual TLS
# (MUTUAL_TLS is the value that enables it), so proxies do not authenticate the Pilot
# they take configuration from. The discoveryAddress below uses port 15007, presumably
# Pilot's plaintext discovery port; confirm, and change both settings together.
815 controlPlaneAuthPolicy: NONE
817 # Address where istio Pilot service is running
818 discoveryAddress: istio-pilot.istio-system:15007
821 # Source: istio/templates/sidecar-injector-configmap.yaml
825 name: istio-sidecar-injector
826 namespace: istio-system
830 release: RELEASE-NAME
832 istio: sidecar-injector
839 image: docker.io/istio/proxy_init:0.8.0
842 - [[ .MeshConfig.ProxyListenPort ]]
846 - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
848 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
849 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
854 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
855 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
860 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
861 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
863 - [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]
865 [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]]
866 - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]"
870 imagePullPolicy: IfNotPresent
876 restartPolicy: Always
# NOTE(review): when the pod carries a sidecar.istio.io/proxyImage annotation, the injected
# sidecar image is taken from that annotation, so whoever can create pods in an injected
# namespace chooses what runs as istio-proxy; restrict the allowed images with an admission
# policy if that is not intended. The fallback is the proxy_debug build, referenced by tag
# rather than digest; confirm a debug image is wanted outside test clusters.
880 image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
881 "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
883 docker.io/istio/proxy_debug:0.8.0
889 - [[ .ProxyConfig.ConfigPath ]]
891 - [[ .ProxyConfig.BinaryPath ]]
893 [[ if ne "" (index .ObjectMeta.Labels "app") -]]
894 - [[ index .ObjectMeta.Labels "app" ]]
899 - [[ formatDuration .ProxyConfig.DrainDuration ]]
900 - --parentShutdownDuration
901 - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
903 - [[ .ProxyConfig.DiscoveryAddress ]]
904 - --discoveryRefreshDelay
905 - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]
907 - [[ .ProxyConfig.ZipkinAddress ]]
909 - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
911 - [[ .ProxyConfig.StatsdUdpAddress ]]
913 - [[ .ProxyConfig.ProxyAdminPort ]]
914 - --controlPlaneAuthPolicy
915 - [[ .ProxyConfig.ControlPlaneAuthPolicy ]]
920 fieldPath: metadata.name
921 - name: POD_NAMESPACE
924 fieldPath: metadata.namespace
928 fieldPath: status.podIP
929 - name: ISTIO_META_POD_NAME
932 fieldPath: metadata.name
933 - name: ISTIO_META_INTERCEPTION_MODE
934 value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
935 imagePullPolicy: IfNotPresent
938 readOnlyRootFilesystem: true
939 [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
946 restartPolicy: Always
953 - mountPath: /etc/istio/proxy
955 - mountPath: /etc/certs/
965 [[ if eq .Spec.ServiceAccountName "" -]]
966 secretName: istio.default
968 secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
973 # Source: istio/charts/egressgateway/templates/serviceaccount.yaml
977 name: istio-egressgateway-service-account
978 namespace: istio-system
981 chart: egressgateway-0.8.0
983 release: RELEASE-NAME
986 # Source: istio/charts/ingressgateway/templates/serviceaccount.yaml
990 name: istio-ingressgateway-service-account
991 namespace: istio-system
994 chart: ingressgateway-0.8.0
996 release: RELEASE-NAME
999 # Source: istio/charts/mixer/templates/create-custom-resources-job.yaml
1001 kind: ServiceAccount
1003 name: istio-mixer-post-install-account
1004 namespace: istio-system
1009 release: RELEASE-NAME
1011 apiVersion: rbac.authorization.k8s.io/v1beta1
1014 name: istio-mixer-post-install-istio-system
1015 namespace: istio-system
1020 release: RELEASE-NAME
1022 - apiGroups: ["config.istio.io"] # istio CRD watcher
1024 verbs: ["create", "get", "list", "watch", "patch"]
1025 - apiGroups: ["networking.istio.io"] # needed to create mixer destination rules
1028 - apiGroups: ["apiextensions.k8s.io"]
1029 resources: ["customresourcedefinitions"]
1030 verbs: ["get", "list", "watch"]
# NOTE(review): this rule grants read access to Secrets alongside the other listed core
# resources. The role is referenced by a ClusterRoleBinding further down, so the grant is
# presumably cluster-wide. The post-install job that uses this account is given
# /tmp/mixer/custom-resources.yaml as its argument; confirm it needs "secrets" at all and
# remove it from this list if not.
1032 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
1033 verbs: ["get", "list", "watch"]
