3. Install all the Istio Custom Resource Definitions (CRDs) using kubectl apply
- “helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -”.
+ “helm template istio-init --name istio-init --namespace istio-system | kubectl apply -f -”.
4. Verify that all 53 Istio CRDs were committed to the Kubernetes api-server using the following command:
5. Install istio with the sds as the configuration profile.
- “helm template install/kubernetes/helm/istio --name istio --namespace istio-system --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl apply -f -”
+ “helm template istio --name istio --namespace istio-system --values istio/values-istio-sds-auth.yaml | kubectl apply -f -”
6. Verify the Installation
--- /dev/null
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ istio-injection: disabled
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: virtualservices.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ singular: virtualservice
+ shortNames:
+ - vs
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.gateways
+ description: The names of gateways and sidecars that should apply these routes
+ name: Gateways
+ type: string
+ - JSONPath: .spec.hosts
+ description: The destination hosts to which traffic is being sent
+ name: Hosts
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationrules.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ singular: destinationrule
+ shortNames:
+ - dr
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.host
+ description: The name of a service from the service registry
+ name: Host
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceentries.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ singular: serviceentry
+ shortNames:
+ - se
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.hosts
+ description: The hosts associated with the ServiceEntry
+ name: Hosts
+ type: string
+ - JSONPath: .spec.location
+ description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)
+ name: Location
+ type: string
+ - JSONPath: .spec.resolution
+ description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
+ name: Resolution
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: gateways.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: Gateway
+ plural: gateways
+ singular: gateway
+ shortNames:
+ - gw
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: envoyfilters.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: EnvoyFilter
+ plural: envoyfilters
+ singular: envoyfilter
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: clusterrbacconfigs.rbac.istio.io
+ labels:
+ app: istio-pilot
+ istio: rbac
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ClusterRbacConfig
+ plural: clusterrbacconfigs
+ singular: clusterrbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Cluster
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: policies.authentication.istio.io
+ labels:
+ app: istio-citadel
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: authentication.istio.io
+ names:
+ kind: Policy
+ plural: policies
+ singular: policy
+ categories:
+ - istio-io
+ - authentication-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: meshpolicies.authentication.istio.io
+ labels:
+ app: istio-citadel
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: authentication.istio.io
+ names:
+ kind: MeshPolicy
+ listKind: MeshPolicyList
+ plural: meshpolicies
+ singular: meshpolicy
+ categories:
+ - istio-io
+ - authentication-istio-io
+ scope: Cluster
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecbindings.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpecBinding
+ plural: httpapispecbindings
+ singular: httpapispecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecs.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpec
+ plural: httpapispecs
+ singular: httpapispec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecbindings.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpecBinding
+ plural: quotaspecbindings
+ singular: quotaspecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecs.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpec
+ plural: quotaspecs
+ singular: quotaspec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rules.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: rule
+ plural: rules
+ singular: rule
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: attributemanifests.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: attributemanifest
+ plural: attributemanifests
+ singular: attributemanifest
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: bypasses.config.istio.io
+ labels:
+ app: mixer
+ package: bypass
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: bypass
+ plural: bypasses
+ singular: bypass
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: circonuses.config.istio.io
+ labels:
+ app: mixer
+ package: circonus
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: circonus
+ plural: circonuses
+ singular: circonus
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: deniers.config.istio.io
+ labels:
+ app: mixer
+ package: denier
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: denier
+ plural: deniers
+ singular: denier
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: fluentds.config.istio.io
+ labels:
+ app: mixer
+ package: fluentd
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: fluentd
+ plural: fluentds
+ singular: fluentd
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: kubernetesenvs.config.istio.io
+ labels:
+ app: mixer
+ package: kubernetesenv
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: kubernetesenv
+ plural: kubernetesenvs
+ singular: kubernetesenv
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: listcheckers.config.istio.io
+ labels:
+ app: mixer
+ package: listchecker
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: listchecker
+ plural: listcheckers
+ singular: listchecker
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: memquotas.config.istio.io
+ labels:
+ app: mixer
+ package: memquota
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: memquota
+ plural: memquotas
+ singular: memquota
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: noops.config.istio.io
+ labels:
+ app: mixer
+ package: noop
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: noop
+ plural: noops
+ singular: noop
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: opas.config.istio.io
+ labels:
+ app: mixer
+ package: opa
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: opa
+ plural: opas
+ singular: opa
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: prometheuses.config.istio.io
+ labels:
+ app: mixer
+ package: prometheus
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: prometheus
+ plural: prometheuses
+ singular: prometheus
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rbacs.config.istio.io
+ labels:
+ app: mixer
+ package: rbac
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: rbac
+ plural: rbacs
+ singular: rbac
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: redisquotas.config.istio.io
+ labels:
+ app: mixer
+ package: redisquota
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: redisquota
+ plural: redisquotas
+ singular: redisquota
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: signalfxs.config.istio.io
+ labels:
+ app: mixer
+ package: signalfx
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: signalfx
+ plural: signalfxs
+ singular: signalfx
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: solarwindses.config.istio.io
+ labels:
+ app: mixer
+ package: solarwinds
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: solarwinds
+ plural: solarwindses
+ singular: solarwinds
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: stackdrivers.config.istio.io
+ labels:
+ app: mixer
+ package: stackdriver
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: stackdriver
+ plural: stackdrivers
+ singular: stackdriver
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: statsds.config.istio.io
+ labels:
+ app: mixer
+ package: statsd
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: statsd
+ plural: statsds
+ singular: statsd
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: stdios.config.istio.io
+ labels:
+ app: mixer
+ package: stdio
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: stdio
+ plural: stdios
+ singular: stdio
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: apikeys.config.istio.io
+ labels:
+ app: mixer
+ package: apikey
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: apikey
+ plural: apikeys
+ singular: apikey
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: authorizations.config.istio.io
+ labels:
+ app: mixer
+ package: authorization
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: authorization
+ plural: authorizations
+ singular: authorization
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: checknothings.config.istio.io
+ labels:
+ app: mixer
+ package: checknothing
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: checknothing
+ plural: checknothings
+ singular: checknothing
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: kuberneteses.config.istio.io
+ labels:
+ app: mixer
+ package: adapter.template.kubernetes
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: kubernetes
+ plural: kuberneteses
+ singular: kubernetes
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: listentries.config.istio.io
+ labels:
+ app: mixer
+ package: listentry
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: listentry
+ plural: listentries
+ singular: listentry
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: logentries.config.istio.io
+ labels:
+ app: mixer
+ package: logentry
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: logentry
+ plural: logentries
+ singular: logentry
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+ additionalPrinterColumns:
+ - JSONPath: .spec.severity
+ description: The importance of the log entry
+ name: Severity
+ type: string
+ - JSONPath: .spec.timestamp
+ description: The time value for the log entry
+ name: Timestamp
+ type: string
+ - JSONPath: .spec.monitored_resource_type
+ description: Optional expression to compute the type of the monitored resource this log entry is being recorded on
+ name: Res Type
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: edges.config.istio.io
+ labels:
+ app: mixer
+ package: edge
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: edge
+ plural: edges
+ singular: edge
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: metrics.config.istio.io
+ labels:
+ app: mixer
+ package: metric
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: metric
+ plural: metrics
+ singular: metric
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotas.config.istio.io
+ labels:
+ app: mixer
+ package: quota
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: quota
+ plural: quotas
+ singular: quota
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: reportnothings.config.istio.io
+ labels:
+ app: mixer
+ package: reportnothing
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: reportnothing
+ plural: reportnothings
+ singular: reportnothing
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: tracespans.config.istio.io
+ labels:
+ app: mixer
+ package: tracespan
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: tracespan
+ plural: tracespans
+ singular: tracespan
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rbacconfigs.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: RbacConfig
+ plural: rbacconfigs
+ singular: rbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: serviceroles.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ServiceRole
+ plural: serviceroles
+ singular: servicerole
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: servicerolebindings.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ServiceRoleBinding
+ plural: servicerolebindings
+ singular: servicerolebinding
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+ additionalPrinterColumns:
+ - JSONPath: .spec.roleRef.name
+ description: The name of the ServiceRole object being referenced
+ name: Reference
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: adapters.config.istio.io
+ labels:
+ app: mixer
+ package: adapter
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: adapter
+ plural: adapters
+ singular: adapter
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: instances.config.istio.io
+ labels:
+ app: mixer
+ package: instance
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: instance
+ plural: instances
+ singular: instance
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: templates.config.istio.io
+ labels:
+ app: mixer
+ package: template
+ istio: mixer-template
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: template
+ plural: templates
+ singular: template
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: handlers.config.istio.io
+ labels:
+ app: mixer
+ package: handler
+ istio: mixer-handler
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: handler
+ plural: handlers
+ singular: handler
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: cloudwatches.config.istio.io
+ labels:
+ app: mixer
+ package: cloudwatch
+ istio: mixer-adapter
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: cloudwatch
+ plural: cloudwatches
+ singular: cloudwatch
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: dogstatsds.config.istio.io
+ labels:
+ app: mixer
+ package: dogstatsd
+ istio: mixer-adapter
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: dogstatsd
+ plural: dogstatsds
+ singular: dogstatsd
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: sidecars.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: Sidecar
+ plural: sidecars
+ singular: sidecar
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: zipkins.config.istio.io
+ labels:
+ app: mixer
+ package: zipkin
+ istio: mixer-adapter
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: zipkin
+ plural: zipkins
+ singular: zipkin
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterissuers.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: ClusterIssuer
+ plural: clusterissuers
+ scope: Cluster
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: issuers.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Issuer
+ plural: issuers
+ scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: certificates.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - JSONPath: .spec.secretName
+ name: Secret
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ type: string
+ priority: 1
+ - JSONPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ type: string
+ priority: 1
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ scope: Namespaced
+ names:
+ kind: Certificate
+ plural: certificates
+ shortNames:
+ - cert
+ - certs
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: orders.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ type: string
+ priority: 1
+ - JSONPath: .status.reason
+ name: Reason
+ type: string
+ priority: 1
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Order
+ plural: orders
+ scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: challenges.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.dnsName
+ name: Domain
+ type: string
+ - JSONPath: .status.reason
+ name: Reason
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Challenge
+ plural: challenges
+ scope: Namespaced
+---
+# Source: istio/charts/galley/templates/poddisruptionbudget.yaml
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+ istio: galley
+spec:
+
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: galley
+ release: istio
+ istio: galley
+
+---
+# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ chart: gateways
+ heritage: Tiller
+ release: istio
+ app: istio-ingressgateway
+ istio: ingressgateway
+spec:
+
+ minAvailable: 1
+ selector:
+ matchLabels:
+ release: istio
+ app: istio-ingressgateway
+ istio: ingressgateway
+---
+
+---
+# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ app: policy
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ version: 1.1.0
+ istio: mixer
+ istio-mixer-type: policy
+spec:
+
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: policy
+ release: istio
+ istio: mixer
+ istio-mixer-type: policy
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ app: telemetry
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ version: 1.1.0
+ istio: mixer
+ istio-mixer-type: telemetry
+spec:
+
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: telemetry
+ release: istio
+ istio: mixer
+ istio-mixer-type: telemetry
+---
+
+---
+# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-pilot
+ namespace: istio-system
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+ istio: pilot
+spec:
+
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: pilot
+ release: istio
+ istio: pilot
+
+---
+# Source: istio/charts/galley/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-galley-configuration
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+ istio: galley
+data:
+ validatingwebhookconfiguration.yaml: |-
+ apiVersion: admissionregistration.k8s.io/v1beta1
+ kind: ValidatingWebhookConfiguration
+ metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+ istio: galley
+ webhooks:
+ - name: pilot.validation.istio.io
+ clientConfig:
+ service:
+ name: istio-galley
+ namespace: istio-system
+ path: "/admitpilot"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - config.istio.io
+ apiVersions:
+ - v1alpha2
+ resources:
+ - httpapispecs
+ - httpapispecbindings
+ - quotaspecs
+ - quotaspecbindings
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - rbac.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - authentication.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ failurePolicy: Fail
+ - name: mixer.validation.istio.io
+ clientConfig:
+ service:
+ name: istio-galley
+ namespace: istio-system
+ path: "/admitmixer"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - config.istio.io
+ apiVersions:
+ - v1alpha2
+ resources:
+ - rules
+ - attributemanifests
+ - circonuses
+ - deniers
+ - fluentds
+ - kubernetesenvs
+ - listcheckers
+ - memquotas
+ - noops
+ - opas
+ - prometheuses
+ - rbacs
+ - solarwindses
+ - stackdrivers
+ - cloudwatches
+ - dogstatsds
+ - statsds
+ - stdios
+ - apikeys
+ - authorizations
+ - checknothings
+ # - kuberneteses
+ - listentries
+ - logentries
+ - metrics
+ - quotas
+ - reportnothings
+ - tracespans
+ failurePolicy: Fail
+---
+# Source: istio/charts/prometheus/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: prometheus
+ namespace: istio-system
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+data:
+ prometheus.yml: |-
+ global:
+ scrape_interval: 15s
+ scrape_configs:
+
+ - job_name: 'istio-mesh'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-telemetry;prometheus
+
+ # Scrape config for envoy stats
+ - job_name: 'envoy-stats'
+ metrics_path: /stats/prometheus
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:15090
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+ metric_relabel_configs:
+ # Exclude some of the envoy metrics that have massive cardinality
+ # This list may need to be pruned further moving forward, as informed
+ # by performance and scalability testing.
+ - source_labels: [ cluster_name ]
+ regex: '(outbound|inbound|prometheus_stats).*'
+ action: drop
+ - source_labels: [ tcp_prefix ]
+ regex: '(outbound|inbound|prometheus_stats).*'
+ action: drop
+ - source_labels: [ listener_address ]
+ regex: '(.+)'
+ action: drop
+ - source_labels: [ http_conn_manager_listener_prefix ]
+ regex: '(.+)'
+ action: drop
+ - source_labels: [ http_conn_manager_prefix ]
+ regex: '(.+)'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_tls.*'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_tcp_downstream.*'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_http_(stats|admin).*'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*'
+ action: drop
+
+ - job_name: 'istio-policy'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-policy;http-monitoring
+
+ - job_name: 'istio-telemetry'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-telemetry;http-monitoring
+
+ - job_name: 'pilot'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-pilot;http-monitoring
+
+ - job_name: 'galley'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-galley;http-monitoring
+
+ - job_name: 'citadel'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-citadel;http-monitoring
+
+ # scrape config for API servers
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - default
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: kubernetes;https
+
+ # scrape config for nodes (kubelet)
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ # Scrape config for Kubelet cAdvisor.
+ #
+ # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
+ # (those whose names begin with 'container_') have been removed from the
+ # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
+ # retrieve those metrics.
+ #
+ # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
+ # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
+ # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
+ # the --cadvisor-port=0 Kubelet flag).
+ #
+ # This job is not necessary and should be removed in Kubernetes 1.6 and
+ # earlier versions, or it will cause the metrics to be scraped twice.
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+
+ # scrape config for service endpoints.
+ - job_name: 'kubernetes-service-endpoints'
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: keep
+ regex: ((;.*)|(.*;http))
+ - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
+ action: drop
+ regex: (true)
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+ - job_name: 'kubernetes-pods-istio-secure'
+ scheme: https
+ tls_config:
+ ca_file: /etc/istio-certs/root-cert.pem
+ cert_file: /etc/istio-certs/cert-chain.pem
+ key_file: /etc/istio-certs/key.pem
+ insecure_skip_verify: true # prometheus does not support secure naming.
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ # sidecar status annotation is added by sidecar injector and
+ # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
+ action: keep
+ regex: (([^;]+);([^;]*))|(([^;]*);(true))
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: drop
+ regex: (http)
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__] # Only keep address that is host:port
+ action: keep # otherwise an extra target with ':443' is added for https scheme
+ regex: ([^:]+):(\d+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+---
+# Source: istio/charts/security/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-security-custom-resources
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ istio: citadel
+data:
+ custom-resources.yaml: |-
+ # These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
+ # they are added to Istio installation yaml for backward compatible. In future, they should be in
+ # a separated yaml file so that customer can enable mTLS independent from installation.
+
+ # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
+ apiVersion: "authentication.istio.io/v1alpha1"
+ kind: "MeshPolicy"
+ metadata:
+ name: "default"
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ spec:
+ peers:
+ - mtls: {}
+ ---
+ # Corresponding destination rule to configure client side to use mutual TLS when talking to
+ # any service (host) in the mesh.
+ apiVersion: networking.istio.io/v1alpha3
+ kind: DestinationRule
+ metadata:
+ name: "default"
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ spec:
+ host: "*.local"
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+ ---
+ # Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
+ # Customer should add similar destination rules for other services that dont' have sidecar.
+ apiVersion: networking.istio.io/v1alpha3
+ kind: DestinationRule
+ metadata:
+ name: "api-server"
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ spec:
+ host: "kubernetes.default.svc.cluster.local"
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+ run.sh: |-
+ #!/bin/sh
+
+ set -x
+
+ if [ "$#" -ne "1" ]; then
+ echo "first argument should be path to custom resource yaml"
+ exit 1
+ fi
+
+ pathToResourceYAML=${1}
+
+ kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
+ while true; do
+ kubectl -n istio-system get deployment istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ kubectl -n istio-system rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+ fi
+ sleep 5
+ kubectl apply -f ${pathToResourceYAML}
+
+
+---
+# Source: istio/templates/configmap.yaml
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio
+ namespace: istio-system
+ labels:
+ app: istio
+ chart: istio
+ heritage: Tiller
+ release: istio
+data:
+ mesh: |-
+ # Set the following variable to true to disable policy checks by the Mixer.
+ # Note that metrics will still be reported to the Mixer.
+ disablePolicyChecks: true
+
+ # Set enableTracing to false to disable request tracing.
+ enableTracing: true
+
+ # Set accessLogFile to empty string to disable access log.
+ accessLogFile: ""
+
+ # If accessLogEncoding is TEXT, value will be used directly as the log format
+ # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
+ # If AccessLogEncoding is JSON, value will be parsed as map[string]string
+ # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
+ # Leave empty to use default log format
+ accessLogFormat: ""
+
+ # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
+ accessLogEncoding: 'TEXT'
+ mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
+ mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
+ # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
+ # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
+ policyCheckFailOpen: false
+ # Let Pilot give ingresses the public IP of the Istio ingressgateway
+ ingressService: istio-ingressgateway
+
+ # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
+ connectTimeout: 10s
+
+ # DNS refresh rate for Envoy clusters of type STRICT_DNS
+ dnsRefreshRate: 5s
+
+ # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
+ # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
+ sdsUdsPath: unix:/var/run/sds/uds_path
+
+ # This flag is used by secret discovery service(SDS).
+ # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount
+ # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which
+ # will be used to generate key/cert eventually. This isn't supported for non-k8s case.
+ enableSdsTokenMount: false
+
+ # This flag is used by secret discovery service(SDS).
+ # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
+ # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
+ # and pass to sds server, which will be used to request key/cert eventually.
+ # this flag is ignored if enableSdsTokenMount is set.
+ # This isn't supported for non-k8s case.
+ sdsUseK8sSaJwt: true
+
+ # The trust domain corresponds to the trust root of a system.
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain:
+
+ # Set the default behavior of the sidecar for handling outbound traffic from the application:
+ # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
+ # services or ServiceEntries for the destination port
+ # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
+ # as those defined through ServiceEntries
+ outboundTrafficPolicy:
+ mode: ALLOW_ANY
+
+ localityLbSetting:
+ {}
+
+
+ # The namespace to treat as the administrative root namespace for istio
+ # configuration.
+ rootNamespace: istio-system
+ configSources:
+ - address: istio-galley.istio-system.svc:9901
+
+ defaultConfig:
+ #
+ # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
+ # defined in Envoy's configuration file
+ connectTimeout: 10s
+ #
+ ### ADVANCED SETTINGS #############
+ # Where should envoy's configuration be stored in the istio-proxy container
+ configPath: "/etc/istio/proxy"
+ binaryPath: "/usr/local/bin/envoy"
+ # The pseudo service name used for Envoy.
+ serviceCluster: istio-proxy
+ # These settings that determine how long an old Envoy
+ # process should be kept alive after an occasional reload.
+ drainDuration: 45s
+ parentShutdownDuration: 1m0s
+ #
+ # The mode used to redirect inbound connections to Envoy. This setting
+ # has no effect on outbound traffic: iptables REDIRECT is always used for
+ # outbound connections.
+ # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+ # The "REDIRECT" mode loses source addresses during redirection.
+ # If "TPROXY", use iptables TPROXY to redirect to Envoy.
+ # The "TPROXY" mode preserves both the source and destination IP
+ # addresses and ports, so that they can be used for advanced filtering
+ # and manipulation.
+ # The "TPROXY" mode also configures the sidecar to run with the
+ # CAP_NET_ADMIN capability, which is required to use TPROXY.
+ #interceptionMode: REDIRECT
+ #
+ # Port where Envoy listens (on local host) for admin commands
+ # You can exec into the istio-proxy container in a pod and
+ # curl the admin port (curl http://localhost:15000/) to obtain
+ # diagnostic information from Envoy. See
+ # https://lyft.github.io/envoy/docs/operations/admin.html
+ # for more details
+ proxyAdminPort: 15000
+ #
+ # Set concurrency to a specific number to control the number of Proxy worker threads.
+ # If set to 0 (default), then start worker thread for each CPU thread/core.
+ concurrency: 2
+ #
+ tracing:
+ zipkin:
+ # Address of the Zipkin collector
+ address: zipkin.istio-system:9411
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: NONE
+ #
+ # Address where istio Pilot service is running
+ discoveryAddress: istio-pilot.istio-system:15010
+
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ networks: {}
+
+---
+# Source: istio/templates/sidecar-injector-configmap.yaml
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: istio
+ chart: istio
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+data:
+ config: |-
+ policy: enabled
+ template: |-
+ rewriteAppHTTPProbe: false
+ initContainers:
+ [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
+ - name: istio-init
+ image: "docker.io/istio/proxy_init:1.1.6"
+ args:
+ - "-p"
+ - [[ .MeshConfig.ProxyListenPort ]]
+ - "-u"
+ - 1337
+ - "-m"
+ - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
+ - "-i"
+ - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]"
+ - "-x"
+ - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]"
+ - "-b"
+ - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
+ - "-d"
+ - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]"
+ [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
+ - "-k"
+ - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
+ [[ end -]]
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ securityContext:
+ runAsUser: 0
+ runAsNonRoot: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ restartPolicy: Always
+ [[ end -]]
+ containers:
+ - name: istio-proxy
+ image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "docker.io/istio/proxyv2:1.1.6" ]]
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --configPath
+ - [[ .ProxyConfig.ConfigPath ]]
+ - --binaryPath
+ - [[ .ProxyConfig.BinaryPath ]]
+ - --serviceCluster
+ [[ if ne "" (index .ObjectMeta.Labels "app") -]]
+ - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE)
+ [[ else -]]
+ - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]]
+ [[ end -]]
+ - --drainDuration
+ - [[ formatDuration .ProxyConfig.DrainDuration ]]
+ - --parentShutdownDuration
+ - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
+ - --discoveryAddress
+ - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]
+ - --zipkinAddress
+ - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]
+ - --connectTimeout
+ - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
+ - --proxyAdminPort
+ - [[ .ProxyConfig.ProxyAdminPort ]]
+ [[ if gt .ProxyConfig.Concurrency 0 -]]
+ - --concurrency
+ - [[ .ProxyConfig.Concurrency ]]
+ [[ end -]]
+ - --controlPlaneAuthPolicy
+ - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]
+ [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]]
+ - --statusPort
+ - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]
+ - --applicationPorts
+ - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]"
+ [[- end ]]
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: ISTIO_META_CONFIG_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
+ [[ if .ObjectMeta.Annotations ]]
+ - name: ISTIO_METAJSON_ANNOTATIONS
+ value: |
+ [[ toJSON .ObjectMeta.Annotations ]]
+ [[ end ]]
+ [[ if .ObjectMeta.Labels ]]
+ - name: ISTIO_METAJSON_LABELS
+ value: |
+ [[ toJSON .ObjectMeta.Labels ]]
+ [[ end ]]
+ [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
+ - name: ISTIO_BOOTSTRAP_OVERRIDE
+ value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+ [[- end ]]
+ imagePullPolicy: IfNotPresent
+ [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]]
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]]
+ initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]]
+ periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]]
+ failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]]
+ [[ end -]]securityContext:
+ readOnlyRootFilesystem: true
+ [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]]
+ capabilities:
+ add:
+ - NET_ADMIN
+ runAsGroup: 1337
+ [[ else -]]
+
+ runAsUser: 1337
+ [[- end ]]
+ resources:
+ [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
+ requests:
+ [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]
+ cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]"
+ [[ end ]]
+ [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]
+ memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]"
+ [[ end ]]
+ [[ else -]]
+ limits:
+ cpu: 2000m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ [[ end -]]
+ volumeMounts:
+ [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ [[- end ]]
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /var/run/sds/uds_path
+ name: sds-uds-path
+ readOnly: true
+ [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]
+ [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]
+ - name: "[[ $index ]]"
+ [[ toYaml $value | indent 4 ]]
+ [[ end ]]
+ [[- end ]]
+ volumes:
+ [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]
+ - name: custom-bootstrap-volume
+ configMap:
+ name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]
+ [[- end ]]
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: sds-uds-path
+ hostPath:
+ path: /var/run/sds/uds_path
+ type: Socket
+
+---
+# Source: istio/charts/galley/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-galley-service-account
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+
+---
+# Source: istio/charts/gateways/templates/serviceaccount.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+ labels:
+ app: istio-ingressgateway
+ chart: gateways
+ heritage: Tiller
+ release: istio
+---
+
+
+---
+# Source: istio/charts/mixer/templates/serviceaccount.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-mixer-service-account
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+
+---
+# Source: istio/charts/nodeagent/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-nodeagent-service-account
+ namespace: istio-system
+ labels:
+ app: nodeagent
+ chart: nodeagent
+ heritage: Tiller
+ release: istio
+---
+# Source: istio/charts/pilot/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-pilot-service-account
+ namespace: istio-system
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+
+---
+# Source: istio/charts/prometheus/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus
+ namespace: istio-system
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+
+---
+# Source: istio/charts/security/templates/cleanup-secrets.yaml
+# The reason for creating a ServiceAccount and ClusterRole specifically for this
+# post-delete hooked job is because the citadel ServiceAccount is being deleted
+# before this hook is launched. On the other hand, running this hook before the
+# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
+# will be re-created immediately by the to-be-deleted citadel.
+#
+# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
+# will be ready before running the hooked Job therefore the hook weights.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-cleanup-secrets-service-account
+ namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cleanup-secrets-istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cleanup-secrets-istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "2"
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cleanup-secrets-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-cleanup-secrets-service-account
+ namespace: istio-system
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-cleanup-secrets-1.1.6
+ namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "3"
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+spec:
+ template:
+ metadata:
+ name: istio-cleanup-secrets
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ spec:
+ serviceAccountName: istio-cleanup-secrets-service-account
+ containers:
+ - name: kubectl
+ image: "docker.io/istio/kubectl:1.1.6"
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -c
+ - >
+ kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
+ ns=$(echo $entry | awk '{print $1}');
+ name=$(echo $entry | awk '{print $2}');
+ kubectl delete secret $name -n $ns;
+ done
+ restartPolicy: OnFailure
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/security/templates/create-custom-resources-job.yaml
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-security-post-install-account
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-security-post-install-istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["networking.istio.io"] # needed to create security destination rules
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-security-post-install-role-binding-istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-security-post-install-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-security-post-install-account
+ namespace: istio-system
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-security-post-install-1.1.6
+ namespace: istio-system
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+spec:
+ template:
+ metadata:
+ name: istio-security-post-install
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ spec:
+ serviceAccountName: istio-security-post-install-account
+ containers:
+ - name: kubectl
+ image: "docker.io/istio/kubectl:1.1.6"
+ imagePullPolicy: IfNotPresent
+ command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
+ volumeMounts:
+ - mountPath: "/tmp/security"
+ name: tmp-configmap-security
+ volumes:
+ - name: tmp-configmap-security
+ configMap:
+ name: istio-security-custom-resources
+ restartPolicy: OnFailure
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/security/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-citadel-service-account
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-sidecar-injector-service-account
+ namespace: istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+
+---
+# Source: istio/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-multi
+ namespace: istio-system
+
+---
+# Source: istio/charts/galley/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-galley-istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["*"]
+- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions","apps"]
+ resources: ["deployments"]
+ resourceNames: ["istio-galley"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["pods", "nodes", "services", "endpoints"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["deployments/finalizers"]
+ resourceNames: ["istio-galley"]
+ verbs: ["update"]
+
+---
+# Source: istio/charts/gateways/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-ingressgateway-istio-system
+ labels:
+ app: ingressgateway
+ chart: gateways
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: ["networking.istio.io"]
+ resources: ["virtualservices", "destinationrules", "gateways"]
+ verbs: ["get", "watch", "list", "update"]
+---
+
+---
+# Source: istio/charts/mixer/templates/clusterrole.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-mixer-istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: ["config.istio.io"] # istio CRD watcher
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+
+---
+# Source: istio/charts/nodeagent/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-nodeagent-istio-system
+ labels:
+ app: nodeagent
+ chart: nodeagent
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+---
+# Source: istio/charts/pilot/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-pilot-istio-system
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: ["config.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses", "ingresses/status"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+- apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
+ verbs: ["get", "list", "watch"]
+
+---
+# Source: istio/charts/prometheus/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: prometheus-istio-system
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - nodes/proxy
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+
+---
+# Source: istio/charts/security/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-citadel-istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "update"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-sidecar-injector-istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "patch"]
+
+---
+# Source: istio/templates/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-reader
+rules:
+ - apiGroups: ['']
+ resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
+ verbs: ['get', 'watch', 'list']
+ - apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+
+---
+# Source: istio/charts/galley/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-galley-admin-role-binding-istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-galley-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/gateways/templates/clusterrolebindings.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-ingressgateway-istio-system
+ labels:
+ app: ingressgateway
+ chart: gateways
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-ingressgateway-istio-system
+subjects:
+- kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+---
+
+---
+# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-mixer-admin-role-binding-istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/nodeagent/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-nodeagent-istio-system
+ labels:
+ app: nodeagent
+ chart: nodeagent
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-nodeagent-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: istio-system
+---
+# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-pilot-istio-system
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-pilot-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-istio-system
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-istio-system
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: istio-system
+
+---
+# Source: istio/charts/security/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-citadel-istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: istio-system
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-injector-admin-role-binding-istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: istio-system
+
+---
+# Source: istio/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-multi
+ labels:
+ chart: istio-1.1.0
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader
+subjects:
+- kind: ServiceAccount
+ name: istio-multi
+ namespace: istio-system
+
+---
+# Source: istio/charts/gateways/templates/role.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+
+---
+# Source: istio/charts/gateways/templates/rolebindings.yaml
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+---
+
+---
+# Source: istio/charts/galley/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+ istio: galley
+spec:
+ ports:
+ - port: 443
+ name: https-validation
+ - port: 15014
+ name: http-monitoring
+ - port: 9901
+ name: grpc-mcp
+ selector:
+ istio: galley
+
+---
+# Source: istio/charts/gateways/templates/service.yaml
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ annotations:
+ labels:
+ chart: gateways
+ heritage: Tiller
+ release: istio
+ app: istio-ingressgateway
+ istio: ingressgateway
+spec:
+ type: LoadBalancer
+ selector:
+ release: istio
+ app: istio-ingressgateway
+ istio: ingressgateway
+ ports:
+ -
+ name: status-port
+ port: 15020
+ targetPort: 15020
+ -
+ name: http2
+ nodePort: 31380
+ port: 80
+ targetPort: 80
+ -
+ name: https
+ nodePort: 31390
+ port: 443
+ -
+ name: tcp
+ nodePort: 31400
+ port: 31400
+ -
+ name: https-kiali
+ port: 15029
+ targetPort: 15029
+ -
+ name: https-prometheus
+ port: 15030
+ targetPort: 15030
+ -
+ name: https-grafana
+ port: 15031
+ targetPort: 15031
+ -
+ name: https-tracing
+ port: 15032
+ targetPort: 15032
+ -
+ name: tls
+ port: 15443
+ targetPort: 15443
+---
+
+---
+# Source: istio/charts/mixer/templates/service.yaml
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ annotations:
+ networking.istio.io/exportTo: "*"
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ istio: mixer
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 15014
+ selector:
+ istio: mixer
+ istio-mixer-type: policy
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ annotations:
+ networking.istio.io/exportTo: "*"
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ istio: mixer
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 15014
+ - name: prometheus
+ port: 42422
+ selector:
+ istio: mixer
+ istio-mixer-type: telemetry
+---
+
+
+---
+# Source: istio/charts/pilot/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot
+ namespace: istio-system
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+ istio: pilot
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 15014
+ name: http-monitoring
+ selector:
+ istio: pilot
+
+---
+# Source: istio/charts/prometheus/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus
+ namespace: istio-system
+ annotations:
+ prometheus.io/scrape: 'true'
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+spec:
+ selector:
+ app: prometheus
+ ports:
+ - name: http-prometheus
+ protocol: TCP
+ port: 9090
+
+---
+# Source: istio/charts/security/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ # we use the normal name here (e.g. 'prometheus')
+ # as grafana is configured to use this as a data source
+ name: istio-citadel
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ istio: citadel
+spec:
+ ports:
+ - name: grpc-citadel
+ port: 8060
+ targetPort: 8060
+ protocol: TCP
+ - name: http-monitoring
+ port: 15014
+ selector:
+ istio: citadel
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+spec:
+ ports:
+ - port: 443
+ selector:
+ istio: sidecar-injector
+
+---
+# Source: istio/charts/nodeagent/templates/daemonset.yaml
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: istio-nodeagent
+ namespace: istio-system
+ labels:
+ app: nodeagent
+ chart: nodeagent
+ release: istio
+ heritage: Tiller
+ istio: nodeagent
+spec:
+ template:
+ metadata:
+ labels:
+ app: nodeagent
+ chart: nodeagent
+ release: istio
+ heritage: Tiller
+ istio: nodeagent
+ spec:
+ serviceAccountName: istio-nodeagent-service-account
+ containers:
+ - name: nodeagent
+ image: "docker.io/istio/node-agent-k8s:1.1.6"
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /var/run/sds
+ name: sdsudspath
+ env:
+ - name: CA_ADDR
+ value: "istio-citadel:8060"
+ - name: CA_PROVIDER
+ value: "Citadel"
+ - name: Plugins
+ value: ""
+ - name: VALID_TOKEN
+ value: "true"
+ - name: "Trust_Domain"
+ value: ""
+ volumes:
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/galley/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-galley
+ namespace: istio-system
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+ istio: galley
+spec:
+ replicas: 1
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: galley
+ chart: galley
+ heritage: Tiller
+ release: istio
+ istio: galley
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-galley-service-account
+ containers:
+ - name: galley
+ image: "docker.io/istio/galley:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 443
+ - containerPort: 15014
+ - containerPort: 9901
+ command:
+ - /usr/local/bin/galley
+ - server
+ - --meshConfigFile=/etc/mesh-config/mesh
+ - --livenessProbeInterval=1s
+ - --livenessProbePath=/healthliveness
+ - --readinessProbePath=/healthready
+ - --readinessProbeInterval=1s
+ - --deployment-namespace=istio-system
+ - --insecure=true
+ - --validation-webhook-config-file
+ - /etc/config/validatingwebhookconfiguration.yaml
+ - --monitoringPort=15014
+ - --log_output_level=default:info
+ volumeMounts:
+ - name: certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: config
+ mountPath: /etc/config
+ readOnly: true
+ - name: mesh-config
+ mountPath: /etc/mesh-config
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/galley
+ - probe
+ - --probe-path=/healthliveness
+ - --interval=10s
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/galley
+ - probe
+ - --probe-path=/healthready
+ - --interval=10s
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ requests:
+ cpu: 10m
+
+ volumes:
+ - name: certs
+ secret:
+ secretName: istio.istio-galley-service-account
+ - name: config
+ configMap:
+ name: istio-galley-configuration
+ - name: mesh-config
+ configMap:
+ name: istio
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/gateways/templates/deployment.yaml
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ chart: gateways
+ heritage: Tiller
+ release: istio
+ app: istio-ingressgateway
+ istio: ingressgateway
+spec:
+ template:
+ metadata:
+ labels:
+ chart: gateways
+ heritage: Tiller
+ release: istio
+ app: istio-ingressgateway
+ istio: ingressgateway
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-ingressgateway-service-account
+ containers:
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 15020
+ - containerPort: 80
+ - containerPort: 443
+ - containerPort: 31400
+ - containerPort: 15029
+ - containerPort: 15030
+ - containerPort: 15031
+ - containerPort: 15032
+ - containerPort: 15443
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --log_output_level=default:info
+ - --drainDuration
+ - '45s' #drainDuration
+ - --parentShutdownDuration
+ - '1m0s' #parentShutdownDuration
+ - --connectTimeout
+ - '10s' #connectTimeout
+ - --serviceCluster
+ - istio-ingressgateway
+ - --zipkinAddress
+ - zipkin:9411
+ - --proxyAdminPort
+ - "15000"
+ - --statusPort
+ - "15020"
+ - --controlPlaneAuthPolicy
+ - NONE
+ - --discoveryAddress
+ - istio-pilot:15010
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15020
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: ISTIO_META_CONFIG_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_META_ROUTER_MODE
+ value: sni-dnat
+ volumeMounts:
+ - name: sdsudspath
+ mountPath: /var/run/sds/uds_path
+ readOnly: true
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: ingressgateway-certs
+ mountPath: "/etc/istio/ingressgateway-certs"
+ readOnly: true
+ - name: ingressgateway-ca-certs
+ mountPath: "/etc/istio/ingressgateway-ca-certs"
+ readOnly: true
+ volumes:
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds/uds_path
+ type: Socket
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-ingressgateway-service-account
+ optional: true
+ - name: ingressgateway-certs
+ secret:
+ secretName: "istio-ingressgateway-certs"
+ optional: true
+ - name: ingressgateway-ca-certs
+ secret:
+ secretName: "istio-ingressgateway-ca-certs"
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+---
+
+---
+# Source: istio/charts/mixer/templates/deployment.yaml
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ app: istio-mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ istio: mixer
+spec:
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ istio: mixer
+ istio-mixer-type: policy
+ template:
+ metadata:
+ labels:
+ app: policy
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ istio: mixer
+ istio-mixer-type: policy
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ - name: uds-socket
+ emptyDir: {}
+ - name: policy-adapter-secret
+ secret:
+ secretName: policy-adapter-secret
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+ containers:
+ - name: mixer
+ image: "docker.io/istio/mixer:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 15014
+ - containerPort: 42422
+ args:
+ - --monitoringPort=15014
+ - --address
+ - unix:///sock/mixer.socket
+ - --log_output_level=default:info
+ - --configStoreURL=mcp://istio-galley.istio-system.svc:9901
+ - --configDefaultNamespace=istio-system
+ - --useAdapterCRDs=true
+ - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
+ env:
+ - name: GODEBUG
+ value: "gctrace=1"
+ - name: GOMAXPROCS
+ value: "6"
+ resources:
+ requests:
+ cpu: 10m
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: 15014
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --serviceCluster
+ - istio-policy
+ - --templateFile
+ - /etc/istio/proxy/envoy_policy.yaml.tmpl
+ - --controlPlaneAuthPolicy
+ - NONE
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+ - name: policy-adapter-secret
+ mountPath: /var/run/secrets/istio.io/policy/adapter
+ readOnly: true
+
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ app: istio-mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ istio: mixer
+spec:
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ istio: mixer
+ istio-mixer-type: telemetry
+ template:
+ metadata:
+ labels:
+ app: telemetry
+ chart: mixer
+ heritage: Tiller
+ release: istio
+ istio: mixer
+ istio-mixer-type: telemetry
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ - name: uds-socket
+ emptyDir: {}
+ - name: telemetry-adapter-secret
+ secret:
+ secretName: telemetry-adapter-secret
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+ containers:
+ - name: mixer
+ image: "docker.io/istio/mixer:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 15014
+ - containerPort: 42422
+ args:
+ - --monitoringPort=15014
+ - --address
+ - unix:///sock/mixer.socket
+ - --log_output_level=default:info
+ - --configStoreURL=mcp://istio-galley.istio-system.svc:9901
+ - --configDefaultNamespace=istio-system
+ - --useAdapterCRDs=true
+ - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
+ - --averageLatencyThreshold
+ - 100ms
+ - --loadsheddingMode
+ - enforce
+ env:
+ - name: GODEBUG
+ value: "gctrace=1"
+ - name: GOMAXPROCS
+ value: "6"
+ resources:
+ limits:
+ cpu: 4800m
+ memory: 4G
+ requests:
+ cpu: 1000m
+ memory: 1G
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: telemetry-adapter-secret
+ mountPath: /var/run/secrets/istio.io/telemetry/adapter
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: 15014
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --serviceCluster
+ - istio-telemetry
+ - --templateFile
+ - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
+ - --controlPlaneAuthPolicy
+ - NONE
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+
+---
+
+---
+# Source: istio/charts/pilot/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-pilot
+ namespace: istio-system
+ # TODO: default template doesn't have this, which one is right ?
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+ istio: pilot
+ annotations:
+ checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
+spec:
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ istio: pilot
+ template:
+ metadata:
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+ istio: pilot
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-pilot-service-account
+ containers:
+ - name: discovery
+ image: "docker.io/istio/pilot:1.1.6"
+ imagePullPolicy: IfNotPresent
+ args:
+ - "discovery"
+ - --monitoringAddr=:15014
+ - --log_output_level=default:info
+ - --domain
+ - cluster.local
+ - --secureGrpcAddr
+ - ""
+ - --keepaliveMaxServerConnectionAge
+ - "30m"
+ ports:
+ - containerPort: 8080
+ - containerPort: 15010
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 5
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: GODEBUG
+ value: "gctrace=1"
+ - name: PILOT_PUSH_THROTTLE
+ value: "100"
+ - name: PILOT_TRACE_SAMPLING
+ value: "1"
+ - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY
+ value: "1"
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: istio-proxy
+ image: "docker.io/istio/proxyv2:1.1.6"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 15003
+ - containerPort: 15005
+ - containerPort: 15007
+ - containerPort: 15011
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --serviceCluster
+ - istio-pilot
+ - --templateFile
+ - /etc/istio/proxy/envoy_pilot.yaml.tmpl
+ - --controlPlaneAuthPolicy
+ - NONE
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-pilot-service-account
+ optional: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/prometheus/templates/deployment.yaml
+# TODO: the original template has service account, roles, etc
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: prometheus
+ namespace: istio-system
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: prometheus
+ template:
+ metadata:
+ labels:
+ app: prometheus
+ chart: prometheus
+ heritage: Tiller
+ release: istio
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: prometheus
+ containers:
+ - name: prometheus
+ image: "docker.io/prom/prometheus:v2.3.1"
+ imagePullPolicy: IfNotPresent
+ args:
+ - '--storage.tsdb.retention=6h'
+ - '--config.file=/etc/prometheus/prometheus.yml'
+ ports:
+ - containerPort: 9090
+ name: http
+ livenessProbe:
+ httpGet:
+ path: /-/healthy
+ port: 9090
+ readinessProbe:
+ httpGet:
+ path: /-/ready
+ port: 9090
+ resources:
+ requests:
+ cpu: 10m
+
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/prometheus
+ - mountPath: /etc/istio-certs
+ name: istio-certs
+ volumes:
+ - name: config-volume
+ configMap:
+ name: prometheus
+ - name: istio-certs
+ secret:
+ defaultMode: 420
+ secretName: istio.default
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/security/templates/deployment.yaml
+# istio CA watching all namespaces
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-citadel
+ namespace: istio-system
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ istio: citadel
+spec:
+ replicas: 1
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: security
+ chart: security
+ heritage: Tiller
+ release: istio
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-citadel-service-account
+ containers:
+ - name: citadel
+ image: "docker.io/istio/citadel:1.1.6"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --append-dns-names=true
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --citadel-storage-namespace=istio-system
+ - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system
+ - --monitoring-port=15014
+ - --self-signed-ca=true
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: 15014
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ requests:
+ cpu: 10m
+
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+spec:
+ replicas: 1
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+ istio: sidecar-injector
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-sidecar-injector-service-account
+ containers:
+ - name: sidecar-injector-webhook
+ image: "docker.io/istio/sidecar_injector:1.1.6"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --caCertFile=/etc/istio/certs/root-cert.pem
+ - --tlsCertFile=/etc/istio/certs/cert-chain.pem
+ - --tlsKeyFile=/etc/istio/certs/key.pem
+ - --injectConfig=/etc/istio/inject/config
+ - --meshConfig=/etc/istio/config/mesh
+ - --healthCheckInterval=2s
+ - --healthCheckFile=/health
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ readOnly: true
+ - name: certs
+ mountPath: /etc/istio/certs
+ readOnly: true
+ - name: inject-config
+ mountPath: /etc/istio/inject
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ resources:
+ requests:
+ cpu: 10m
+
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: certs
+ secret:
+ secretName: istio.istio-sidecar-injector-service-account
+ - name: inject-config
+ configMap:
+ name: istio-sidecar-injector
+ items:
+ - key: config
+ path: config
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - ppc64le
+ - s390x
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - ppc64le
+ - weight: 2
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - s390x
+
+---
+# Source: istio/charts/gateways/templates/autoscale.yaml
+
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-ingressgateway
+ namespace: istio-system
+ labels:
+ app: ingressgateway
+ chart: gateways
+ heritage: Tiller
+ release: istio
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-ingressgateway
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+---
+
+---
+# Source: istio/charts/mixer/templates/autoscale.yaml
+
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-policy
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-telemetry
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+---
+
+---
+# Source: istio/charts/pilot/templates/autoscale.yaml
+
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-pilot
+ namespace: istio-system
+ labels:
+ app: pilot
+ chart: pilot
+ heritage: Tiller
+ release: istio
+spec:
+ maxReplicas: 5
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-pilot
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+---
+
+---
+# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ labels:
+ app: sidecarInjectorWebhook
+ chart: sidecarInjectorWebhook
+ heritage: Tiller
+ release: istio
+webhooks:
+ - name: sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istio-sidecar-injector
+ namespace: istio-system
+ path: "/inject"
+ caBundle: ""
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ namespaceSelector:
+ matchLabels:
+ istio-injection: enabled
+
+
+---
+# Source: istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl
+
+
+---
+# Source: istio/charts/gateways/templates/preconfigured.yaml
+
+
+---
+# Source: istio/charts/pilot/templates/meshexpansion.yaml
+
+
+
+---
+# Source: istio/charts/prometheus/templates/ingress.yaml
+
+---
+# Source: istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
+
+
+---
+# Source: istio/charts/security/templates/enable-mesh-mtls.yaml
+
+
+---
+# Source: istio/charts/security/templates/enable-mesh-permissive.yaml
+
+
+---
+# Source: istio/charts/security/templates/meshexpansion.yaml
+
+
+---
+# Source: istio/charts/security/templates/tests/test-citadel-connection.yaml
+
+
+---
+# Source: istio/templates/endpoints.yaml
+
+
+---
+# Source: istio/templates/install-custom-resources.sh.tpl
+
+
+---
+# Source: istio/templates/service.yaml
+
+
+---
+# Source: istio/charts/mixer/templates/config.yaml
+
+apiVersion: "config.istio.io/v1alpha2"
+kind: attributemanifest
+metadata:
+ name: istioproxy
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ attributes:
+ origin.ip:
+ valueType: IP_ADDRESS
+ origin.uid:
+ valueType: STRING
+ origin.user:
+ valueType: STRING
+ request.headers:
+ valueType: STRING_MAP
+ request.id:
+ valueType: STRING
+ request.host:
+ valueType: STRING
+ request.method:
+ valueType: STRING
+ request.path:
+ valueType: STRING
+ request.url_path:
+ valueType: STRING
+ request.query_params:
+ valueType: STRING_MAP
+ request.reason:
+ valueType: STRING
+ request.referer:
+ valueType: STRING
+ request.scheme:
+ valueType: STRING
+ request.total_size:
+ valueType: INT64
+ request.size:
+ valueType: INT64
+ request.time:
+ valueType: TIMESTAMP
+ request.useragent:
+ valueType: STRING
+ response.code:
+ valueType: INT64
+ response.duration:
+ valueType: DURATION
+ response.headers:
+ valueType: STRING_MAP
+ response.total_size:
+ valueType: INT64
+ response.size:
+ valueType: INT64
+ response.time:
+ valueType: TIMESTAMP
+ response.grpc_status:
+ valueType: STRING
+ response.grpc_message:
+ valueType: STRING
+ source.uid:
+ valueType: STRING
+ source.user: # DEPRECATED
+ valueType: STRING
+ source.principal:
+ valueType: STRING
+ destination.uid:
+ valueType: STRING
+ destination.principal:
+ valueType: STRING
+ destination.port:
+ valueType: INT64
+ connection.event:
+ valueType: STRING
+ connection.id:
+ valueType: STRING
+ connection.received.bytes:
+ valueType: INT64
+ connection.received.bytes_total:
+ valueType: INT64
+ connection.sent.bytes:
+ valueType: INT64
+ connection.sent.bytes_total:
+ valueType: INT64
+ connection.duration:
+ valueType: DURATION
+ connection.mtls:
+ valueType: BOOL
+ connection.requested_server_name:
+ valueType: STRING
+ context.protocol:
+ valueType: STRING
+ context.proxy_error_code:
+ valueType: STRING
+ context.timestamp:
+ valueType: TIMESTAMP
+ context.time:
+ valueType: TIMESTAMP
+ # Deprecated, kept for compatibility
+ context.reporter.local:
+ valueType: BOOL
+ context.reporter.kind:
+ valueType: STRING
+ context.reporter.uid:
+ valueType: STRING
+ api.service:
+ valueType: STRING
+ api.version:
+ valueType: STRING
+ api.operation:
+ valueType: STRING
+ api.protocol:
+ valueType: STRING
+ request.auth.principal:
+ valueType: STRING
+ request.auth.audiences:
+ valueType: STRING
+ request.auth.presenter:
+ valueType: STRING
+ request.auth.claims:
+ valueType: STRING_MAP
+ request.auth.raw_claims:
+ valueType: STRING
+ request.api_key:
+ valueType: STRING
+ rbac.permissive.response_code:
+ valueType: STRING
+ rbac.permissive.effective_policy_id:
+ valueType: STRING
+ check.error_code:
+ valueType: INT64
+ check.error_message:
+ valueType: STRING
+ check.cache_hit:
+ valueType: BOOL
+ quota.cache_hit:
+ valueType: BOOL
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: attributemanifest
+metadata:
+ name: kubernetes
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ attributes:
+ source.ip:
+ valueType: IP_ADDRESS
+ source.labels:
+ valueType: STRING_MAP
+ source.metadata:
+ valueType: STRING_MAP
+ source.name:
+ valueType: STRING
+ source.namespace:
+ valueType: STRING
+ source.owner:
+ valueType: STRING
+ source.serviceAccount:
+ valueType: STRING
+ source.services:
+ valueType: STRING
+ source.workload.uid:
+ valueType: STRING
+ source.workload.name:
+ valueType: STRING
+ source.workload.namespace:
+ valueType: STRING
+ destination.ip:
+ valueType: IP_ADDRESS
+ destination.labels:
+ valueType: STRING_MAP
+ destination.metadata:
+ valueType: STRING_MAP
+ destination.owner:
+ valueType: STRING
+ destination.name:
+ valueType: STRING
+ destination.container.name:
+ valueType: STRING
+ destination.namespace:
+ valueType: STRING
+ destination.service.uid:
+ valueType: STRING
+ destination.service.name:
+ valueType: STRING
+ destination.service.namespace:
+ valueType: STRING
+ destination.service.host:
+ valueType: STRING
+ destination.serviceAccount:
+ valueType: STRING
+ destination.workload.uid:
+ valueType: STRING
+ destination.workload.name:
+ valueType: STRING
+ destination.workload.namespace:
+ valueType: STRING
+---
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestcount
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestduration
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: response.duration | "0ms"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestsize
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: request.size | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: responsesize
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: response.size | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpbytesent
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: connection.sent.bytes | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpbytereceived
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: connection.received.bytes | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpconnectionsopened
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.name | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpconnectionsclosed
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.name | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: handler
+metadata:
+ name: prometheus
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ compiledAdapter: prometheus
+ params:
+ metricsExpirationPolicy:
+ metricsExpiryDuration: "10m"
+ metrics:
+ - name: requests_total
+ instance_name: requestcount.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ - name: request_duration_seconds
+ instance_name: requestduration.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ buckets:
+ explicit_buckets:
+ bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
+ - name: request_bytes
+ instance_name: requestsize.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: response_bytes
+ instance_name: responsesize.metric.istio-system
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: tcp_sent_bytes_total
+ instance_name: tcpbytesent.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_received_bytes_total
+ instance_name: tcpbytereceived.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_connections_opened_total
+ instance_name: tcpconnectionsopened.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_connections_closed_total
+ instance_name: tcpconnectionsclosed.metric.istio-system
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promhttp
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false)
+ actions:
+ - handler: prometheus
+ instances:
+ - requestcount.metric
+ - requestduration.metric
+ - requestsize.metric
+ - responsesize.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcp
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpbytesent.metric
+ - tcpbytereceived.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcpconnectionopen
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp" && ((connection.event | "na") == "open")
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpconnectionsopened.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcpconnectionclosed
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp" && ((connection.event | "na") == "close")
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpconnectionsclosed.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: handler
+metadata:
+ name: kubernetesenv
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ compiledAdapter: kubernetesenv
+ params:
+ # when running from mixer root, use the following config after adding a
+ # symbolic link to a kubernetes config file via:
+ #
+ # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
+ #
+ # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: kubeattrgenrulerule
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ actions:
+ - handler: kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: tcpkubeattrgenrulerule
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: kubernetes
+metadata:
+ name: attributes
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ # Pass the required attribute data to the adapter
+ source_uid: source.uid | ""
+ source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
+ destination_uid: destination.uid | ""
+ destination_port: destination.port | 0
+ attribute_bindings:
+ # Fill the new attributes from the adapter produced output.
+ # $out refers to an instance of OutputTemplate message
+ source.ip: $out.source_pod_ip | ip("0.0.0.0")
+ source.uid: $out.source_pod_uid | "unknown"
+ source.labels: $out.source_labels | emptyStringMap()
+ source.name: $out.source_pod_name | "unknown"
+ source.namespace: $out.source_namespace | "default"
+ source.owner: $out.source_owner | "unknown"
+ source.serviceAccount: $out.source_service_account_name | "unknown"
+ source.workload.uid: $out.source_workload_uid | "unknown"
+ source.workload.name: $out.source_workload_name | "unknown"
+ source.workload.namespace: $out.source_workload_namespace | "unknown"
+ destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
+ destination.uid: $out.destination_pod_uid | "unknown"
+ destination.labels: $out.destination_labels | emptyStringMap()
+ destination.name: $out.destination_pod_name | "unknown"
+ destination.container.name: $out.destination_container_name | "unknown"
+ destination.namespace: $out.destination_namespace | "default"
+ destination.owner: $out.destination_owner | "unknown"
+ destination.serviceAccount: $out.destination_service_account_name | "unknown"
+ destination.workload.uid: $out.destination_workload_uid | "unknown"
+ destination.workload.name: $out.destination_workload_name | "unknown"
+ destination.workload.namespace: $out.destination_workload_namespace | "unknown"
+---
+# Configuration needed by Mixer.
+# Mixer cluster is delivered via CDS
+# Specify mixer cluster settings
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-policy
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ host: istio-policy.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+ labels:
+ app: mixer
+ chart: mixer
+ heritage: Tiller
+ release: istio
+spec:
+ host: istio-telemetry.istio-system.svc.cluster.local
+ trafficPolicy:
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+
--- /dev/null
+apiVersion: v1
+name: istio-init
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2-0"
+description: Helm chart to initialize Istio CRDs
+keywords:
+ - istio
+ - crd
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
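Review bot: The `sources` entry in this new Chart.yaml points at a plain-HTTP URL, `http://github.com/istio/istio`, while the `icon` line right below it already uses HTTPS. Change it to `- https://github.com/istio/istio` so that anyone or anything following the link does not start on an unauthenticated connection. The file looks like a copy of the upstream `istio-init` chart at 1.1.0 (inferred from `version` and `appVersion`), so a provenance comment such as `# vendored from istio/istio, tag <UPSTREAM_TAG>` would make later comparison against upstream possible.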
--- /dev/null
+# Istio
+
+[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
+
+## Introduction
+
+This chart bootstraps Istio's [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
+which are an internal implementation detail of Istio. CRDs define data structures for storing runtime configuration
+specified by a human operator.
+
+This chart must be run to completion prior to running other Istio charts, or other Istio charts will fail to initialize.
+
+## Prerequisites
+
+- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required
+- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required
+
+## Resources Required
+
+The chart deploys pods that consume minimal resources.
+
+## Installing the Chart
+
+1. If a service account has not already been installed for Tiller, install one:
+ ```
+ $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
+ ```
+
+1. If Tiller has not already been installed in your cluster, Install Tiller on your cluster with the service account:
+ ```
+ $ helm init --service-account tiller
+ ```
+
+1. Install the Istio initializer chart:
+ ```
+ $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system
+ ```
+
+ > Although you can install the `istio-init` chart to any namespace, it is recommended to install `istio-init` in the same namespace(`istio-system`) as other Istio charts.
+
+## Configuration
+
+The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
+To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
+
+Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
+
+| Parameter | Description | Values | Default |
+| --- | --- | --- | --- |
+| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
+| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
+| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
+
+
+## Uninstalling the Chart
+
+> Uninstalling this chart does not delete Istio's registered CRDs. Istio by design expects
+> CRDs to leak into the Kubernetes environment. As CRDs contain all runtime configuration
+> data in CutomResources the Istio designers feel it is better to explicitly delete this
+> configuration rather then unexpectedly lose it.
+
+To uninstall/delete the `istio-init` release but continue to track the release:
+ ```
+ $ helm delete istio-init
+ ```
+
+To uninstall/delete the `istio-init` release completely and make its name free for later use:
+ ```
+ $ helm delete istio-init --purge
+ ```
+
+> Warning: Deleting CRDs will delete any configuration that you have made to Istio.
+
+To delete all CRDs, run the following command
+ ```
+ $ for i in istio-init/files/*crd*yaml; do kubectl delete -f $i; done
+ ```
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: virtualservices.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ singular: virtualservice
+ shortNames:
+ - vs
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.gateways
+ description: The names of gateways and sidecars that should apply these routes
+ name: Gateways
+ type: string
+ - JSONPath: .spec.hosts
+ description: The destination hosts to which traffic is being sent
+ name: Hosts
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationrules.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ singular: destinationrule
+ shortNames:
+ - dr
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.host
+ description: The name of a service from the service registry
+ name: Host
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceentries.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ singular: serviceentry
+ shortNames:
+ - se
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.hosts
+ description: The hosts associated with the ServiceEntry
+ name: Hosts
+ type: string
+ - JSONPath: .spec.location
+ description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)
+ name: Location
+ type: string
+ - JSONPath: .spec.resolution
+ description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
+ name: Resolution
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: gateways.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: Gateway
+ plural: gateways
+ singular: gateway
+ shortNames:
+ - gw
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: envoyfilters.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: EnvoyFilter
+ plural: envoyfilters
+ singular: envoyfilter
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: clusterrbacconfigs.rbac.istio.io
+ labels:
+ app: istio-pilot
+ istio: rbac
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ClusterRbacConfig
+ plural: clusterrbacconfigs
+ singular: clusterrbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Cluster
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: policies.authentication.istio.io
+ labels:
+ app: istio-citadel
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: authentication.istio.io
+ names:
+ kind: Policy
+ plural: policies
+ singular: policy
+ categories:
+ - istio-io
+ - authentication-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: meshpolicies.authentication.istio.io
+ labels:
+ app: istio-citadel
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: authentication.istio.io
+ names:
+ kind: MeshPolicy
+ listKind: MeshPolicyList
+ plural: meshpolicies
+ singular: meshpolicy
+ categories:
+ - istio-io
+ - authentication-istio-io
+ scope: Cluster
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecbindings.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpecBinding
+ plural: httpapispecbindings
+ singular: httpapispecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecs.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpec
+ plural: httpapispecs
+ singular: httpapispec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecbindings.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpecBinding
+ plural: quotaspecbindings
+ singular: quotaspecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecs.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpec
+ plural: quotaspecs
+ singular: quotaspec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rules.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: rule
+ plural: rules
+ singular: rule
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: attributemanifests.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: attributemanifest
+ plural: attributemanifests
+ singular: attributemanifest
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: bypasses.config.istio.io
+ labels:
+ app: mixer
+ package: bypass
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: bypass
+ plural: bypasses
+ singular: bypass
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: circonuses.config.istio.io
+ labels:
+ app: mixer
+ package: circonus
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: circonus
+ plural: circonuses
+ singular: circonus
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: deniers.config.istio.io
+ labels:
+ app: mixer
+ package: denier
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: denier
+ plural: deniers
+ singular: denier
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: fluentds.config.istio.io
+ labels:
+ app: mixer
+ package: fluentd
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: fluentd
+ plural: fluentds
+ singular: fluentd
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: kubernetesenvs.config.istio.io
+ labels:
+ app: mixer
+ package: kubernetesenv
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: kubernetesenv
+ plural: kubernetesenvs
+ singular: kubernetesenv
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: listcheckers.config.istio.io
+ labels:
+ app: mixer
+ package: listchecker
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: listchecker
+ plural: listcheckers
+ singular: listchecker
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: memquotas.config.istio.io
+ labels:
+ app: mixer
+ package: memquota
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: memquota
+ plural: memquotas
+ singular: memquota
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: noops.config.istio.io
+ labels:
+ app: mixer
+ package: noop
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: noop
+ plural: noops
+ singular: noop
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: opas.config.istio.io
+ labels:
+ app: mixer
+ package: opa
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: opa
+ plural: opas
+ singular: opa
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: prometheuses.config.istio.io
+ labels:
+ app: mixer
+ package: prometheus
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: prometheus
+ plural: prometheuses
+ singular: prometheus
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rbacs.config.istio.io
+ labels:
+ app: mixer
+ package: rbac
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: rbac
+ plural: rbacs
+ singular: rbac
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: redisquotas.config.istio.io
+ labels:
+ app: mixer
+ package: redisquota
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: redisquota
+ plural: redisquotas
+ singular: redisquota
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: signalfxs.config.istio.io
+ labels:
+ app: mixer
+ package: signalfx
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: signalfx
+ plural: signalfxs
+ singular: signalfx
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: solarwindses.config.istio.io
+ labels:
+ app: mixer
+ package: solarwinds
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: solarwinds
+ plural: solarwindses
+ singular: solarwinds
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: stackdrivers.config.istio.io
+ labels:
+ app: mixer
+ package: stackdriver
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: stackdriver
+ plural: stackdrivers
+ singular: stackdriver
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: statsds.config.istio.io
+ labels:
+ app: mixer
+ package: statsd
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: statsd
+ plural: statsds
+ singular: statsd
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: stdios.config.istio.io
+ labels:
+ app: mixer
+ package: stdio
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: stdio
+ plural: stdios
+ singular: stdio
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: apikeys.config.istio.io
+ labels:
+ app: mixer
+ package: apikey
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: apikey
+ plural: apikeys
+ singular: apikey
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: authorizations.config.istio.io
+ labels:
+ app: mixer
+ package: authorization
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: authorization
+ plural: authorizations
+ singular: authorization
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: checknothings.config.istio.io
+ labels:
+ app: mixer
+ package: checknothing
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: checknothing
+ plural: checknothings
+ singular: checknothing
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: kuberneteses.config.istio.io
+ labels:
+ app: mixer
+ package: adapter.template.kubernetes
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: kubernetes
+ plural: kuberneteses
+ singular: kubernetes
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: listentries.config.istio.io
+ labels:
+ app: mixer
+ package: listentry
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: listentry
+ plural: listentries
+ singular: listentry
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: logentries.config.istio.io
+ labels:
+ app: mixer
+ package: logentry
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: logentry
+ plural: logentries
+ singular: logentry
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+ additionalPrinterColumns:
+ - JSONPath: .spec.severity
+ description: The importance of the log entry
+ name: Severity
+ type: string
+ - JSONPath: .spec.timestamp
+ description: The time value for the log entry
+ name: Timestamp
+ type: string
+ - JSONPath: .spec.monitored_resource_type
+ description: Optional expression to compute the type of the monitored resource this log entry is being recorded on
+ name: Res Type
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: edges.config.istio.io
+ labels:
+ app: mixer
+ package: edge
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: edge
+ plural: edges
+ singular: edge
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: metrics.config.istio.io
+ labels:
+ app: mixer
+ package: metric
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: metric
+ plural: metrics
+ singular: metric
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotas.config.istio.io
+ labels:
+ app: mixer
+ package: quota
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: quota
+ plural: quotas
+ singular: quota
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: reportnothings.config.istio.io
+ labels:
+ app: mixer
+ package: reportnothing
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: reportnothing
+ plural: reportnothings
+ singular: reportnothing
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: tracespans.config.istio.io
+ labels:
+ app: mixer
+ package: tracespan
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: tracespan
+ plural: tracespans
+ singular: tracespan
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rbacconfigs.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: RbacConfig
+ plural: rbacconfigs
+ singular: rbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: serviceroles.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ServiceRole
+ plural: serviceroles
+ singular: servicerole
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: servicerolebindings.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ServiceRoleBinding
+ plural: servicerolebindings
+ singular: servicerolebinding
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+ additionalPrinterColumns:
+ - JSONPath: .spec.roleRef.name
+ description: The name of the ServiceRole object being referenced
+ name: Reference
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: adapters.config.istio.io
+ labels:
+ app: mixer
+ package: adapter
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: adapter
+ plural: adapters
+ singular: adapter
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: instances.config.istio.io
+ labels:
+ app: mixer
+ package: instance
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: instance
+ plural: instances
+ singular: instance
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: templates.config.istio.io
+ labels:
+ app: mixer
+ package: template
+ istio: mixer-template
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: template
+ plural: templates
+ singular: template
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: handlers.config.istio.io
+ labels:
+ app: mixer
+ package: handler
+ istio: mixer-handler
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: handler
+ plural: handlers
+ singular: handler
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
--- /dev/null
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: cloudwatches.config.istio.io
+ labels:
+ app: mixer
+ package: cloudwatch
+ istio: mixer-adapter
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: cloudwatch
+ plural: cloudwatches
+ singular: cloudwatch
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: dogstatsds.config.istio.io
+ labels:
+ app: mixer
+ package: dogstatsd
+ istio: mixer-adapter
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: dogstatsd
+ plural: dogstatsds
+ singular: dogstatsd
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: sidecars.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: Sidecar
+ plural: sidecars
+ singular: sidecar
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: zipkins.config.istio.io
+ labels:
+ app: mixer
+ package: zipkin
+ istio: mixer-adapter
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: zipkin
+ plural: zipkins
+ singular: zipkin
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
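Review bot: The `cloudwatches`, `dogstatsds` and `zipkins` definitions in this file carry no `chart`, `heritage` or `release` labels, while `sidecars.networking.istio.io` in the same file has all three. Anything that selects the chart's CRDs by `release=istio`, such as a cleanup script or an audit of what the chart installed, would presumably miss these three. Add `chart: istio`, `heritage: Tiller` and `release: istio` under their `labels:` to match.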
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterissuers.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: ClusterIssuer
+ plural: clusterissuers
+ scope: Cluster
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: issuers.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Issuer
+ plural: issuers
+ scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: certificates.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - JSONPath: .spec.secretName
+ name: Secret
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ type: string
+ priority: 1
+ - JSONPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ type: string
+ priority: 1
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ scope: Namespaced
+ names:
+ kind: Certificate
+ plural: certificates
+ shortNames:
+ - cert
+ - certs
--- /dev/null
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: orders.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ type: string
+ priority: 1
+ - JSONPath: .status.reason
+ name: Reason
+ type: string
+ priority: 1
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Order
+ plural: orders
+ scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: challenges.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.state
+ name: State
+ type: string
+ - JSONPath: .spec.dnsName
+ name: Domain
+ type: string
+ - JSONPath: .status.reason
+ name: Reason
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Challenge
+ plural: challenges
+ scope: Namespaced
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-init-{{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: istio-init
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "create", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "get", "list", "watch", "patch"]
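Review bot: The first rule grants `create` on `configmaps` in every namespace, which looks wider than the init Jobs in this commit need: they receive the CRD files through a ConfigMap volume and only run `kubectl apply -f` on them. If those files hold only CustomResourceDefinition objects, the `configmaps` rule can be dropped, or moved to a namespaced Role in the release namespace if something outside this diff depends on it. A comment above `rules:` such as `# kubectl apply of the CRD files needs get/create/patch on customresourcedefinitions` would record why the remaining cluster-wide write access is there.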
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-init-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: init
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-init-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-init-service-account
+ namespace: {{ .Release.Namespace }}
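Review bot: The `istio` label here is `init`, but the ClusterRole this binding references is labelled `istio: istio-init`, so a selector on either value finds only part of the init RBAC objects; use one value on both. The name `istio-init-admin-role-binding-…` also reads as an admin grant, although the bound role is `istio-init-{{ .Release.Namespace }}`. A name like `istio-init-role-binding-{{ .Release.Namespace }}` would not mislead someone auditing cluster bindings.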
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-10
+data:
+ crd-10.yaml: |-
+{{.Files.Get "files/crd-10.yaml" | printf "%s" | indent 4}}
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-11
+data:
+ crd-11.yaml: |-
+{{.Files.Get "files/crd-11.yaml" | printf "%s" | indent 4}}
--- /dev/null
+{{- if .Values.certmanager.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-certmanager-10
+data:
+ crd-certmanager-10.yaml: |-
+{{.Files.Get "files/crd-certmanager-10.yaml" | printf "%s" | indent 4}}
+{{- end }}
--- /dev/null
+{{- if .Values.certmanager.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-certmanager-11
+data:
+ crd-certmanager-11.yaml: |-
+{{.Files.Get "files/crd-certmanager-11.yaml" | printf "%s" | indent 4}}
+{{- end }}
--- /dev/null
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-10
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-10
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-10
+ mountPath: /etc/istio/crd-10
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-10/crd-10.yaml"]
+ volumes:
+ - name: crd-10
+ configMap:
+ name: istio-crd-10
+ restartPolicy: OnFailure
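Review bot: The container in this Job sets no `securityContext`, although the pod runs with the `istio-init-service-account` token, which the ClusterRole in this commit allows to create and patch CustomResourceDefinitions cluster-wide. Dropping capabilities and blocking privilege escalation should cost nothing for a one-shot `kubectl apply`; `runAsNonRoot` needs checking against the user the kubectl image is built with. The same applies to the `istio-init-crd-11`, `istio-init-crd-certmanager-10` and `istio-init-crd-certmanager-11` Jobs in the sections below.

```yaml
      containers:
        - name: istio-init-crd-10
          # … unchanged: image, imagePullPolicy, volumeMounts, command …
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
```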
--- /dev/null
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-11
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-11
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-11
+ mountPath: /etc/istio/crd-11
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-11/crd-11.yaml"]
+ volumes:
+ - name: crd-11
+ configMap:
+ name: istio-crd-11
+ restartPolicy: OnFailure
--- /dev/null
+{{- if .Values.certmanager.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-certmanager-10
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-certmanager-10
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-certmanager-10
+ mountPath: /etc/istio/crd-certmanager-10
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-10/crd-certmanager-10.yaml"]
+ volumes:
+ - name: crd-certmanager-10
+ configMap:
+ name: istio-crd-certmanager-10
+ restartPolicy: OnFailure
+{{- end }}
--- /dev/null
+{{- if .Values.certmanager.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-certmanager-11
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-certmanager-11
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-certmanager-11
+ mountPath: /etc/istio/crd-certmanager-11
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-11/crd-certmanager-11.yaml"]
+ volumes:
+ - name: crd-certmanager-11
+ configMap:
+ name: istio-crd-certmanager-11
+ restartPolicy: OnFailure
+{{- end }}
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-init-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: init
+
--- /dev/null
+global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.1.6
+
+ # imagePullPolicy is applied to istio control plane components.
+ # local tests require IfNotPresent, to avoid uploading to dockerhub.
+ # TODO: Switch to Always as default, and override in the local tests.
+ imagePullPolicy: IfNotPresent
+
+certmanager:
+ enabled: false
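Review bot: `tag: 1.1.6` is left as a plain scalar; it happens to parse as a string, but a value such as `1.10` in the same position would be read as a float and render as `1.1` in the Job image reference. Quote it, `tag: "1.1.6"`, so the value stays a string whatever version is set. The tag is also a mutable reference and `imagePullPolicy` defaults to `IfNotPresent`, so the CRD Jobs run whatever image a node already has cached under that tag; a comment saying so next to `imagePullPolicy` would help anyone mirroring the image.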
--- /dev/null
+apiVersion: v1
+name: istio
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2-0"
+description: Helm chart for all istio components
+keywords:
+ - istio
+ - security
+ - sidecarInjectorWebhook
+ - mixer
+ - pilot
+ - galley
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
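Review bot: `sources` points at `http://github.com/istio/istio`; use `https://github.com/istio/istio` so the link people follow to find the chart's origin does not start with a plaintext request. `version` and `appVersion` are `1.1.0`, while the istio-init values added in this commit default to image tag `1.1.6`. If this chart deploys 1.1.6 images as well, `appVersion` should say so; that cannot be confirmed from this section alone.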
--- /dev/null
+# Istio
+
+[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
+
+## Introduction
+
+This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Chart Details
+
+This chart can install multiple istio components as subcharts:
+- ingressgateway
+- egressgateway
+- sidecarInjectorWebhook
+- galley
+- mixer
+- pilot
+- security(citadel)
+- grafana
+- prometheus
+- servicegraph
+- tracing(jaeger)
+- kiali
+
+To enable or disable each component, change the corresponding `enabled` flag.
+
+## Prerequisites
+
+- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required
+- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required
+- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order.
+- The `istio-init` chart must be run to completion prior to install the `istio` chart.
+
+## Resources Required
+
+The chart deploys pods that consume minimum resources as specified in the resources configuration parameter.
+
+## Installing the Chart
+
+1. If a service account has not already been installed for Tiller, install one:
+ ```
+ $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
+ ```
+
+1. Install Tiller on your cluster with the service account:
+ ```
+ $ helm init --service-account tiller
+ ```
+
+1. Set and create the namespace where Istio was installed:
+ ```
+ $ NAMESPACE=istio-system
+ $ kubectl create ns $NAMESPACE
+ ```
+
+1. If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for `kiali` dashboard:
+ ```
+ $ echo -n 'admin' | base64
+ YWRtaW4=
+ $ echo -n '1f2d1e2e67df' | base64
+ MWYyZDFlMmU2N2Rm
+ $ cat <<EOF | kubectl apply -f -
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: kiali
+ namespace: $NAMESPACE
+ labels:
+ app: kiali
+ type: Opaque
+ data:
+ username: YWRtaW4=
+ passphrase: MWYyZDFlMmU2N2Rm
+ EOF
+ ```
+
+1. If you are using security mode for Grafana, create the secret first as follows:
+
+ - Encode username, you can change the username to the name as you want:
+ ```
+ $ echo -n 'admin' | base64
+ YWRtaW4=
+ ```
+
+ - Encode passphrase, you can change the passphrase to the passphrase as you want:
+ ```
+ $ echo -n '1f2d1e2e67df' | base64
+ MWYyZDFlMmU2N2Rm
+ ```
+
+ - Create secret for Grafana:
+ ```
+ $ cat <<EOF | kubectl apply -f -
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: grafana
+ namespace: $NAMESPACE
+ labels:
+ app: grafana
+ type: Opaque
+ data:
+ username: YWRtaW4=
+ passphrase: MWYyZDFlMmU2N2Rm
+ EOF
+ ```
+
+1. Add `istio.io` chart repository and point to the release:
+ ```
+ $ helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.1.6/charts
+ ```
+
+
+1. To install the chart with the release name `istio` in namespace $NAMESPACE you defined above:
+
+ - With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
+ ```
+ $ helm install istio --name istio --namespace $NAMESPACE
+ ```
+
+ - Without the sidecar injection webhook:
+ ```
+ $ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false
+ ```
+
+## Configuration
+
+The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
+To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
+
+Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
+
+| Parameter | Description | Values | Default |
+| --- | --- | --- | --- |
+| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
+| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
+| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
+| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` |
+| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
+| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
+| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
+| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
+| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
+| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
+| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
+| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
+| `gateways.enabled` | Specifies whether gateway(both Ingres and Egress) should be installed | true/false | `true` |
+| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
+| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
+| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | true/false | `true` |
+| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
+| `security.enabled` | Specifies whether Citadel should be installed | true/false | `true` |
+| `mixer.policy.enabled` | Specifies whether Mixer Policy should be installed | true/false | `true` |
+| `mixer.telemetry.enabled` | Specifies whether Mixer Telemetry should be installed | true/false | `true` |
+| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
+| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
+| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` |
+| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" |
+| `grafana.accessMode` | If `grafana.persist` is true, specifies the [`Access Mode`](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use for the `PersistentVolumeClaim` | RWO/ROX/RWX | `ReadWriteMany` |
+| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
+| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
+| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
+| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio` release but continue to track the release:
+ ```
+ $ helm delete istio
+ ```
+
+To uninstall/delete the `istio` release completely and make its name free for later use:
+ ```
+ $ helm delete istio --purge
+ ```
--- /dev/null
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: certmanager
+version: 1.1.0
+appVersion: 0.6.2
+tillerVersion: ">=2.7.2"
--- /dev/null
+certmanager has been deployed successfully!
+
+More information on the different types of issuers and how to configure them
+can be found in our documentation:
+
+https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
\ No newline at end of file
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "certmanager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "certmanager.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "certmanager.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
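Review bot: The comment above `certmanager.chart` says it creates the chart name and version, but the helper emits only `.Chart.Name`, so the `chart:` label on every resource carries no version. Either correct the comment to `Create the chart name as used by the chart label.` or, if the version is wanted in the label, build it with `printf "%s-%s" .Chart.Name .Chart.Version | trunc 63 | trimSuffix "-"`. The same mismatch between comment and body is in `galley.chart` and `gateway.chart` further down this patch.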
--- /dev/null
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: certmanager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: certmanager
+ template:
+ metadata:
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+ {{- end }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: certmanager
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: certmanager
+ image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ {{- if .Values.extraArgs }}
+{{ toYaml .Values.extraArgs | indent 8 }}
+ {{- end }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+
+ {{- if .Values.podDnsPolicy }}
+ dnsPolicy: {{ .Values.podDnsPolicy }}
+ {{- end }}
+ {{- if .Values.podDnsConfig }}
+ dnsConfig:
+ {{ toYaml .Values.podDnsConfig | indent 8 }}
+ {{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
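Review bot: `{{ toYaml .Values.podDnsConfig | indent 8 }}` under `dnsConfig:` is the only `toYaml` line in this template that does not start at column 0, so its first rendered line gets the template's own leading whitespace on top of the eight spaces from `indent`, while the remaining lines get eight only. With more than one key in `podDnsConfig` that presumably produces mis-nested or invalid YAML; the indentation on this page is flattened, so confirm against the file. Writing it like the other blocks, with `{{ toYaml .Values.podDnsConfig | indent 8 }}` starting at column 0, avoids the problem.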
--- /dev/null
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: {{ .Values.email }}
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: {{ .Values.email }}
+ privateKeySecretRef:
+ name: letsencrypt
+ http01: {}
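Review bot: `email: {{ .Values.email }}` is rendered unquoted in both ClusterIssuers, and the certmanager values file added in this patch declares no `email` key, so with the defaults the field renders empty and parses as null. Quote it, `email: {{ .Values.email | quote }}`, and add a documented `email: ""` default to the values file so the ACME registration address is an explicit setting rather than an undocumented one. ClusterIssuer is presumably cluster-scoped, in which case the `metadata.namespace` lines have no effect and can be dropped; confirm against the CRD.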
--- /dev/null
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: certmanager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ version: {{ .Chart.Version }}
+ {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: certmanager
+ release: {{ .Release.Name }}
+{{- end }}
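Review bot: The inner `{{- if .Values.global.defaultPodDisruptionBudget.enabled }}` around the `podDisruptionBudget.spec` include repeats the condition that already wraps the whole file, so it can never be false at that point. Dropping the inner `if`/`end` pair leaves the rendered output unchanged and makes the template easier to read. The galley and gateways PodDisruptionBudget templates in this patch carry the same duplicate guard, and the gateways one also uses a single-argument `and (ne $key "enabled")` that can be written `ne $key "enabled"`.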
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: certmanager
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["configmaps", "secrets", "events", "services", "pods"]
+ verbs: ["*"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: certmanager
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: certmanager
+subjects:
+ - name: certmanager
+ namespace: {{ .Release.Namespace }}
+ kind: ServiceAccount
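Review bot: The second rule grants `verbs: ["*"]` on `secrets`, `configmaps`, `pods`, `services` and `events` in a ClusterRole, so the certmanager service account can read and rewrite every Secret in every namespace. Replace the wildcard with the verbs the controller actually uses, for example `verbs: ["get", "list", "watch", "create", "update", "delete"]` on `secrets` and read-only verbs on `pods` and `services`; the exact set is not visible in this patch and should be confirmed against cert-manager v0.6.2. If certificates are only ever issued in the release namespace, as the comment in the chart's values file suggests, the `secrets` rule could move to a namespaced Role and RoleBinding instead. The `"*"` verbs on the certmanager.k8s.io and `ingresses` rules deserve the same narrowing.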
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: certmanager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+# Certmanager uses ACME to sign certificates. Since Istio gateways are
+# mounting the TLS secrets the Certificate CRDs must be created in the
+# istio-system namespace. Once the certificate has been created, the
+# gateway must be updated by adding 'secretVolumes'. After the gateway
+# restart, DestinationRules can be created using the ACME-signed certificates.
+enabled: false
+hub: quay.io/jetstack
+tag: v0.6.2
+resources: {}
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
--- /dev/null
+apiVersion: v1
+name: galley
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for galley deployment
+keywords:
+ - istio
+ - galley
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "galley.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "galley.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "galley.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-galley-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["*"]
+- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions","apps"]
+ resources: ["deployments"]
+ resourceNames: ["istio-galley"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["pods", "nodes", "services", "endpoints"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["deployments/finalizers"]
+ resourceNames: ["istio-galley"]
+ verbs: ["update"]
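Review bot: The first rule gives galley `verbs: ["*"]` on every `validatingwebhookconfigurations` object, so its service account can alter or delete admission webhooks that belong to other components, not only the `istio-galley` configuration this chart manages. Restrict the mutating verbs to that one object with `resourceNames`, as the two deployment rules in this file already do, and keep `create` in a separate rule because it cannot be limited by `resourceNames`. Which verbs galley really needs is not visible here, so the lists below should be checked against the binary.

```yaml
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["create", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  resourceNames: ["istio-galley"]
  verbs: ["get", "update", "patch", "delete"]
# … unchanged: read-only rules for the istio.io groups, core resources, ingresses and the istio-galley deployment …
```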
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-galley-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-galley-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-galley-configuration
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: galley
+data:
+ validatingwebhookconfiguration.yaml: |-
+ {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}}
\ No newline at end of file
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-galley
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: galley
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: galley
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-galley-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: galley
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 443
+ - containerPort: {{ .Values.global.monitoringPort }}
+ - containerPort: 9901
+ command:
+ - /usr/local/bin/galley
+ - server
+ - --meshConfigFile=/etc/mesh-config/mesh
+ - --livenessProbeInterval=1s
+ - --livenessProbePath=/healthliveness
+ - --readinessProbePath=/healthready
+ - --readinessProbeInterval=1s
+ - --deployment-namespace={{ .Release.Namespace }}
+{{- if $.Values.global.controlPlaneSecurityEnabled}}
+ - --insecure=false
+{{- else }}
+ - --insecure=true
+{{- end }}
+{{- if not $.Values.global.useMCP }}
+ - --enable-server=false
+{{- end }}
+ - --validation-webhook-config-file
+ - /etc/config/validatingwebhookconfiguration.yaml
+ - --monitoringPort={{ .Values.global.monitoringPort }}
+{{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+ volumeMounts:
+ - name: certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: config
+ mountPath: /etc/config
+ readOnly: true
+ - name: mesh-config
+ mountPath: /etc/mesh-config
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/galley
+ - probe
+ - --probe-path=/healthliveness
+ - --interval=10s
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/galley
+ - probe
+ - --probe-path=/healthready
+ - --interval=10s
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: istio.istio-galley-service-account
+ - name: config
+ configMap:
+ name: istio-galley-configuration
+ - name: mesh-config
+ configMap:
+ name: istio
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
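Review bot: When `global.controlPlaneSecurityEnabled` is false the container is started with `--insecure=true`, and unless `global.useMCP` is false the server stays enabled on containerPort 9901, so the configuration server is presumably reachable by any pod in the cluster without transport authentication. The defaults for both values are outside this section, so the combination should be stated where it is chosen, with a comment above the branch such as `# --insecure=true turns off TLS on the galley server; acceptable only when useMCP is false or the pod network is trusted`. It would also help to say in the chart README that enabling `useMCP` is expected to go together with `controlPlaneSecurityEnabled`.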
--- /dev/null
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-galley
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: galley
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "galley.name" . }}
+ release: {{ .Release.Name }}
+ istio: galley
+{{- end }}
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-galley
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: galley
+spec:
+ ports:
+ - port: 443
+ name: https-validation
+ - port: {{ .Values.global.monitoringPort }}
+ name: http-monitoring
+ - port: 9901
+ name: grpc-mcp
+ selector:
+ istio: galley
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-galley-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+{{ define "validatingwebhookconfiguration.yaml.tpl" }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-galley
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: galley
+webhooks:
+{{- if .Values.global.configValidation }}
+ - name: pilot.validation.istio.io
+ clientConfig:
+ service:
+ name: istio-galley
+ namespace: {{ .Release.Namespace }}
+ path: "/admitpilot"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - config.istio.io
+ apiVersions:
+ - v1alpha2
+ resources:
+ - httpapispecs
+ - httpapispecbindings
+ - quotaspecs
+ - quotaspecbindings
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - rbac.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - authentication.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ failurePolicy: Fail
+ - name: mixer.validation.istio.io
+ clientConfig:
+ service:
+ name: istio-galley
+ namespace: {{ .Release.Namespace }}
+ path: "/admitmixer"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - config.istio.io
+ apiVersions:
+ - v1alpha2
+ resources:
+ - rules
+ - attributemanifests
+ - circonuses
+ - deniers
+ - fluentds
+ - kubernetesenvs
+ - listcheckers
+ - memquotas
+ - noops
+ - opas
+ - prometheuses
+ - rbacs
+ - solarwindses
+ - stackdrivers
+ - cloudwatches
+ - dogstatsds
+ - statsds
+ - stdios
+ - apikeys
+ - authorizations
+ - checknothings
+ # - kuberneteses
+ - listentries
+ - logentries
+ - metrics
+ - quotas
+ - reportnothings
+ - tracespans
+ failurePolicy: Fail
+{{- end }}
+{{- end }}
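Review bot: Both webhooks are registered with `failurePolicy: Fail` and `caBundle: ""`, which is the fail-closed choice but is undocumented: until something fills in the CA bundle, or whenever the single galley replica (`replicaCount: 1` in the values file) is unavailable, every CREATE and UPDATE of the listed Istio resources will be rejected by the API server. Add a comment next to `caBundle` saying who populates it, e.g. `# left empty on purpose; presumably patched by galley at runtime from its mounted certs - confirm`, and one next to `failurePolicy` naming the availability trade-off. The commented-out `# - kuberneteses` entry also needs a short reason or should be removed.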
--- /dev/null
+#
+# galley configuration
+#
+enabled: true
+replicaCount: 1
+image: galley
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
--- /dev/null
+apiVersion: v1
+name: gateways
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+ - istio
+ - ingressgateway
+ - egressgateway
+ - gateways
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "gatewaynodeaffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewayNodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewayNodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "gatewayNodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .root.Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val }}
+ {{- end }}
+{{- end }}
+
+{{- define "gatewayNodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .root.Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if .podAntiAffinityTermLabelSelector }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
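Review bot: The selector values are emitted unquoted, `- {{ $val }}` in `gatewayNodeAffinityRequiredDuringScheduling` and `- {{ $v }}` in both anti-affinity helpers, so a label value such as `true`, `on` or `1` is re-parsed by YAML as a boolean or number and the manifest is rejected because `values` entries must be strings. Quote them where they are written: `- {{ $val | quote }}` and `- {{ $v | quote }}`; `{{ $item.key }}` and `{{ $item.topologyKey }}` benefit from the same treatment. `split "," $item.values` also keeps any space that follows a comma, so `- {{ $v | trim | quote }}` is the safer form once the value is quoted.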
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gateway.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gateway.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $key }}
+ namespace: {{ $spec.namespace | default $.Release.Namespace }}
+ labels:
+ app: {{ $spec.labels.istio }}
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+spec:
+ maxReplicas: {{ $spec.autoscaleMax }}
+ minReplicas: {{ $spec.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: {{ $key }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
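Review bot: `{{ $spec.cpu.targetAverageUtilization }}` is dereferenced without `$spec.cpu` being part of the guard on the third line, so a gateway that enables autoscaling but sets no `cpu` block fails the whole render with a nil-pointer error instead of being skipped. Add it to the condition: `{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax $spec.cpu }}`. Note also that `scaleTargetRef.apiVersion` is `apps/v1beta1` while the gateways Deployment in this patch is created as `extensions/v1beta1`; using one API group for both would be clearer.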
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ $key }}-{{ $.Release.Namespace }}
+ labels:
+ app: {{ $spec.labels.istio }}
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+rules:
+- apiGroups: ["networking.istio.io"]
+ resources: ["virtualservices", "destinationrules", "gateways"]
+ verbs: ["get", "watch", "list", "update"]
+---
+{{- end }}
+{{- end }}
+{{- end }}
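Review bot: Every enabled gateway gets a ClusterRole with `update` on `virtualservices`, `destinationrules` and `gateways` in all namespaces, which means a compromised edge proxy could rewrite mesh routing cluster-wide. Nothing in the gateways Deployment in this patch shows the proxy writing these resources, so unless a writer exists elsewhere the rule should be read-only: `verbs: ["get", "watch", "list"]`. If `update` is required, a comment naming the component that needs it would help the next reviewer.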
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $key }}-{{ $.Release.Namespace }}
+ labels:
+ app: {{ $spec.labels.istio }}
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $key }}-{{ $.Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $key }}-service-account
+ namespace: {{ $.Release.Namespace }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
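Review bot: The subject's `namespace: {{ $.Release.Namespace }}` ignores the per-gateway override that the Deployment and HorizontalPodAutoscaler in this patch honour with `{{ $spec.namespace | default $.Release.Namespace }}`. If the gateway ServiceAccount template (not visible in this part of the patch) follows the override as well, a gateway deployed to another namespace is bound to a service account that does not exist there and runs without these permissions. Use the same expression here: `namespace: {{ $spec.namespace | default $.Release.Namespace }}`.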
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ $key }}
+ namespace: {{ $spec.namespace | default $.Release.Namespace }}
+ labels:
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+spec:
+{{- if not $spec.autoscaleEnabled }}
+{{- if $spec.replicaCount }}
+ replicas: {{ $spec.replicaCount }}
+{{- else }}
+ replicas: 1
+{{- end }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+{{- if $spec.podAnnotations }}
+{{ toYaml $spec.podAnnotations | indent 8 }}
+{{ end }}
+ spec:
+ serviceAccountName: {{ $key }}-service-account
+{{- if $.Values.global.priorityClassName }}
+ priorityClassName: "{{ $.Values.global.priorityClassName }}"
+{{- end }}
+{{- if $.Values.global.proxy.enableCoreDump }}
+ initContainers:
+ - name: enable-core-dump
+{{- if contains "/" $.Values.global.proxy_init.image }}
+ image: "{{ $.Values.global.proxy_init.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
+ securityContext:
+ privileged: true
+{{- end }}
+ containers:
+{{- if $spec.sds }}
+{{- if $spec.sds.enabled }}
+ - name: ingress-sds
+{{- if contains "/" $spec.sds.image }}
+ image: "{{ $spec.sds.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $spec.sds.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ env:
+ - name: "ENABLE_WORKLOAD_SDS"
+ value: "false"
+ - name: "ENABLE_INGRESS_GATEWAY_SDS"
+ value: "true"
+ - name: "INGRESS_GATEWAY_NAMESPACE"
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: ingressgatewaysdsudspath
+ mountPath: /var/run/ingress_gateway
+{{- end }}
+{{- end }}
+ - name: istio-proxy
+{{- if contains "/" $.Values.global.proxy.image }}
+ image: "{{ $.Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ {{- range $key, $val := $spec.ports }}
+ - containerPort: {{ $val.port }}
+ {{- end }}
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }}
+ {{- if $.Values.global.proxy.logLevel }}
+ - --proxyLogLevel={{ $.Values.global.proxy.logLevel }}
+ {{- end}}
+ {{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+ {{- end}}
+ - --drainDuration
+ - '45s' #drainDuration
+ - --parentShutdownDuration
+ - '1m0s' #parentShutdownDuration
+ - --connectTimeout
+ - '10s' #connectTimeout
+ - --serviceCluster
+ - {{ $key }}
+ - --zipkinAddress
+ {{- if $.Values.global.tracer.zipkin.address }}
+ - {{ $.Values.global.tracer.zipkin.address }}
+ {{- else if $.Values.global.istioNamespace }}
+ - zipkin.{{ $.Values.global.istioNamespace }}:9411
+ {{- else }}
+ - zipkin:9411
+ {{- end }}
+ {{- if $.Values.global.proxy.envoyStatsd.enabled }}
+ - --statsdUdpAddress
+ - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }}
+ {{- end }}
+ {{- if $.Values.global.proxy.envoyMetricsService.enabled }}
+ - --envoyMetricsServiceAddress
+ - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }}
+ {{- end }}
+ - --proxyAdminPort
+ - "15000"
+ - --statusPort
+ - "15020"
+ {{- if $.Values.global.controlPlaneSecurityEnabled }}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ - --discoveryAddress
+ {{- if $.Values.global.istioNamespace }}
+ - istio-pilot.{{ $.Values.global.istioNamespace }}:15011
+ {{- else }}
+ - istio-pilot:15011
+ {{- end }}
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ - --discoveryAddress
+ {{- if $.Values.global.istioNamespace }}
+ - istio-pilot.{{ $.Values.global.istioNamespace }}:15010
+ {{- else }}
+ - istio-pilot:15010
+ {{- end }}
+ {{- end }}
+ {{- if $.Values.global.trustDomain }}
+ - --trust-domain={{ $.Values.global.trustDomain }}
+ {{- end }}
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15020
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+{{- if $spec.resources }}
+{{ toYaml $spec.resources | indent 12 }}
+{{- else }}
+{{ toYaml $.Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: ISTIO_META_CONFIG_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if $spec.sds }}
+ {{- if $spec.sds.enabled }}
+ - name: ISTIO_META_USER_SDS
+ value: "true"
+ {{- end }}
+ {{- end }}
+ {{- if $spec.env }}
+ {{- range $key, $val := $spec.env }}
+ - name: {{ $key }}
+ value: {{ $val }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if $.Values.global.sds.enabled }}
+ - name: sdsudspath
+ mountPath: /var/run/sds/uds_path
+ readOnly: true
+ {{- if $.Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ {{- end }}
+ {{- end }}
+ {{- if $spec.sds }}
+ {{- if $spec.sds.enabled }}
+ - name: ingressgatewaysdsudspath
+ mountPath: /var/run/ingress_gateway
+ {{- end }}
+ {{- end }}
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ {{- range $spec.secretVolumes }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+{{- if $spec.additionalContainers }}
+{{ toYaml $spec.additionalContainers | indent 8 }}
+{{- end }}
+ volumes:
+ {{- if $spec.sds }}
+ {{- if $spec.sds.enabled }}
+ - name: ingressgatewaysdsudspath
+ emptyDir: {}
+ {{- end }}
+ {{- end }}
+ {{- if $.Values.global.sds.enabled }}
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds/uds_path
+ type: Socket
+ {{- if $.Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ $.Values.global.trustDomain }}
+ {{- end }}
+ {{- end }}
+ - name: istio-certs
+ secret:
+ secretName: istio.{{ $key }}-service-account
+ optional: true
+ {{- range $spec.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $spec.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+ {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }}
+ {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if and (ne $key "enabled") }}
+{{- if $spec.enabled }}
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $key }}
+ namespace: {{ $spec.namespace | default $.Release.Namespace }}
+ labels:
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+spec:
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
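Review bot: The `spec:` block tests `$.Values.global.defaultPodDisruptionBudget.enabled` a second time although the whole document is already inside an `if` on the same value, and the outer guard is written `and (ne $key "enabled")` with a single operand. Both appear harmless at render time, but they make the guard harder to compare with the other gateway templates in this diff, which use `{{- if ne $key "enabled" }}`. I'd drop the inner `if`/`end` pair around the `include "podDisruptionBudget.spec"` line and write the outer test as `{{- if ne $key "enabled" }}`.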
--- /dev/null
+{{- if .Values.global.k8sIngress.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: istio-autogenerated-k8s-ingress
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ istio: {{ .Values.global.k8sIngress.gatewayName }}
+ servers:
+ - port:
+ number: 80
+ protocol: HTTP2
+ name: http
+ hosts:
+ - "*"
+{{ if .Values.global.k8sIngress.enableHttps }}
+ - port:
+ number: 443
+ protocol: HTTPS
+ name: https-default
+ tls:
+ mode: SIMPLE
+ serverCertificate: /etc/istio/ingress-certs/tls.crt
+ privateKey: /etc/istio/ingress-certs/tls.key
+ hosts:
+ - "*"
+{{ end }}
+---
+{{ end }}
+
+{{- if .Values.global.meshExpansion.enabled }}
+{{- if .Values.global.meshExpansion.useILB }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: meshexpansion-ilb-gateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ istio: ilbgateway
+ servers:
+ - port:
+ number: 15011
+ protocol: TCP
+ name: tcp-pilot
+ hosts:
+ - "*"
+ - port:
+ number: 8060
+ protocol: TCP
+ name: tcp-citadel
+ hosts:
+ - "*"
+ - port:
+ number: 15004
+ name: tls-mixer
+ protocol: TLS
+ tls:
+ mode: AUTO_PASSTHROUGH
+ hosts:
+ - "*"
+---
+{{- else }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: meshexpansion-gateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 15011
+ protocol: TCP
+ name: tcp-pilot
+ hosts:
+ - "*"
+ - port:
+ number: 8060
+ protocol: TCP
+ name: tcp-citadel
+ hosts:
+ - "*"
+ - port:
+ number: 15004
+ name: tls-mixer
+ protocol: TLS
+ tls:
+ mode: AUTO_PASSTHROUGH
+ hosts:
+ - "*"
+---
+{{- end }}
+{{- end }}
+
+{{- if .Values.global.multiCluster.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: istio-multicluster-egressgateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ istio: egressgateway
+ servers:
+ - hosts:
+ - "*.global"
+ port:
+ name: tls
+ number: 15443
+ protocol: TLS
+ tls:
+ mode: AUTO_PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: istio-multicluster-ingressgateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - "*.global"
+ port:
+ name: tls
+ number: 15443
+ protocol: TLS
+ tls:
+ mode: AUTO_PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: istio-multicluster-ingressgateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ workloadLabels:
+ istio: ingressgateway
+ filters:
+ - listenerMatch:
+ portNumber: 15443
+ listenerType: GATEWAY
+ insertPosition:
+ index: AFTER
+ relativeTo: envoy.filters.network.sni_cluster
+ filterName: envoy.filters.network.tcp_cluster_rewrite
+ filterType: NETWORK
+ filterConfig:
+ cluster_pattern: "\\.global$"
+ cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
+---
+## To ensure all traffic to *.global is using mTLS
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-multicluster-destinationrule
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ host: "*.global"
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+{{- end }}
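Review bot: The HTTPS server of `istio-autogenerated-k8s-ingress` reads its certificate from `/etc/istio/ingress-certs/tls.crt` and `tls.key`, but the `secretVolumes` defaults in this chart's values file mount the gateway secrets at `/etc/istio/ingressgateway-certs` and `/etc/istio/ingressgateway-ca-certs`. If `global.k8sIngress.gatewayName` selects the default ingress gateway (its value is not visible here), turning on `enableHttps` would point the listener at a path that no volume provides. I'd align the two, e.g. `serverCertificate: /etc/istio/ingressgateway-certs/tls.crt` and `privateKey: /etc/istio/ingressgateway-certs/tls.key`, or add a comment naming the secret volume that has to be mounted at `/etc/istio/ingress-certs`. A comment on the port 80 server saying that it stays plaintext for `hosts: "*"` even when HTTPS is enabled would also help operators.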
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $key }}-sds
+ namespace: {{ $.Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
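Review bot: The guard `{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}` uses `and` infix, whereas Go templates take it in prefix form (`and a b`); depending on the template engine version this may fail to render or may test only `$spec.sds`, which is a non-empty map in the default values even with `sds.enabled: false`. That matters here because the Role grants `get`, `watch` and `list` on every Secret in the release namespace, so it should exist only when SDS is really switched on. I'd use the nested form the deployment template in this same diff uses, `{{- if $spec.sds }}` followed by `{{- if $spec.sds.enabled }}`, with one more `{{- end }}`. The RoleBinding template in the next hunk carries the same guard. A comment above `rules:` stating that the grant covers all Secrets in the namespace, not only gateway credentials, would be worth adding.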
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $key }}-sds
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $key }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $key }}-service-account
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
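Review bot: The binding is pinned to `$.Release.Namespace` and its subject has no `namespace` field, while the ServiceAccount and Service templates in this diff place the gateway in `$spec.namespace | default $.Release.Namespace`. When a gateway sets `namespace`, the subject presumably resolves to the binding's own namespace and so no longer names the gateway's service account; any account called `<key>-service-account` in the release namespace would receive the Secrets grant instead. I'd add `namespace: {{ $spec.namespace | default $.Release.Namespace }}` under the subject, and state in a comment which namespace's Secrets the gateway is meant to read.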
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $key }}
+ namespace: {{ $spec.namespace | default $.Release.Namespace }}
+ annotations:
+ {{- range $key, $val := $spec.serviceAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+spec:
+{{- if $spec.loadBalancerIP }}
+ loadBalancerIP: "{{ $spec.loadBalancerIP }}"
+{{- end }}
+{{- if $spec.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml $spec.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $spec.externalTrafficPolicy }}
+ externalTrafficPolicy: {{$spec.externalTrafficPolicy }}
+{{- end }}
+{{- if $spec.externalIPs }}
+ externalIPs:
+{{ toYaml $spec.externalIPs | indent 4 }}
+{{- end }}
+ type: {{ .type }}
+ selector:
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ ports:
+ {{- range $key, $val := $spec.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+ {{- if $.Values.global.meshExpansion.enabled }}
+ {{- range $key, $val := $spec.meshExpansionPorts }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
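Review bot: `type: {{ .type }}` is the only field in this template read through the implicit dot; it works because `range` rebinds `.` to the current gateway, but every neighbouring line uses `$spec`, and the dot would change meaning if the line were ever moved inside one of the inner `range` blocks. I'd write `type: {{ $spec.type }}`. The label and selector values are also emitted unquoted (`{{ $key }}: {{ $val }}`), unlike the annotations above them, which use `| quote`; quoting the label values would keep a value such as `true` or `1` a string.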
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if $.Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range $.Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $key }}-service-account
+ namespace: {{ $spec.namespace | default $.Release.Namespace }}
+ labels:
+ app: {{ $spec.labels.app }}
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+
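Review bot: `app: {{ $spec.labels.app }}` assumes every enabled gateway defines `labels.app`, while the values file invites users to add gateways of their own. A gateway declared without `labels` would presumably fail to render here, and one without `app` would emit an empty label value. I'd range over `$spec.labels` the way the Service template does, or wrap the line in `{{- if $spec.labels }}`.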
--- /dev/null
+#
+# Gateways Configuration
+# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
+# You can add more gateways in addition to the defaults but make sure those are uniquely named
+# and that NodePorts are not conflicting.
+# Disable specifc gateway by setting the `enabled` to false.
+#
+enabled: true
+
+istio-ingressgateway:
+ enabled: true
+ #
+ # Secret Discovery Service (SDS) configuration for ingress gateway.
+ #
+ sds:
+ # If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
+ enabled: false
+ # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
+ # This server runs in the same pod as ingress gateway.
+ image: node-agent-k8s
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ # specify replicaCount when autoscaleEnabled: false
+ # replicaCount: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 256Mi
+ cpu:
+ targetAverageUtilization: 80
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ externalIPs: []
+ serviceAnnotations: {}
+ podAnnotations: {}
+ type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+ #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
+ ports:
+ ## You can add custom gateway ports
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15020
+ targetPort: 15020
+ name: status-port
+ - port: 80
+ targetPort: 80
+ name: http2
+ nodePort: 31380
+ - port: 443
+ name: https
+ nodePort: 31390
+ # Example of a port to add. Remove if not needed
+ - port: 31400
+ name: tcp
+ nodePort: 31400
+ ### PORTS FOR UI/metrics #####
+ ## Disable if not needed
+ - port: 15029
+ targetPort: 15029
+ name: https-kiali
+ - port: 15030
+ targetPort: 15030
+ name: https-prometheus
+ - port: 15031
+ targetPort: 15031
+ name: https-grafana
+ - port: 15032
+ targetPort: 15032
+ name: https-tracing
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ #### MESH EXPANSION PORTS ########
+ # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
+ # to pilot/citadel if global.meshExpansion settings are enabled.
+ # Delete these ports if mesh expansion is not enabled, to avoid
+ # exposing unnecessary ports on the web.
+ # You can remove these ports if you are not using mesh expansion
+ meshExpansionPorts:
+ - port: 15011
+ targetPort: 15011
+ name: tcp-pilot-grpc-tls
+ - port: 15004
+ targetPort: 15004
+ name: tcp-mixer-grpc-tls
+ - port: 8060
+ targetPort: 8060
+ name: tcp-citadel-grpc-tls
+ - port: 853
+ targetPort: 853
+ name: tcp-dns-tls
+ ####### end MESH EXPANSION PORTS ######
+ ##############
+ secretVolumes:
+ - name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ mountPath: /etc/istio/ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ mountPath: /etc/istio/ingressgateway-ca-certs
+ ### Advanced options ############
+ env:
+ # A gateway with this mode ensures that pilot generates an additional
+ # set of clusters for internal services but without Istio mTLS, to
+ # enable cross cluster routing.
+ ISTIO_META_ROUTER_MODE: "sni-dnat"
+ nodeSelector: {}
+
+ # Specify the pod anti-affinity that allows you to constrain which nodes
+ # your pod is eligible to be scheduled based on labels on pods that are
+ # already running on the node rather than based on labels on nodes.
+ # There are currently two types of anti-affinity:
+ # "requiredDuringSchedulingIgnoredDuringExecution"
+ # "preferredDuringSchedulingIgnoredDuringExecution"
+ # which denote “hard” vs. “soft” requirements, you can define your values
+ # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+ # correspondingly.
+ # For example:
+ # podAntiAffinityLabelSelector:
+ # - key: security
+ # operator: In
+ # values: S1,S2
+ # topologyKey: "kubernetes.io/hostname"
+ # This pod anti-affinity rule says that the pod requires not to be scheduled
+ # onto a node if that node is already running a pod with label having key
+ # “security” and value “S1”.
+ podAntiAffinityLabelSelector: []
+ podAntiAffinityTermLabelSelector: []
+
+istio-egressgateway:
+ enabled: false
+ labels:
+ app: istio-egressgateway
+ istio: egressgateway
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ # specify replicaCount when autoscaleEnabled: false
+ # replicaCount: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 256Mi
+ cpu:
+ targetAverageUtilization: 80
+ serviceAnnotations: {}
+ podAnnotations: {}
+ type: ClusterIP #change to NodePort or LoadBalancer if need be
+ ports:
+ - port: 80
+ name: http2
+ - port: 443
+ name: https
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ secretVolumes:
+ - name: egressgateway-certs
+ secretName: istio-egressgateway-certs
+ mountPath: /etc/istio/egressgateway-certs
+ - name: egressgateway-ca-certs
+ secretName: istio-egressgateway-ca-certs
+ mountPath: /etc/istio/egressgateway-ca-certs
+ #### Advanced options ########
+ env:
+ # Set this to "external" if and only if you want the egress gateway to
+ # act as a transparent SNI gateway that routes mTLS/TLS traffic to
+ # external services defined using service entries, where the service
+ # entry has resolution set to DNS, has one or more endpoints with
+ # network field set to "external". By default its set to "" so that
+ # the egress gateway sees the same set of endpoints as the sidecars
+ # preserving backward compatibility
+ # ISTIO_META_REQUESTED_NETWORK_VIEW: ""
+ # A gateway with this mode ensures that pilot generates an additional
+ # set of clusters for internal services but without Istio mTLS, to
+ # enable cross cluster routing.
+ ISTIO_META_ROUTER_MODE: "sni-dnat"
+ nodeSelector: {}
+
+ # Specify the pod anti-affinity that allows you to constrain which nodes
+ # your pod is eligible to be scheduled based on labels on pods that are
+ # already running on the node rather than based on labels on nodes.
+ # There are currently two types of anti-affinity:
+ # "requiredDuringSchedulingIgnoredDuringExecution"
+ # "preferredDuringSchedulingIgnoredDuringExecution"
+ # which denote “hard” vs. “soft” requirements, you can define your values
+ # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+ # correspondingly.
+ # For example:
+ # podAntiAffinityLabelSelector:
+ # - key: security
+ # operator: In
+ # values: S1,S2
+ # topologyKey: "kubernetes.io/hostname"
+ # This pod anti-affinity rule says that the pod requires not to be scheduled
+ # onto a node if that node is already running a pod with label having key
+ # “security” and value “S1”.
+ podAntiAffinityLabelSelector: []
+ podAntiAffinityTermLabelSelector: []
+
+# Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
+# for mesh expansion. It exposes the mtls ports for Pilot,CA as well
+# as non-mtls ports to support upgrades and gradual transition.
+istio-ilbgateway:
+ enabled: false
+ labels:
+ app: istio-ilbgateway
+ istio: ilbgateway
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ # specify replicaCount when autoscaleEnabled: false
+ # replicaCount: 1
+ cpu:
+ targetAverageUtilization: 80
+ resources:
+ requests:
+ cpu: 800m
+ memory: 512Mi
+ #limits:
+ # cpu: 1800m
+ # memory: 256Mi
+ loadBalancerIP: ""
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: "internal"
+ podAnnotations: {}
+ type: LoadBalancer
+ ports:
+ ## You can add custom gateway ports - google ILB default quota is 5 ports,
+ - port: 15011
+ name: grpc-pilot-mtls
+ # Insecure port - only for migration from 0.8. Will be removed in 1.1
+ - port: 15010
+ name: grpc-pilot
+ - port: 8060
+ targetPort: 8060
+ name: tcp-citadel-grpc-tls
+ # Port 5353 is forwarded to kube-dns
+ - port: 5353
+ name: tcp-dns
+ secretVolumes:
+ - name: ilbgateway-certs
+ secretName: istio-ilbgateway-certs
+ mountPath: /etc/istio/ilbgateway-certs
+ - name: ilbgateway-ca-certs
+ secretName: istio-ilbgateway-ca-certs
+ mountPath: /etc/istio/ilbgateway-ca-certs
+ nodeSelector: {}
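Review bot: The default `istio-ingressgateway` is `type: LoadBalancer` with `loadBalancerSourceRanges: []` and ships ports 15029–15032 (kiali, prometheus, grafana, tracing) enabled, so the telemetry UI ports are opened on the external load balancer unless the operator removes them. Whether anything answers on them depends on Gateway resources that are not in this file, but the safer default is to ship these entries commented out, as `externalTrafficPolicy` already is. If they stay, I'd replace `## Disable if not needed` with `## Opened on the external load balancer; remove unless these UIs are published through the gateway with authentication`. The same applies to port 15010 on `istio-ilbgateway`, which its own comment describes as insecure and migration-only.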
--- /dev/null
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: grafana
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
--- /dev/null
+{
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "links": [],
+ "panels": [
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 5,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 46,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(istio_build{component=\"galley\"}) by (tag)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ tag }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Galley Versions",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 5
+ },
+ "id": 40,
+ "panels": [],
+ "title": "Resource Usage",
+ "type": "row"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 6,
+ "x": 0,
+ "y": 6
+ },
+ "id": 36,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "process_virtual_memory_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Virtual Memory",
+ "refId": "A"
+ },
+ {
+ "expr": "process_resident_memory_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Resident Memory",
+ "refId": "B"
+ },
+ {
+ "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "heap sys",
+ "refId": "C"
+ },
+ {
+ "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "heap alloc",
+ "refId": "D"
+ },
+ {
+ "expr": "go_memstats_alloc_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Alloc",
+ "refId": "F"
+ },
+ {
+ "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Heap in-use",
+ "refId": "G"
+ },
+ {
+ "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Stack in-use",
+ "refId": "H"
+ },
+ {
+ "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Total (kis)",
+ "refId": "E"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Memory",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 6,
+ "x": 6,
+ "y": 6
+ },
+ "id": 38,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Total (k8s)",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ container_name }} (k8s)",
+ "refId": "B"
+ },
+ {
+ "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "galley (self-reported)",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "CPU",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 6,
+ "x": 12,
+ "y": 6
+ },
+ "id": 42,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "process_open_fds{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Open FDs (galley)",
+ "refId": "A"
+ },
+ {
+ "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ container_name }} ",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Disk",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 6,
+ "x": 18,
+ "y": 6
+ },
+ "id": 44,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "go_goroutines{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "goroutines_total",
+ "refId": "A"
+ },
+ {
+ "expr": "galley_mcp_source_clients_total",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "clients_total",
+ "refId": "B"
+ },
+ {
+ "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "avg_goroutines_per_client",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Goroutines",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 14
+ },
+ "id": 10,
+ "panels": [],
+ "title": "Runtime",
+ "type": "row"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 15
+ },
+ "id": 2,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Strategy Change Events",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Processed Events",
+ "refId": "B"
+ },
+ {
+ "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Snapshot Published",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Event Rates",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "Events/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": "",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 15
+ },
+ "id": 4,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Max Time Reached",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Quiesce Reached",
+ "refId": "B"
+ },
+ {
+ "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Timer Resets",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Timer Rates",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "Events/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 15
+ },
+ "id": 8,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 3,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": true,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "P50",
+ "refId": "A"
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "P90",
+ "refId": "B"
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "P95",
+ "refId": "C"
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "P99",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Events Per Snapshot",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 21
+ },
+ "id": 6,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ typeURL }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "State Type Instances",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "Count",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 27
+ },
+ "id": 34,
+ "panels": [],
+ "title": "Validation",
+ "type": "row"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 28
+ },
+ "id": 28,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "galley_validation_cert_key_updates{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Key Updates",
+ "refId": "A"
+ },
+ {
+ "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Key Update Errors: {{ error }}",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Validation Webhook Certificate",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 28
+ },
+ "id": 30,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Resource Validation",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 28
+ },
+ "id": 32,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ status }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Validation HTTP Errors",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 34
+ },
+ "id": 12,
+ "panels": [],
+ "title": "Kubernetes Source",
+ "type": "row"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 35
+ },
+ "id": 14,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "rate(galley_source_kube_event_success_total[1m]) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Success",
+ "refId": "A"
+ },
+ {
+ "expr": "rate(galley_source_kube_event_error_total[1m]) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Error",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Source Event Rate",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "Events/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 35
+ },
+ "id": 16,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Kubernetes Object Conversion Successes",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "Conversions/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 35
+ },
+ "id": 24,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Error",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Kubernetes Object Conversion Failures",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "Failures/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 41
+ },
+ "id": 18,
+ "panels": [],
+ "title": "Mesh Configuration Protocol",
+ "type": "row"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 42
+ },
+ "id": 20,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(galley_mcp_source_clients_total)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Clients",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Connected Clients",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 42
+ },
+ "id": 22,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Request ACKs",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "ACKs/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 42
+ },
+ "id": 26,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeRegions": [],
+ "timeShift": null,
+ "title": "Request NACKs",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "NACKs/min",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ }
+ ],
+ "refresh": "5s",
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": []
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "",
+ "title": "Istio Galley Dashboard",
+ "uid": "TSEY6jLmk",
+ "version": 1
+}
--- /dev/null
+{
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "5.2.3"
+ },
+ {
+ "type": "panel",
+ "id": "graph",
+ "name": "Graph",
+ "version": "5.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "singlestat",
+ "name": "Singlestat",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "table",
+ "name": "Table",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "text",
+ "name": "Text",
+ "version": "5.0.0"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [],
+ "panels": [
+ {
+ "content": "<div>\n <div style=\"position: absolute; bottom: 0\">\n <a href=\"https://istio.io\" target=\"_blank\" style=\"font-size: 30px; text-decoration: none; color: inherit\"><img src=\"https://istio.io/img/istio-logo.svg\" style=\"height: 50px\"> Istio</a>\n </div>\n <div style=\"position: absolute; bottom: 0; right: 0; font-size: 15px\">\n Istio is an <a href=\"https://github.com/istio/istio\" target=\"_blank\">open platform</a> that provides a uniform way to connect,\n <a href=\"https://istio.io/docs/concepts/traffic-management/overview.html\" target=\"_blank\">manage</a>, and \n <a href=\"https://istio.io/docs/concepts/network-and-auth/auth.html\" target=\"_blank\">secure</a> microservices.\n <br>\n Need help? Join the <a href=\"https://istio.io/community/\" target=\"_blank\">Istio community</a>.\n </div>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "height": "50px",
+ "id": 13,
+ "links": [],
+ "mode": "html",
+ "style": {
+ "font-size": "18pt"
+ },
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "ops",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 3,
+ "w": 6,
+ "x": 0,
+ "y": 3
+ },
+ "id": 20,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "",
+ "title": "Global Request Volume",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "percentunit",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 80,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": false
+ },
+ "gridPos": {
+ "h": 3,
+ "w": 6,
+ "x": 6,
+ "y": 3
+ },
+ "id": 21,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "95, 99, 99.5",
+ "title": "Global Success Rate (non-5xx responses)",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "ops",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 3,
+ "w": 6,
+ "x": 12,
+ "y": 3
+ },
+ "id": 22,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "",
+ "title": "4xxs",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "ops",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 3,
+ "w": 6,
+ "x": 18,
+ "y": 3
+ },
+ "id": 23,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "",
+ "title": "5xxs",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "columns": [],
+ "datasource": "Prometheus",
+ "fontSize": "100%",
+ "gridPos": {
+ "h": 21,
+ "w": 24,
+ "x": 0,
+ "y": 6
+ },
+ "hideTimeOverride": false,
+ "id": 73,
+ "links": [],
+ "pageSize": null,
+ "repeat": null,
+ "repeatDirection": "v",
+ "scroll": true,
+ "showHeader": true,
+ "sort": {
+ "col": 4,
+ "desc": true
+ },
+ "styles": [
+ {
+ "alias": "Workload",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "link": false,
+ "linkTargetBlank": false,
+ "linkTooltip": "Workload dashboard",
+ "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_",
+ "pattern": "destination_workload",
+ "preserveFormat": false,
+ "sanitize": false,
+ "thresholds": [],
+ "type": "hidden",
+ "unit": "short"
+ },
+ {
+ "alias": "",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Time",
+ "thresholds": [],
+ "type": "hidden",
+ "unit": "short"
+ },
+ {
+ "alias": "Requests",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #A",
+ "thresholds": [],
+ "type": "number",
+ "unit": "ops"
+ },
+ {
+ "alias": "P50 Latency",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #B",
+ "thresholds": [],
+ "type": "number",
+ "unit": "s"
+ },
+ {
+ "alias": "P90 Latency",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #D",
+ "thresholds": [],
+ "type": "number",
+ "unit": "s"
+ },
+ {
+ "alias": "P99 Latency",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #E",
+ "thresholds": [],
+ "type": "number",
+ "unit": "s"
+ },
+ {
+ "alias": "Success Rate",
+ "colorMode": "cell",
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #F",
+ "thresholds": [
+ ".95",
+ " 1.00"
+ ],
+ "type": "number",
+ "unit": "percentunit"
+ },
+ {
+ "alias": "Workload",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "link": true,
+ "linkTooltip": "$__cell dashboard",
+ "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3",
+ "pattern": "destination_workload_var",
+ "thresholds": [],
+ "type": "number",
+ "unit": "short"
+ },
+ {
+ "alias": "Service",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "link": true,
+ "linkTooltip": "$__cell dashboard",
+ "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell",
+ "pattern": "destination_service",
+ "thresholds": [],
+ "type": "string",
+ "unit": "short"
+ },
+ {
+ "alias": "",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "destination_workload_namespace",
+ "thresholds": [],
+ "type": "hidden",
+ "unit": "short"
+ }
+ ],
+ "targets": [
+ {
+ "expr": "label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}",
+ "refId": "A"
+ },
+ {
+ "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}",
+ "refId": "B"
+ },
+ {
+ "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}",
+ "refId": "D"
+ },
+ {
+ "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}",
+ "refId": "E"
+ },
+ {
+ "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "interval": "",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}",
+ "refId": "F"
+ }
+ ],
+ "timeFrom": null,
+ "title": "HTTP/GRPC Workloads",
+ "transform": "table",
+ "transparent": false,
+ "type": "table"
+ },
+ {
+ "columns": [],
+ "datasource": "Prometheus",
+ "fontSize": "100%",
+ "gridPos": {
+ "h": 18,
+ "w": 24,
+ "x": 0,
+ "y": 27
+ },
+ "hideTimeOverride": false,
+ "id": 109,
+ "links": [],
+ "pageSize": null,
+ "repeatDirection": "v",
+ "scroll": true,
+ "showHeader": true,
+ "sort": {
+ "col": 2,
+ "desc": true
+ },
+ "styles": [
+ {
+ "alias": "Workload",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "link": false,
+ "linkTargetBlank": false,
+ "linkTooltip": "$__cell dashboard",
+ "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell",
+ "pattern": "destination_workload",
+ "preserveFormat": false,
+ "sanitize": false,
+ "thresholds": [],
+ "type": "hidden",
+ "unit": "short"
+ },
+ {
+ "alias": "Bytes Sent",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #A",
+ "thresholds": [
+ ""
+ ],
+ "type": "number",
+ "unit": "Bps"
+ },
+ {
+ "alias": "Bytes Received",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Value #C",
+ "thresholds": [],
+ "type": "number",
+ "unit": "Bps"
+ },
+ {
+ "alias": "",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "Time",
+ "thresholds": [],
+ "type": "hidden",
+ "unit": "short"
+ },
+ {
+ "alias": "Workload",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "link": true,
+ "linkTooltip": "$__cell dashboard",
+ "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2",
+ "pattern": "destination_workload_var",
+ "thresholds": [],
+ "type": "string",
+ "unit": "short"
+ },
+ {
+ "alias": "",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "pattern": "destination_workload_namespace",
+ "thresholds": [],
+ "type": "hidden",
+ "unit": "short"
+ },
+ {
+ "alias": "Service",
+ "colorMode": null,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "dateFormat": "YYYY-MM-DD HH:mm:ss",
+ "decimals": 2,
+ "link": true,
+ "linkTooltip": "$__cell dashboard",
+ "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell",
+ "pattern": "destination_service",
+ "thresholds": [],
+ "type": "number",
+ "unit": "short"
+ }
+ ],
+ "targets": [
+ {
+ "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}",
+ "refId": "C"
+ },
+ {
+ "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")",
+ "format": "table",
+ "hide": false,
+ "instant": true,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}",
+ "refId": "A"
+ }
+ ],
+ "timeFrom": null,
+ "title": "TCP Workloads",
+ "transform": "table",
+ "transparent": false,
+ "type": "table"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 9,
+ "w": 24,
+ "x": 0,
+ "y": 45
+ },
+ "id": 111,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(istio_build) by (component, tag)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ component }}: {{ tag }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Istio Components by Version",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "transparent": false,
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ }
+ ],
+ "refresh": "5s",
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": []
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "browser",
+ "title": "Istio Mesh Dashboard",
+ "version": 4
+}
--- /dev/null
+{
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "5.2.3"
+ },
+ {
+ "type": "panel",
+ "id": "graph",
+ "name": "Graph",
+ "version": "5.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "text",
+ "name": "Text",
+ "version": "5.0.0"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "id": null,
+ "links": [],
+ "panels": [
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 0,
+ "y": 0
+ },
+ "id": 2,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-telemetry",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-ingressgateway",
+ "refId": "B"
+ },
+ {
+ "expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-proxy",
+ "refId": "C"
+ },
+ {
+ "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-policy",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "vCPU / 1k rps",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 12,
+ "y": 0
+ },
+ "id": 6,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-telemetry",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-ingressgateway",
+ "refId": "B"
+ },
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-proxy",
+ "refId": "C"
+ },
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-policy",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "vCPU",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 0,
+ "y": 9
+ },
+ "id": 4,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-telemetry / 1k rps",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "per istio-ingressgateway",
+ "refId": "C"
+ },
+ {
+ "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "per istio-proxy",
+ "refId": "B"
+ },
+ {
+ "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-policy / 1k rps",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Memory",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 9,
+ "w": 12,
+ "x": 12,
+ "y": 9
+ },
+ "id": 5,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-telemetry",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-ingressgateway",
+ "refId": "C"
+ },
+ {
+ "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-proxy",
+ "refId": "D"
+ },
+ {
+ "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "istio-policy",
+ "refId": "E"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes transferred / sec",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 9,
+ "w": 24,
+ "x": 0,
+ "y": 18
+ },
+ "id": 8,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(istio_build) by (component, tag)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ component }}: {{ tag }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Istio Components by Version",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "transparent": false,
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. \n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.",
+ "gridPos": {
+ "h": 4,
+ "w": 24,
+ "x": 0,
+ "y": 18
+ },
+ "id": 11,
+ "links": [],
+ "mode": "markdown",
+ "title": "Istio Performance Dashboard Readme",
+ "type": "text"
+ }
+ ],
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": []
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "",
+ "title": "Istio Performance Dashboard",
+ "version": 4
+}
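Review bot: The Readme text panel (`"id": 11`) and the "Istio Components by Version" graph (`"id": 8`) both declare `"x": 0, "y": 18` at full width (`"w": 24`), so their grid positions overlap and the final order is left to Grafana's collision handling when the dashboard loads. Giving the text panel its own row, e.g. `"y": 27` (18 plus the graph's height of 9), would make the layout deterministic. Separately, `__inputs` declares `DS_PROMETHEUS`, but every panel hard-codes `"datasource": "Prometheus"`, so the dashboard appears to depend on a datasource with exactly that name; either reference `${DS_PROMETHEUS}` in the panels or drop the unused input.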
--- /dev/null
+{
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "iteration": 1536442501501,
+ "links": [],
+ "panels": [
+ {
+ "content": "<div class=\"dashboard-header text-center\">\n<span>SERVICE: $service</span>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 89,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "ops",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 0,
+ "y": 3
+ },
+ "id": 12,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "",
+ "title": "Client Request Volume",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "Prometheus",
+ "decimals": null,
+ "format": "percentunit",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 80,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": false
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 6,
+ "y": 3
+ },
+ "id": 14,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "B"
+ }
+ ],
+ "thresholds": "95, 99, 99.5",
+ "title": "Client Success Rate (non-5xx responses)",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 12,
+ "y": 3
+ },
+ "id": 87,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": false,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": true,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))",
+ "format": "time_series",
+ "interval": "",
+ "intervalFactor": 1,
+ "legendFormat": "P50",
+ "refId": "A"
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "P90",
+ "refId": "B"
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "P99",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Client Request Duration",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "#299c46",
+ "rgba(237, 129, 40, 0.89)",
+ "#d44a3a"
+ ],
+ "datasource": "Prometheus",
+ "format": "Bps",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 18,
+ "y": 3
+ },
+ "id": 84,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "thresholds": "",
+ "title": "TCP Received Bytes",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "ops",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 0,
+ "y": 7
+ },
+ "id": 97,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "",
+ "title": "Server Request Volume",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "Prometheus",
+ "decimals": null,
+ "format": "percentunit",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 80,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": false
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 6,
+ "y": 7
+ },
+ "id": 98,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "B"
+ }
+ ],
+ "thresholds": "95, 99, 99.5",
+ "title": "Server Success Rate (non-5xx responses)",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 12,
+ "y": 7
+ },
+ "id": 99,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": false,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": true,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))",
+ "format": "time_series",
+ "interval": "",
+ "intervalFactor": 1,
+ "legendFormat": "P50",
+ "refId": "A"
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "P90",
+ "refId": "B"
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "P99",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Server Request Duration",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "#299c46",
+ "rgba(237, 129, 40, 0.89)",
+ "#d44a3a"
+ ],
+ "datasource": "Prometheus",
+ "format": "Bps",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 6,
+ "x": 18,
+ "y": 7
+ },
+ "id": 100,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "thresholds": "",
+ "title": "TCP Sent Bytes",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "content": "<div class=\"dashboard-header text-center\">\n<span>CLIENT WORKLOADS</span>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 11
+ },
+ "id": 45,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 0,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 14
+ },
+ "id": 25,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null as zero",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}",
+ "refId": "A",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Requests by Source And Response Code",
+ "tooltip": {
+ "shared": false,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": [
+ "total"
+ ]
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 14
+ },
+ "id": 26,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Success Rate (non-5xx responses) By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "percentunit",
+ "label": null,
+ "logBase": 1,
+ "max": "1.01",
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "description": "",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 20
+ },
+ "id": 27,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Request Duration by Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 20
+ },
+ "id": 28,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Request Size By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 20
+ },
+ "id": 68,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Response Size By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 26
+ },
+ "id": 80,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Received from Incoming TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 26
+ },
+ "id": 82,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Sent to Incoming TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<div class=\"dashboard-header text-center\">\n<span>SERVICE WORKLOADS</span>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 32
+ },
+ "id": 69,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 0,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 35
+ },
+ "id": 90,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null as zero",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}",
+ "refId": "A",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Requests by Destination And Response Code",
+ "tooltip": {
+ "shared": false,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": [
+ "total"
+ ]
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 35
+ },
+ "id": 91,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Success Rate (non-5xx responses) By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "percentunit",
+ "label": null,
+ "logBase": 1,
+ "max": "1.01",
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "description": "",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 41
+ },
+ "id": 94,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Request Duration by Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 41
+ },
+ "id": 95,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Request Size By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 41
+ },
+ "id": 96,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Response Size By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 47
+ },
+ "id": 92,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Received from Incoming TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 47
+ },
+ "id": 93,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Sent to Incoming TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ }
+ ],
+ "refresh": "10s",
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "allValue": null,
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": false,
+ "label": "Service",
+ "multi": false,
+ "name": "service",
+ "options": [],
+ "query": "label_values(destination_service)",
+ "refresh": 1,
+ "regex": "",
+ "sort": 0,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {
+ "text": "All",
+ "value": "$__all"
+ },
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Client Workload Namespace",
+ "multi": true,
+ "name": "srcns",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))",
+ "refresh": 1,
+ "regex": "/.*namespace=\"([^\"]*).*/",
+ "sort": 2,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {
+ "text": "All",
+ "value": "$__all"
+ },
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Client Workload",
+ "multi": true,
+ "name": "srcwl",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))",
+ "refresh": 1,
+ "regex": "/.*workload=\"([^\"]*).*/",
+ "sort": 3,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {
+ "text": "All",
+ "value": "$__all"
+ },
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Service Workload Namespace",
+ "multi": true,
+ "name": "dstns",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))",
+ "refresh": 1,
+ "regex": "/.*namespace=\"([^\"]*).*/",
+ "sort": 2,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {
+ "text": "All",
+ "value": "$__all"
+ },
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Service Workload",
+ "multi": true,
+ "name": "dstwl",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))",
+ "refresh": 1,
+ "regex": "/.*workload=\"([^\"]*).*/",
+ "sort": 3,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ }
+ ]
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "",
+ "title": "Istio Service Dashboard",
+ "uid": "LJ_uJAvmk",
+ "version": 1
+}
--- /dev/null
+{
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "5.0.4"
+ },
+ {
+ "type": "panel",
+ "id": "graph",
+ "name": "Graph",
+ "version": "5.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "singlestat",
+ "name": "Singlestat",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "text",
+ "name": "Text",
+ "version": "5.0.0"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "id": null,
+ "iteration": 1531345461465,
+ "links": [],
+ "panels": [
+ {
+ "content": "<div class=\"dashboard-header text-center\">\n<span>WORKLOAD: $workload.$namespace</span>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 89,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(245, 54, 54, 0.9)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(50, 172, 45, 0.97)"
+ ],
+ "datasource": "Prometheus",
+ "format": "ops",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 8,
+ "x": 0,
+ "y": 3
+ },
+ "id": 12,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "A",
+ "step": 4
+ }
+ ],
+ "thresholds": "",
+ "title": "Incoming Request Volume",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "current"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "rgba(50, 172, 45, 0.97)",
+ "rgba(237, 129, 40, 0.89)",
+ "rgba(245, 54, 54, 0.9)"
+ ],
+ "datasource": "Prometheus",
+ "decimals": null,
+ "format": "percentunit",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 80,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": false
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 8,
+ "x": 8,
+ "y": 3
+ },
+ "id": 14,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "refId": "B"
+ }
+ ],
+ "thresholds": "95, 99, 99.5",
+ "title": "Incoming Success Rate (non-5xx responses)",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 4,
+ "w": 8,
+ "x": 16,
+ "y": 3
+ },
+ "id": 87,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": false,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": true,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+ "format": "time_series",
+ "interval": "",
+ "intervalFactor": 1,
+ "legendFormat": "P50",
+ "refId": "A"
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "P90",
+ "refId": "B"
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "P99",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Request Duration",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "#299c46",
+ "rgba(237, 129, 40, 0.89)",
+ "#d44a3a"
+ ],
+ "datasource": "Prometheus",
+ "format": "Bps",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 12,
+ "x": 0,
+ "y": 7
+ },
+ "id": 84,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "thresholds": "",
+ "title": "TCP Server Traffic",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "cacheTimeout": null,
+ "colorBackground": false,
+ "colorValue": false,
+ "colors": [
+ "#299c46",
+ "rgba(237, 129, 40, 0.89)",
+ "#d44a3a"
+ ],
+ "datasource": "Prometheus",
+ "format": "Bps",
+ "gauge": {
+ "maxValue": 100,
+ "minValue": 0,
+ "