1035 apiVersion: rbac.authorization.k8s.io/v1beta1
1036 kind: ClusterRoleBinding
1038 name: istio-mixer-post-install-role-binding-istio-system
1043 release: RELEASE-NAME
1045 apiGroup: rbac.authorization.k8s.io
1047 name: istio-mixer-post-install-istio-system
1049 - kind: ServiceAccount
1050 name: istio-mixer-post-install-account
1051 namespace: istio-system
1054 apiVersion: batch/v1
1057 name: istio-mixer-post-install
1058 namespace: istio-system
1060 "helm.sh/hook": post-install
1061 "helm.sh/hook-delete-policy": before-hook-creation
1065 release: RELEASE-NAME
1070 name: istio-mixer-post-install
1073 release: RELEASE-NAME
1075 serviceAccountName: istio-mixer-post-install-account
# NOTE(review): the job image is referenced by a mutable tag. Pinning it by digest
# (quay.io/coreos/hyperkube@sha256:<digest-placeholder>) keeps this job, which runs with
# the service account above, from picking up a re-pushed image.
1078 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
1083 - /tmp/mixer/custom-resources.yaml
1085 - mountPath: "/tmp/mixer"
1086 name: tmp-configmap-mixer
1088 - name: tmp-configmap-mixer
1090 name: istio-mixer-custom-resources
1091 restartPolicy: Never # CRD might take some time till they are available to consume
1094 # Source: istio/charts/mixer/templates/serviceaccount.yaml
1097 kind: ServiceAccount
1099 name: istio-mixer-service-account
1100 namespace: istio-system
1105 release: RELEASE-NAME
1108 # Source: istio/charts/pilot/templates/serviceaccount.yaml
1111 kind: ServiceAccount
1113 name: istio-pilot-service-account
1114 namespace: istio-system
1119 release: RELEASE-NAME
1122 # Source: istio/charts/prometheus/templates/serviceaccount.yaml
1125 kind: ServiceAccount
1128 namespace: istio-system
1131 # Source: istio/charts/security/templates/serviceaccount.yaml
1134 kind: ServiceAccount
1136 name: istio-citadel-service-account
1137 namespace: istio-system
1140 chart: security-0.8.0
1142 release: RELEASE-NAME
1145 kind: ServiceAccount
1147 name: istio-cleanup-old-ca-service-account
1148 namespace: istio-system
1151 chart: security-0.8.0
1153 release: RELEASE-NAME
1156 # Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
1158 kind: ServiceAccount
1160 name: istio-sidecar-injector-service-account
1161 namespace: istio-system
1163 app: istio-sidecar-injector
1164 chart: sidecarInjectorWebhook-0.8.0
1166 release: RELEASE-NAME
1169 # Source: istio/charts/mixer/templates/crds.yaml
1171 kind: CustomResourceDefinition
1172 apiVersion: apiextensions.k8s.io/v1beta1
1174 name: rules.config.istio.io
1177 package: istio.io.mixer
1180 group: config.istio.io
1189 kind: CustomResourceDefinition
1190 apiVersion: apiextensions.k8s.io/v1beta1
1192 name: attributemanifests.config.istio.io
1195 package: istio.io.mixer
1198 group: config.istio.io
1200 kind: attributemanifest
1201 plural: attributemanifests
1202 singular: attributemanifest
1207 kind: CustomResourceDefinition
1208 apiVersion: apiextensions.k8s.io/v1beta1
1210 name: circonuses.config.istio.io
1214 istio: mixer-adapter
1216 group: config.istio.io
1225 kind: CustomResourceDefinition
1226 apiVersion: apiextensions.k8s.io/v1beta1
1228 name: deniers.config.istio.io
1232 istio: mixer-adapter
1234 group: config.istio.io
1243 kind: CustomResourceDefinition
1244 apiVersion: apiextensions.k8s.io/v1beta1
1246 name: fluentds.config.istio.io
1250 istio: mixer-adapter
1252 group: config.istio.io
1261 kind: CustomResourceDefinition
1262 apiVersion: apiextensions.k8s.io/v1beta1
1264 name: kubernetesenvs.config.istio.io
1267 package: kubernetesenv
1268 istio: mixer-adapter
1270 group: config.istio.io
1273 plural: kubernetesenvs
1274 singular: kubernetesenv
1279 kind: CustomResourceDefinition
1280 apiVersion: apiextensions.k8s.io/v1beta1
1282 name: listcheckers.config.istio.io
1285 package: listchecker
1286 istio: mixer-adapter
1288 group: config.istio.io
1291 plural: listcheckers
1292 singular: listchecker
1297 kind: CustomResourceDefinition
1298 apiVersion: apiextensions.k8s.io/v1beta1
1300 name: memquotas.config.istio.io
1304 istio: mixer-adapter
1306 group: config.istio.io
1315 kind: CustomResourceDefinition
1316 apiVersion: apiextensions.k8s.io/v1beta1
1318 name: noops.config.istio.io
1322 istio: mixer-adapter
1324 group: config.istio.io
1333 kind: CustomResourceDefinition
1334 apiVersion: apiextensions.k8s.io/v1beta1
1336 name: opas.config.istio.io
1340 istio: mixer-adapter
1342 group: config.istio.io
1351 kind: CustomResourceDefinition
1352 apiVersion: apiextensions.k8s.io/v1beta1
1354 name: prometheuses.config.istio.io
1358 istio: mixer-adapter
1360 group: config.istio.io
1363 plural: prometheuses
1364 singular: prometheus
1369 kind: CustomResourceDefinition
1370 apiVersion: apiextensions.k8s.io/v1beta1
1372 name: rbacs.config.istio.io
1376 istio: mixer-adapter
1378 group: config.istio.io
1387 kind: CustomResourceDefinition
1388 apiVersion: apiextensions.k8s.io/v1beta1
1390 name: servicecontrols.config.istio.io
1393 package: servicecontrol
1394 istio: mixer-adapter
1396 group: config.istio.io
1398 kind: servicecontrol
1399 plural: servicecontrols
1400 singular: servicecontrol
1405 kind: CustomResourceDefinition
1406 apiVersion: apiextensions.k8s.io/v1beta1
1408 name: solarwindses.config.istio.io
1412 istio: mixer-adapter
1414 group: config.istio.io
1417 plural: solarwindses
1418 singular: solarwinds
1423 kind: CustomResourceDefinition
1424 apiVersion: apiextensions.k8s.io/v1beta1
1426 name: stackdrivers.config.istio.io
1429 package: stackdriver
1430 istio: mixer-adapter
1432 group: config.istio.io
1435 plural: stackdrivers
1436 singular: stackdriver
1441 kind: CustomResourceDefinition
1442 apiVersion: apiextensions.k8s.io/v1beta1
1444 name: statsds.config.istio.io
1448 istio: mixer-adapter
1450 group: config.istio.io
1459 kind: CustomResourceDefinition
1460 apiVersion: apiextensions.k8s.io/v1beta1
1462 name: stdios.config.istio.io
1466 istio: mixer-adapter
1468 group: config.istio.io
1477 kind: CustomResourceDefinition
1478 apiVersion: apiextensions.k8s.io/v1beta1
1480 name: apikeys.config.istio.io
1484 istio: mixer-instance
1486 group: config.istio.io
1495 kind: CustomResourceDefinition
1496 apiVersion: apiextensions.k8s.io/v1beta1
1498 name: authorizations.config.istio.io
1501 package: authorization
1502 istio: mixer-instance
1504 group: config.istio.io
1507 plural: authorizations
1508 singular: authorization
1513 kind: CustomResourceDefinition
1514 apiVersion: apiextensions.k8s.io/v1beta1
1516 name: checknothings.config.istio.io
1519 package: checknothing
1520 istio: mixer-instance
1522 group: config.istio.io
1525 plural: checknothings
1526 singular: checknothing
1531 kind: CustomResourceDefinition
1532 apiVersion: apiextensions.k8s.io/v1beta1
1534 name: kuberneteses.config.istio.io
1537 package: adapter.template.kubernetes
1538 istio: mixer-instance
1540 group: config.istio.io
1543 plural: kuberneteses
1544 singular: kubernetes
1549 kind: CustomResourceDefinition
1550 apiVersion: apiextensions.k8s.io/v1beta1
1552 name: listentries.config.istio.io
1556 istio: mixer-instance
1558 group: config.istio.io
1567 kind: CustomResourceDefinition
1568 apiVersion: apiextensions.k8s.io/v1beta1
1570 name: logentries.config.istio.io
1574 istio: mixer-instance
1576 group: config.istio.io
1585 kind: CustomResourceDefinition
1586 apiVersion: apiextensions.k8s.io/v1beta1
1588 name: metrics.config.istio.io
1592 istio: mixer-instance
1594 group: config.istio.io
1603 kind: CustomResourceDefinition
1604 apiVersion: apiextensions.k8s.io/v1beta1
1606 name: quotas.config.istio.io
1610 istio: mixer-instance
1612 group: config.istio.io
1621 kind: CustomResourceDefinition
1622 apiVersion: apiextensions.k8s.io/v1beta1
1624 name: reportnothings.config.istio.io
1627 package: reportnothing
1628 istio: mixer-instance
1630 group: config.istio.io
1633 plural: reportnothings
1634 singular: reportnothing
1639 kind: CustomResourceDefinition
1640 apiVersion: apiextensions.k8s.io/v1beta1
1642 name: servicecontrolreports.config.istio.io
1645 package: servicecontrolreport
1646 istio: mixer-instance
1648 group: config.istio.io
1650 kind: servicecontrolreport
1651 plural: servicecontrolreports
1652 singular: servicecontrolreport
1657 kind: CustomResourceDefinition
1658 apiVersion: apiextensions.k8s.io/v1beta1
1660 name: tracespans.config.istio.io
1664 istio: mixer-instance
1666 group: config.istio.io
1675 kind: CustomResourceDefinition
1676 apiVersion: apiextensions.k8s.io/v1beta1
1678 name: serviceroles.config.istio.io
1681 package: istio.io.mixer
1684 group: config.istio.io
1687 plural: serviceroles
1688 singular: servicerole
1693 kind: CustomResourceDefinition
1694 apiVersion: apiextensions.k8s.io/v1beta1
1696 name: servicerolebindings.config.istio.io
1699 package: istio.io.mixer
1702 group: config.istio.io
1704 kind: ServiceRoleBinding
1705 plural: servicerolebindings
1706 singular: servicerolebinding
1711 # Source: istio/charts/pilot/templates/crds.yaml
# CustomResourceDefinitions for the Pilot chart. Three API groups are
# registered below: config.istio.io, networking.istio.io and
# authentication.istio.io.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters need these objects in the apiextensions.k8s.io/v1 schema.
1712 apiVersion: apiextensions.k8s.io/v1beta1
1713 kind: CustomResourceDefinition
1715 name: destinationpolicies.config.istio.io
1719 group: config.istio.io
1721 kind: DestinationPolicy
1722 listKind: DestinationPolicyList
1723 plural: destinationpolicies
1724 singular: destinationpolicy
1728 apiVersion: apiextensions.k8s.io/v1beta1
1729 kind: CustomResourceDefinition
1731 name: egressrules.config.istio.io
1735 group: config.istio.io
1738 listKind: EgressRuleList
1740 singular: egressrule
1744 apiVersion: apiextensions.k8s.io/v1beta1
1745 kind: CustomResourceDefinition
1747 name: routerules.config.istio.io
1751 group: config.istio.io
1754 listKind: RouteRuleList
# The networking.istio.io group starts here (virtualservices,
# destinationrules, serviceentries, gateways).
1760 apiVersion: apiextensions.k8s.io/v1beta1
1761 kind: CustomResourceDefinition
1763 name: virtualservices.networking.istio.io
1767 group: networking.istio.io
1769 kind: VirtualService
1770 listKind: VirtualServiceList
1771 plural: virtualservices
1772 singular: virtualservice
1776 apiVersion: apiextensions.k8s.io/v1beta1
1777 kind: CustomResourceDefinition
1779 name: destinationrules.networking.istio.io
1783 group: networking.istio.io
1785 kind: DestinationRule
1786 listKind: DestinationRuleList
1787 plural: destinationrules
1788 singular: destinationrule
1792 apiVersion: apiextensions.k8s.io/v1beta1
1793 kind: CustomResourceDefinition
1795 name: serviceentries.networking.istio.io
1799 group: networking.istio.io
1802 listKind: ServiceEntryList
1803 plural: serviceentries
1804 singular: serviceentry
1808 apiVersion: apiextensions.k8s.io/v1beta1
1809 kind: CustomResourceDefinition
1811 name: gateways.networking.istio.io
1815 group: networking.istio.io
# NOTE(review): policies.authentication.istio.io presumably carries the mesh
# authentication (mTLS) policy; treat write access to it as security-sensitive.
1823 kind: CustomResourceDefinition
1824 apiVersion: apiextensions.k8s.io/v1beta1
1826 name: policies.authentication.istio.io
1828 group: authentication.istio.io
1836 kind: CustomResourceDefinition
1837 apiVersion: apiextensions.k8s.io/v1beta1
1839 name: httpapispecbindings.config.istio.io
1841 group: config.istio.io
1843 kind: HTTPAPISpecBinding
1844 plural: httpapispecbindings
1845 singular: httpapispecbinding
1849 kind: CustomResourceDefinition
1850 apiVersion: apiextensions.k8s.io/v1beta1
1852 name: httpapispecs.config.istio.io
1854 group: config.istio.io
1857 plural: httpapispecs
1858 singular: httpapispec
1862 kind: CustomResourceDefinition
1863 apiVersion: apiextensions.k8s.io/v1beta1
1865 name: quotaspecbindings.config.istio.io
1867 group: config.istio.io
1869 kind: QuotaSpecBinding
1870 plural: quotaspecbindings
1871 singular: quotaspecbinding
1875 kind: CustomResourceDefinition
1876 apiVersion: apiextensions.k8s.io/v1beta1
1878 name: quotaspecs.config.istio.io
1880 group: config.istio.io
1890 # Source: istio/charts/mixer/templates/clusterrole.yaml
# RBAC rules for Mixer. The role istio-mixer-istio-system is bound to
# istio-mixer-service-account by a ClusterRoleBinding later in this file.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; use rbac.authorization.k8s.io/v1 on newer clusters.
1892 apiVersion: rbac.authorization.k8s.io/v1beta1
1895 name: istio-mixer-istio-system
# NOTE(review): if this object is a ClusterRole, as the template path
# suggests, it is cluster-scoped and metadata.namespace has no effect.
1896 namespace: istio-system
1901 release: RELEASE-NAME
1903 - apiGroups: ["config.istio.io"] # istio CRD watcher
1905 verbs: ["create", "get", "list", "watch", "patch"]
1906 - apiGroups: ["apiextensions.k8s.io"]
1907 resources: ["customresourcedefinitions"]
1908 verbs: ["get", "list", "watch"]
# NOTE(review): "secrets" in the list below gives Mixer get/list/watch on
# Secret contents wherever the role is bound; through a ClusterRoleBinding
# that means every namespace. Confirm Mixer needs it, or move Secret access
# into a namespaced Role.
1910 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
1911 verbs: ["get", "list", "watch"]
1914 # Source: istio/charts/pilot/templates/clusterrole.yaml
# RBAC rules for Pilot. The role istio-pilot-istio-system is bound to
# istio-pilot-service-account by a ClusterRoleBinding later in this file.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; use rbac.authorization.k8s.io/v1 on newer clusters.
1916 apiVersion: rbac.authorization.k8s.io/v1beta1
1919 name: istio-pilot-istio-system
1920 namespace: istio-system
1925 release: RELEASE-NAME
# NOTE(review): the resources and verbs for the three Istio API groups below
# are not visible in this listing; check them against least privilege.
1927 - apiGroups: ["config.istio.io"]
1930 - apiGroups: ["networking.istio.io"]
1933 - apiGroups: ["authentication.istio.io"]
1936 - apiGroups: ["apiextensions.k8s.io"]
1937 resources: ["customresourcedefinitions"]
1939 - apiGroups: ["extensions"]
1940 resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
# Pilot can create and update ConfigMaps; the other core resources are
# read-only (get/list/watch).
1943 resources: ["configmaps"]
1944 verbs: ["create", "get", "list", "watch", "update"]
1946 resources: ["endpoints", "pods", "services"]
1947 verbs: ["get", "list", "watch"]
# NOTE(review): this rule lets Pilot read Secrets and list Nodes wherever the
# role is bound (cluster-wide through a ClusterRoleBinding). Confirm the
# Secret access is required before deploying.
1949 resources: ["namespaces", "nodes", "secrets"]
1950 verbs: ["get", "list", "watch"]
1953 # Source: istio/charts/prometheus/templates/clusterrole.yaml
# RBAC for the bundled Prometheus: a role named prometheus-istio-system and
# the ClusterRoleBinding that attaches it to a ServiceAccount in istio-system.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; use rbac.authorization.k8s.io/v1 on newer clusters.
1956 apiVersion: rbac.authorization.k8s.io/v1beta1
1959 name: prometheus-istio-system
1960 namespace: istio-system
# NOTE(review): the resources this verb list applies to are not visible in
# this listing; verify that they are limited to what scraping needs.
1969 verbs: ["get", "list", "watch"]
# Non-resource rule covering the /metrics URL path.
1974 - nonResourceURLs: ["/metrics"]
1977 apiVersion: rbac.authorization.k8s.io/v1beta1
1978 kind: ClusterRoleBinding
1980 name: prometheus-istio-system
1981 namespace: istio-system
1983 apiGroup: rbac.authorization.k8s.io
1985 name: prometheus-istio-system
1987 - kind: ServiceAccount
1989 namespace: istio-system
1994 # Source: istio/charts/security/templates/clusterrole.yaml
# RBAC rules for Citadel (istio-citadel-istio-system) and for the one-shot
# cleanup Job (istio-cleanup-old-ca-istio-system).
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; use rbac.authorization.k8s.io/v1 on newer clusters.
1996 apiVersion: rbac.authorization.k8s.io/v1beta1
1999 name: istio-citadel-istio-system
2000 namespace: istio-system
2003 chart: security-0.8.0
2005 release: RELEASE-NAME
# NOTE(review): full read/write/delete on Secrets. Bound through the
# ClusterRoleBinding later in this file, istio-citadel-service-account can
# read or replace any Secret in the cluster, so a compromise of Citadel is a
# compromise of every Secret. Treat this account as a tier-0 identity and
# alert on unexpected use of its token.
2008 resources: ["secrets"]
2009 verbs: ["create", "get", "watch", "list", "update", "delete"]
2011 resources: ["serviceaccounts"]
2012 verbs: ["get", "watch", "list"]
2014 resources: ["services"]
2015 verbs: ["get", "watch", "list"]
2017 apiVersion: rbac.authorization.k8s.io/v1beta1
2020 name: istio-cleanup-old-ca-istio-system
2021 namespace: istio-system
2024 chart: security-0.8.0
2026 release: RELEASE-NAME
# NOTE(review): delete rights on deployments, serviceaccounts, services and
# replicasets are not restricted by resourceNames in the visible lines,
# although the cleanup Job only removes the istio-ca objects. Consider
# scoping the rules to those names and removing the role after install.
2029 resources: ["deployments", "serviceaccounts", "services"]
2030 verbs: ["get", "delete"]
2031 - apiGroups: ["extensions"]
2032 resources: ["deployments", "replicasets"]
2033 verbs: ["get", "list", "update", "delete"]
2036 # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
# RBAC rules for the sidecar injector webhook; bound to
# istio-sidecar-injector-service-account later in this file.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; use rbac.authorization.k8s.io/v1 on newer clusters.
2038 apiVersion: rbac.authorization.k8s.io/v1beta1
2041 name: istio-sidecar-injector-istio-system
2043 app: istio-sidecar-injector
2044 chart: sidecarInjectorWebhook-0.8.0
2046 release: RELEASE-NAME
2049 resources: ["configmaps"]
2050 verbs: ["get", "list", "watch"]
# NOTE(review): "patch" applies to every MutatingWebhookConfiguration in the
# cluster, not only istio-sidecar-injector (presumably it is used to keep
# that webhook's CA bundle current; confirm). Adding resourceNames would
# confine it to the one object.
2051 - apiGroups: ["admissionregistration.k8s.io"]
2052 resources: ["mutatingwebhookconfigurations"]
2053 verbs: ["get", "list", "watch", "patch"]
2056 # Source: istio/charts/mixer/templates/clusterrolebinding.yaml
# Binds the role istio-mixer-istio-system to istio-mixer-service-account in
# istio-system. As a ClusterRoleBinding it grants the role's rules in every
# namespace.
2058 apiVersion: rbac.authorization.k8s.io/v1beta1
2059 kind: ClusterRoleBinding
2061 name: istio-mixer-admin-role-binding-istio-system
2066 release: RELEASE-NAME
2068 apiGroup: rbac.authorization.k8s.io
2070 name: istio-mixer-istio-system
2072 - kind: ServiceAccount
2073 name: istio-mixer-service-account
2074 namespace: istio-system
2077 # Source: istio/charts/pilot/templates/clusterrolebinding.yaml
# Binds the role istio-pilot-istio-system to istio-pilot-service-account in
# istio-system. As a ClusterRoleBinding it grants the role's rules in every
# namespace.
2079 apiVersion: rbac.authorization.k8s.io/v1beta1
2080 kind: ClusterRoleBinding
2082 name: istio-pilot-istio-system
2087 release: RELEASE-NAME
2089 apiGroup: rbac.authorization.k8s.io
2091 name: istio-pilot-istio-system
2093 - kind: ServiceAccount
2094 name: istio-pilot-service-account
2095 namespace: istio-system
2098 # Source: istio/charts/security/templates/clusterrolebinding.yaml
# Two bindings: Citadel's role to istio-citadel-service-account, and the
# cleanup role to istio-cleanup-old-ca-service-account.
# NOTE(review): the Citadel binding is what makes the Secret write access in
# istio-citadel-istio-system cluster-wide.
2100 apiVersion: rbac.authorization.k8s.io/v1beta1
2101 kind: ClusterRoleBinding
2103 name: istio-citadel-istio-system
2106 chart: security-0.8.0
2108 release: RELEASE-NAME
2110 apiGroup: rbac.authorization.k8s.io
2112 name: istio-citadel-istio-system
2114 - kind: ServiceAccount
2115 name: istio-citadel-service-account
2116 namespace: istio-system
# NOTE(review): no Helm hook annotation is visible on this binding, so it
# presumably stays in place after the cleanup Job has run; confirm, and
# remove it once the old CA objects are gone.
2118 apiVersion: rbac.authorization.k8s.io/v1beta1
2121 name: istio-cleanup-old-ca-istio-system
2122 namespace: istio-system
2125 chart: security-0.8.0
2127 release: RELEASE-NAME
2129 apiGroup: rbac.authorization.k8s.io
2131 name: istio-cleanup-old-ca-istio-system
2133 - kind: ServiceAccount
2134 name: istio-cleanup-old-ca-service-account
2135 namespace: istio-system
2138 # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
# Binds the role istio-sidecar-injector-istio-system to
# istio-sidecar-injector-service-account in istio-system.
2140 apiVersion: rbac.authorization.k8s.io/v1beta1
2141 kind: ClusterRoleBinding
2143 name: istio-sidecar-injector-admin-role-binding-istio-system
2145 app: istio-sidecar-injector
2146 chart: sidecarInjectorWebhook-0.8.0
2148 release: RELEASE-NAME
2150 apiGroup: rbac.authorization.k8s.io
2152 name: istio-sidecar-injector-istio-system
2154 - kind: ServiceAccount
2155 name: istio-sidecar-injector-service-account
2156 namespace: istio-system
2158 # Source: istio/charts/egressgateway/templates/service.yaml
2162 name: istio-egressgateway
2163 namespace: istio-system
2165 chart: egressgateway-0.8.0
2166 release: RELEASE-NAME
2168 istio: egressgateway
2172 istio: egressgateway
2182 # Source: istio/charts/grafana/templates/service.yaml
# Service fronting the Grafana add-on in istio-system.
2187 namespace: istio-system
# NOTE(review): this annotation appears to switch Istio authentication
# (mutual TLS) off for port 3000, leaving Grafana reachable in plain text
# from inside the mesh. Confirm that is intended and restrict access to the
# port, e.g. with a NetworkPolicy.
2189 auth.istio.io/3000: NONE
2192 chart: grafana-0.1.0
2193 release: RELEASE-NAME
2207 # Source: istio/charts/ingressgateway/templates/service.yaml
2211 name: istio-ingressgateway
2212 namespace: istio-system
2214 chart: ingressgateway-0.8.0
2215 release: RELEASE-NAME
2217 istio: ingressgateway
2221 istio: ingressgateway
2237 # Source: istio/charts/mixer/templates/service.yaml
2243 namespace: istio-system
2246 release: RELEASE-NAME
2252 - name: grpc-mixer-mtls
2254 - name: http-monitoring
2258 istio-mixer-type: policy
2263 name: istio-telemetry
2264 namespace: istio-system
2267 release: RELEASE-NAME
2273 - name: grpc-mixer-mtls
2275 - name: http-monitoring
2281 istio-mixer-type: telemetry
2285 # Source: istio/charts/mixer/templates/statsdtoprom.yaml
# Service and Deployment for the statsd-to-Prometheus bridge. The gateways in
# this file send statsd traffic to istio-statsd-prom-bridge:9125.
2291 name: istio-statsd-prom-bridge
2292 namespace: istio-system
2295 release: RELEASE-NAME
2296 istio: statsd-prom-bridge
2305 istio: statsd-prom-bridge
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
2309 apiVersion: extensions/v1beta1
2312 name: istio-statsd-prom-bridge
2313 namespace: istio-system
2316 release: RELEASE-NAME
2322 istio: statsd-prom-bridge
2324 sidecar.istio.io/inject: "false"
# NOTE(review): the bridge runs under Mixer's service account and so inherits
# Mixer's RBAC, including its Secret read access. A dedicated service account
# with no API permissions would reduce exposure.
2326 serviceAccountName: istio-mixer-service-account
2328 - name: config-volume
2330 name: istio-statsd-prom-bridge
2332 - name: statsd-prom-bridge
# NOTE(review): ":latest" is a mutable tag, and with IfNotPresent each node
# keeps whatever image it pulled first, so replicas can run different builds
# and upstream changes arrive unreviewed. Pin a version tag or, better, an
# image digest.
2333 image: "prom/statsd-exporter:latest"
2334 imagePullPolicy: IfNotPresent
2336 - containerPort: 9102
2337 - containerPort: 9125
2340 - '-statsd.mapping-config=/etc/statsd/mapping.conf'
2345 - name: config-volume
2346 mountPath: /etc/statsd
2349 # Source: istio/charts/pilot/templates/service.yaml
# Service exposing Pilot's discovery and monitoring ports. The inline
# comments record which ports carry mTLS and which are plain text.
# NOTE(review): the ports marked "always plain-text" and "direct" serve mesh
# configuration without transport authentication; limit who can reach them
# (NetworkPolicy) or drop them if clients can use the mTLS ports.
2354 namespace: istio-system
2358 release: RELEASE-NAME
2363 name: http-old-discovery # mTLS or non-mTLS depending on auth setting
2365 name: https-discovery # always mTLS
2367 name: http-discovery # always plain-text
2369 name: grpc-xds # direct
2371 name: https-xds # mTLS
2373 name: http-legacy-discovery # direct
2375 name: http-monitoring
2380 # Source: istio/charts/prometheus/templates/service.yaml
2385 namespace: istio-system
2387 prometheus.io/scrape: 'true'
2394 - name: http-prometheus
2399 # Source: istio/charts/security/templates/service.yaml
# Service for Citadel with a gRPC port (grpc-citadel) and a monitoring port.
# NOTE(review): the two comment lines below mention prometheus and grafana
# and look carried over from another template; they do not describe this
# Service.
2403 # we use the normal name here (e.g. 'prometheus')
2404 # as grafana is configured to use this as a data source
2406 namespace: istio-system
2411 - name: grpc-citadel
2415 - name: http-monitoring
2421 # Source: istio/charts/servicegraph/templates/service.yaml
2426 namespace: istio-system
2429 chart: servicegraph-0.1.0
2430 release: RELEASE-NAME
2444 # Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
2448 name: istio-sidecar-injector
2449 namespace: istio-system
2451 istio: sidecar-injector
2456 istio: sidecar-injector
2459 # Source: istio/charts/egressgateway/templates/deployment.yaml
# Deployment of the egress gateway proxy (image istio/proxyv2:0.8.0).
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
2460 apiVersion: extensions/v1beta1
2463 name: istio-egressgateway
2464 namespace: istio-system
2467 chart: egressgateway-0.8.0
2468 release: RELEASE-NAME
2470 istio: egressgateway
2476 istio: egressgateway
# The gateway is itself a proxy, so sidecar injection is switched off.
2478 sidecar.istio.io/inject: "false"
2480 serviceAccountName: istio-egressgateway-service-account
2482 - name: egressgateway
2483 image: "docker.io/istio/proxyv2:0.8.0"
2484 imagePullPolicy: IfNotPresent
2487 - containerPort: 443
2493 - --discoveryRefreshDelay
2494 - '1s' #discoveryRefreshDelay
2496 - '45s' #drainDuration
2497 - --parentShutdownDuration
2498 - '1m0s' #parentShutdownDuration
2500 - '10s' #connectTimeout
2502 - istio-egressgateway
2505 - --statsdUdpAddress
2506 - istio-statsd-prom-bridge:9125
# NOTE(review): the value passed to --controlPlaneAuthPolicy is not visible
# in this listing; it decides whether the proxy authenticates to Pilot.
2509 - --controlPlaneAuthPolicy
2511 - --discoveryAddress
2521 fieldPath: metadata.name
2522 - name: POD_NAMESPACE
2526 fieldPath: metadata.namespace
2530 fieldPath: status.podIP
2531 - name: ISTIO_META_POD_NAME
2534 fieldPath: metadata.name
2537 mountPath: /etc/certs
# NOTE(review): other workloads in this file mount "istio.<service account>"
# (e.g. istio.istio-pilot-service-account), but here the secret is named for
# the "default" account while the pod runs as
# istio-egressgateway-service-account. Confirm which identity the gateway is
# meant to present.
2542 secretName: "istio.default"
2546 requiredDuringSchedulingIgnoredDuringExecution:
2549 - key: beta.kubernetes.io/arch
2555 preferredDuringSchedulingIgnoredDuringExecution:
2559 - key: beta.kubernetes.io/arch
2566 - key: beta.kubernetes.io/arch
2573 - key: beta.kubernetes.io/arch
2579 # Source: istio/charts/grafana/templates/deployment.yaml
# Deployment of the Grafana add-on (image istio/grafana:0.8.0) on port 3000.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
2580 apiVersion: extensions/v1beta1
2584 namespace: istio-system
2587 chart: grafana-0.1.0
2588 release: RELEASE-NAME
2597 sidecar.istio.io/inject: "false"
2601 image: "docker.io/istio/grafana:0.8.0"
2602 imagePullPolicy: IfNotPresent
2604 - containerPort: 3000
2610 - name: GRAFANA_PORT
# NOTE(review): the values of the three GF_AUTH_* variables are not visible
# in this listing. If anonymous access is enabled with an editing or admin
# role, anyone who can reach port 3000 can change dashboards and data
# sources; check the values and keep the Service off untrusted networks.
2612 - name: GF_AUTH_BASIC_ENABLED
2614 - name: GF_AUTH_ANONYMOUS_ENABLED
2616 - name: GF_AUTH_ANONYMOUS_ORG_ROLE
2618 - name: GF_PATHS_DATA
2619 value: /data/grafana
2625 mountPath: /data/grafana
2628 requiredDuringSchedulingIgnoredDuringExecution:
2631 - key: beta.kubernetes.io/arch
2637 preferredDuringSchedulingIgnoredDuringExecution:
2641 - key: beta.kubernetes.io/arch
2648 - key: beta.kubernetes.io/arch
2655 - key: beta.kubernetes.io/arch
2663 # Source: istio/charts/ingressgateway/templates/deployment.yaml
# Deployment of the ingress gateway proxy (image istio/proxyv2:0.8.0), the
# mesh's externally facing entry point.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
2664 apiVersion: extensions/v1beta1
2667 name: istio-ingressgateway
2668 namespace: istio-system
2671 chart: ingressgateway-0.8.0
2672 release: RELEASE-NAME
2674 istio: ingressgateway
2680 istio: ingressgateway
2682 sidecar.istio.io/inject: "false"
2684 serviceAccountName: istio-ingressgateway-service-account
2686 - name: ingressgateway
2687 image: "docker.io/istio/proxyv2:0.8.0"
2688 imagePullPolicy: IfNotPresent
2691 - containerPort: 443
2692 - containerPort: 31400
2698 - --discoveryRefreshDelay
2699 - '1s' #discoveryRefreshDelay
2701 - '45s' #drainDuration
2702 - --parentShutdownDuration
2703 - '1m0s' #parentShutdownDuration
2705 - '10s' #connectTimeout
2707 - istio-ingressgateway
2710 - --statsdUdpAddress
2711 - istio-statsd-prom-bridge:9125
# NOTE(review): the value passed to --controlPlaneAuthPolicy is not visible
# in this listing; it decides whether the proxy authenticates to Pilot.
2714 - --controlPlaneAuthPolicy
2716 - --discoveryAddress
2726 fieldPath: metadata.name
2727 - name: POD_NAMESPACE
2731 fieldPath: metadata.namespace
2736 fieldPath: status.podIP
2737 - name: ISTIO_META_POD_NAME
2740 fieldPath: metadata.name
2743 mountPath: /etc/certs
2745 - name: ingressgateway-certs
2746 mountPath: "/etc/istio/ingressgateway-certs"
# NOTE(review): other workloads in this file mount "istio.<service account>",
# but here the secret is named for the "default" account while the pod runs
# as istio-ingressgateway-service-account. Confirm which identity the gateway
# is meant to present.
2751 secretName: "istio.default"
2753 - name: ingressgateway-certs
# Secret holding the gateway's serving certificate and key; limit who can
# read or write it in istio-system.
2755 secretName: "istio-ingressgateway-certs"
2759 requiredDuringSchedulingIgnoredDuringExecution:
2762 - key: beta.kubernetes.io/arch
2768 preferredDuringSchedulingIgnoredDuringExecution:
2772 - key: beta.kubernetes.io/arch
2779 - key: beta.kubernetes.io/arch
2786 - key: beta.kubernetes.io/arch
2792 # Source: istio/charts/mixer/templates/deployment.yaml
# Two Mixer Deployments, labelled istio-mixer-type policy and telemetry. Each
# pod runs a mixer container and an istio/proxyv2 container, and both use
# istio-mixer-service-account.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
2794 apiVersion: extensions/v1beta1
2798 namespace: istio-system
2801 release: RELEASE-NAME
2809 istio-mixer-type: policy
2811 sidecar.istio.io/inject: "false"
2813 serviceAccountName: istio-mixer-service-account
2817 secretName: istio.istio-mixer-service-account
2821 requiredDuringSchedulingIgnoredDuringExecution:
2824 - key: beta.kubernetes.io/arch
2830 preferredDuringSchedulingIgnoredDuringExecution:
2834 - key: beta.kubernetes.io/arch
2841 - key: beta.kubernetes.io/arch
2848 - key: beta.kubernetes.io/arch
2854 image: "docker.io/istio/mixer:0.8.0"
2855 imagePullPolicy: IfNotPresent
2857 - containerPort: 9092
2858 - containerPort: 9093
2859 - containerPort: 42422
# Loopback address: presumably Mixer's listen address, so that outside
# traffic has to arrive through the proxy container (TODO confirm).
2862 - tcp://127.0.0.1:9092
2863 - --configStoreURL=k8s://
2864 - --configDefaultNamespace=istio-system
# NOTE(review): trace spans are sent over plain HTTP; span data can include
# request paths and headers, so keep this hop on a trusted network.
2865 - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
2870 image: "docker.io/istio/proxyv2:0.8.0"
2871 imagePullPolicy: IfNotPresent
2873 - containerPort: 9091
2874 - containerPort: 15004
2880 - /etc/istio/proxy/envoy_policy.yaml.tmpl
2881 - --controlPlaneAuthPolicy
2888 fieldPath: metadata.name
2889 - name: POD_NAMESPACE
2893 fieldPath: metadata.namespace
2898 fieldPath: status.podIP
2906 mountPath: /etc/certs
# Second Deployment: the telemetry instance, configured like the policy one.
2910 apiVersion: extensions/v1beta1
2913 name: istio-telemetry
2914 namespace: istio-system
2917 release: RELEASE-NAME
2925 istio-mixer-type: telemetry
2927 sidecar.istio.io/inject: "false"
2929 serviceAccountName: istio-mixer-service-account
2933 secretName: istio.istio-mixer-service-account
2937 image: "docker.io/istio/mixer:0.8.0"
2938 imagePullPolicy: IfNotPresent
2940 - containerPort: 9092
2941 - containerPort: 9093
2942 - containerPort: 42422
2945 - tcp://127.0.0.1:9092
2946 - --configStoreURL=k8s://
2947 - --configDefaultNamespace=istio-system
2948 - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
2953 image: "docker.io/istio/proxyv2:0.8.0"
2954 imagePullPolicy: IfNotPresent
2956 - containerPort: 9091
2957 - containerPort: 15004
2963 - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
2964 - --controlPlaneAuthPolicy
2971 fieldPath: metadata.name
2972 - name: POD_NAMESPACE
2976 fieldPath: metadata.namespace
2981 fieldPath: status.podIP
2989 mountPath: /etc/certs
2995 # Source: istio/charts/pilot/templates/deployment.yaml
# Deployment of Pilot: a discovery container (istio/pilot:0.8.0) plus an
# istio/proxyv2 container, running as istio-pilot-service-account.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
2996 apiVersion: extensions/v1beta1
3000 namespace: istio-system
3001 # TODO: default template doesn't have this, which one is right?
3005 release: RELEASE-NAME
# Hash of the rendered config volume; presumably it changes when the
# ConfigMap changes, so that the pods are rolled.
3009 checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
3017 sidecar.istio.io/inject: "false"
3019 serviceAccountName: istio-pilot-service-account
3022 image: "docker.io/istio/pilot:0.8.0"
3023 imagePullPolicy: IfNotPresent
3026 # TODO(sdake) remove when secrets are automagically registered
# NOTE(review): the Pilot Service in this file labels some discovery ports
# "always plain-text" / "direct"; confirm which of the container ports below
# those are and restrict access to them.
3028 - containerPort: 8080
3029 - containerPort: 15010
3032 path: /v1/registration
3034 initialDelaySeconds: 30
3042 fieldPath: metadata.name
3043 - name: POD_NAMESPACE
3047 fieldPath: metadata.namespace
3048 - name: PILOT_THROTTLE
3050 - name: PILOT_CACHE_SQUASH
3056 - name: config-volume
3057 mountPath: /etc/istio/config
3059 mountPath: /etc/certs
3062 image: "docker.io/istio/proxyv2:0.8.0"
3063 imagePullPolicy: IfNotPresent
3065 - containerPort: 15003
3066 - containerPort: 15005
3067 - containerPort: 15007
3068 - containerPort: 15011
3074 - /etc/istio/proxy/envoy_pilot.yaml.tmpl
3075 - --controlPlaneAuthPolicy
3082 fieldPath: metadata.name
3083 - name: POD_NAMESPACE
3087 fieldPath: metadata.namespace
3092 fieldPath: status.podIP
3100 mountPath: /etc/certs
3103 - name: config-volume
# Secret named for Pilot's own service account.
3108 secretName: "istio.istio-pilot-service-account"
3111 requiredDuringSchedulingIgnoredDuringExecution:
3114 - key: beta.kubernetes.io/arch
3120 preferredDuringSchedulingIgnoredDuringExecution:
3124 - key: beta.kubernetes.io/arch
3131 - key: beta.kubernetes.io/arch
3138 - key: beta.kubernetes.io/arch
3144 # Source: istio/charts/prometheus/templates/deployment.yaml
# Deployment of the bundled Prometheus, running as service account
# "prometheus" and listening on port 9090.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
3145 # TODO: the original template has service account, roles, etc
3146 apiVersion: extensions/v1beta1
3150 namespace: istio-system
3153 chart: prometheus-0.1.0
3154 release: RELEASE-NAME
3166 sidecar.istio.io/inject: "false"
3168 serviceAccountName: prometheus
# NOTE(review): ":latest" is a mutable tag, and with IfNotPresent each node
# keeps whatever image it pulled first, so the running version is neither
# reproducible nor reviewed. Pin a version tag or, better, an image digest.
3172 image: "docker.io/prom/prometheus:latest"
3173 imagePullPolicy: IfNotPresent
3175 - '--storage.tsdb.retention=6h'
3176 - '--config.file=/etc/prometheus/prometheus.yml'
3178 - containerPort: 9090
3192 - name: config-volume
3193 mountPath: /etc/prometheus
3195 - name: config-volume
3200 requiredDuringSchedulingIgnoredDuringExecution:
3203 - key: beta.kubernetes.io/arch
3209 preferredDuringSchedulingIgnoredDuringExecution:
3213 - key: beta.kubernetes.io/arch
3220 - key: beta.kubernetes.io/arch
3227 - key: beta.kubernetes.io/arch
3233 # Source: istio/charts/security/templates/deployment.yaml
# Deployment of Citadel (image istio/citadel:0.8.0), the mesh certificate
# authority, running as istio-citadel-service-account.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
3234 # istio CA watching all namespaces
3235 apiVersion: extensions/v1beta1
3239 namespace: istio-system
3242 chart: security-0.8.0
3243 release: RELEASE-NAME
3253 sidecar.istio.io/inject: "false"
3255 serviceAccountName: istio-citadel-service-account
3258 image: "docker.io/istio/citadel:0.8.0"
3259 imagePullPolicy: IfNotPresent
3261 - --append-dns-names=true
3263 - --grpc-hostname=citadel
# NOTE(review): with a self-signed CA the mesh root of trust is created by
# Citadel itself, and its key material is presumably kept in the storage
# namespace named on the next flag. Anyone able to read Secrets in
# istio-system could then issue workload identities. For production, supply
# a CA chained to an organisational root and restrict and audit Secret
# access in that namespace.
3264 - --self-signed-ca=true
3265 - --citadel-storage-namespace=istio-system
3271 requiredDuringSchedulingIgnoredDuringExecution:
3274 - key: beta.kubernetes.io/arch
3280 preferredDuringSchedulingIgnoredDuringExecution:
3284 - key: beta.kubernetes.io/arch
3291 - key: beta.kubernetes.io/arch
3298 - key: beta.kubernetes.io/arch
3304 # Source: istio/charts/servicegraph/templates/deployment.yaml
# Deployment of the servicegraph add-on (image istio/servicegraph:0.8.0) on
# port 8088; it reads metrics from Prometheus.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
3305 apiVersion: extensions/v1beta1
3309 namespace: istio-system
3312 chart: servicegraph-0.1.0
3313 release: RELEASE-NAME
3322 sidecar.istio.io/inject: "false"
3325 - name: servicegraph
3326 image: "docker.io/istio/servicegraph:0.8.0"
3327 imagePullPolicy: IfNotPresent
3329 - containerPort: 8088
# Prometheus is queried over plain HTTP inside the cluster.
3331 - --prometheusAddr=http://prometheus:9090
3345 requiredDuringSchedulingIgnoredDuringExecution:
3348 - key: beta.kubernetes.io/arch
3354 preferredDuringSchedulingIgnoredDuringExecution:
3358 - key: beta.kubernetes.io/arch
3365 - key: beta.kubernetes.io/arch
3372 - key: beta.kubernetes.io/arch
3378 # Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
# Deployment of the sidecar injector, the server behind the
# istio-sidecar-injector MutatingWebhookConfiguration in this file.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
3379 apiVersion: extensions/v1beta1
3382 name: istio-sidecar-injector
3383 namespace: istio-system
3385 app: sidecarInjectorWebhook
3386 chart: sidecarInjectorWebhook-0.8.0
3387 release: RELEASE-NAME
3389 istio: sidecar-injector
3395 istio: sidecar-injector
3397 serviceAccountName: istio-sidecar-injector-service-account
3399 - name: sidecar-injector-webhook
3400 image: "docker.io/istio/sidecar_injector:0.8.0"
3401 imagePullPolicy: IfNotPresent
# The webhook's TLS certificate, key and CA are read from /etc/istio/certs.
3403 - --caCertFile=/etc/istio/certs/root-cert.pem
3404 - --tlsCertFile=/etc/istio/certs/cert-chain.pem
3405 - --tlsKeyFile=/etc/istio/certs/key.pem
# NOTE(review): the inject config decides what is added to every injected
# pod, so write access to the istio-sidecar-injector ConfigMap is equivalent
# to changing the pod spec of every workload in labelled namespaces. Restrict
# and audit edits to it.
3406 - --injectConfig=/etc/istio/inject/config
3407 - --meshConfig=/etc/istio/config/mesh
3408 - --healthCheckInterval=2s
3409 - --healthCheckFile=/health
3411 - name: config-volume
3412 mountPath: /etc/istio/config
3415 mountPath: /etc/istio/certs
3417 - name: inject-config
3418 mountPath: /etc/istio/inject
3423 - /usr/local/bin/sidecar-injector
3425 - --probe-path=/health
3427 initialDelaySeconds: 4
3432 - /usr/local/bin/sidecar-injector
3434 - --probe-path=/health
3436 initialDelaySeconds: 4
3439 - name: config-volume
3444 secretName: istio.istio-sidecar-injector-service-account
3445 - name: inject-config
3447 name: istio-sidecar-injector
3453 requiredDuringSchedulingIgnoredDuringExecution:
3456 - key: beta.kubernetes.io/arch
3462 preferredDuringSchedulingIgnoredDuringExecution:
3466 - key: beta.kubernetes.io/arch
3473 - key: beta.kubernetes.io/arch
3480 - key: beta.kubernetes.io/arch
3486 # Source: istio/charts/tracing/templates/deployment.yaml
# Deployment of the tracing add-on using the Jaeger all-in-one image.
# NOTE(review): Deployment under extensions/v1beta1 was removed in Kubernetes
# 1.16; use apps/v1 on newer clusters.
3487 apiVersion: extensions/v1beta1
3491 namespace: istio-system
3494 chart: tracing-0.1.0
3495 release: RELEASE-NAME
3504 sidecar.istio.io/inject: "false"
# NOTE(review): the all-in-one image bundles collector, query UI and storage
# in one process, and the MEMORY_MAX_TRACES variable below suggests in-memory
# storage. Traces can contain request paths and headers, and no
# authentication for the exposed ports is configured in the visible lines;
# keep this Service internal.
3508 image: "jaegertracing/all-in-one:1.5"
3509 imagePullPolicy: IfNotPresent
3511 - containerPort: 9411
3512 - containerPort: 16686
3513 - containerPort: 5775
3515 - containerPort: 6831
3517 - containerPort: 6832
3520 - name: POD_NAMESPACE
3524 fieldPath: metadata.namespace
3525 - name: COLLECTOR_ZIPKIN_HTTP_PORT
3527 - name: MEMORY_MAX_TRACES
3542 requiredDuringSchedulingIgnoredDuringExecution:
3545 - key: beta.kubernetes.io/arch
3551 preferredDuringSchedulingIgnoredDuringExecution:
3555 - key: beta.kubernetes.io/arch
3562 - key: beta.kubernetes.io/arch
3569 - key: beta.kubernetes.io/arch
3575 # Source: istio/charts/security/templates/cleanup-old-ca.yaml
# One-shot Job that deletes the pre-Citadel CA objects (deployment istio-ca,
# service account istio-ca-service-account, service istio-ca-ilb) from
# istio-system when they exist.
3577 apiVersion: batch/v1
3580 name: istio-cleanup-old-ca
3581 namespace: istio-system
# Helm hook: runs after install; the Job is deleted once it succeeds.
3583 "helm.sh/hook": post-install
3584 "helm.sh/hook-delete-policy": hook-succeeded
3587 chart: security-0.8.0
3588 release: RELEASE-NAME
3593 name: istio-cleanup-old-ca
3596 release: RELEASE-NAME
# NOTE(review): this account holds the delete rights granted by the role
# istio-cleanup-old-ca-istio-system. Only the Job itself carries hook
# annotations in this listing, so the account, role and binding presumably
# remain after the Job is removed; confirm and clean them up.
3598 serviceAccountName: istio-cleanup-old-ca-service-account
# NOTE(review): the script below relies on the kubectl binary shipped in this
# image. The tag is old and not pinned by digest; check that it is compatible
# with the target cluster and comes from a registry you trust.
3601 image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0"
3606 NS="-n istio-system";
3607 ./kubectl get deploy istio-ca $NS;
3608 if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi;
3609 ./kubectl get serviceaccount istio-ca-service-account $NS;
3610 if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi;
3611 ./kubectl get service istio-ca-ilb $NS;
3612 if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi
3613 restartPolicy: Never
3615 # Source: istio/charts/egressgateway/templates/autoscale.yaml
# HorizontalPodAutoscaler for istio-egressgateway with a target average
# utilization of 80.
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25 and
# apps/v1beta1 (the scale target's API version) in 1.16; use autoscaling/v2
# and apps/v1 on newer clusters.
3617 apiVersion: autoscaling/v2beta1
3618 kind: HorizontalPodAutoscaler
3620 name: istio-egressgateway
3621 namespace: istio-system
3626 apiVersion: apps/v1beta1
3628 name: istio-egressgateway
3633 targetAverageUtilization: 80
3637 # Source: istio/charts/ingressgateway/templates/autoscale.yaml
# HorizontalPodAutoscaler for istio-ingressgateway with a target average
# utilization of 80.
# NOTE(review): autoscaling/v2beta1 was removed in Kubernetes 1.25 and
# apps/v1beta1 (the scale target's API version) in 1.16; use autoscaling/v2
# and apps/v1 on newer clusters.
3639 apiVersion: autoscaling/v2beta1
3640 kind: HorizontalPodAutoscaler
3642 name: istio-ingressgateway
3643 namespace: istio-system
3648 apiVersion: apps/v1beta1
3650 name: istio-ingressgateway
3655 targetAverageUtilization: 80
3659 # Source: istio/charts/tracing/templates/service.yaml
3667 namespace: istio-system
3670 chart: tracing-0.1.0
3671 release: RELEASE-NAME
3687 namespace: istio-system
3690 chart: tracing-0.1.0
3691 release: RELEASE-NAME
3705 # Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
# Registers the sidecar injector as a mutating admission webhook: CREATE
# operations in namespaces labelled istio-injection=enabled are sent to the
# istio-sidecar-injector Service in istio-system.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22; use admissionregistration.k8s.io/v1 on newer clusters.
3706 apiVersion: admissionregistration.k8s.io/v1beta1
3707 kind: MutatingWebhookConfiguration
3709 name: istio-sidecar-injector
# MutatingWebhookConfiguration is cluster-scoped, so metadata.namespace has
# no effect here.
3710 namespace: istio-system
3712 app: istio-sidecar-injector
3713 chart: sidecarInjectorWebhook-0.8.0
3714 release: RELEASE-NAME
3717 - name: sidecar-injector.istio.io
3720 name: istio-sidecar-injector
3721 namespace: istio-system
# NOTE(review): failurePolicy is not visible in this listing. Check whether
# pod creation fails closed or open when the injector is unreachable; open
# means workloads can start without a sidecar.
3725 - operations: [ "CREATE" ]
# NOTE(review): injection is opted into per namespace through this label, so
# permission to label namespaces also controls which workloads are mutated.
3732 istio-injection: enabled
3735 # Source: istio/charts/grafana/templates/ingress.yaml
3738 # Source: istio/charts/mixer/templates/config.yaml
3742 # Source: istio/charts/prometheus/templates/ingress.yaml
3745 # Source: istio/charts/servicegraph/templates/ingress.yaml
3748 # Source: istio/charts/tracing/templates/ingress.yaml
3751 # Source: istio/charts/tracing/templates/service-jaeger.yaml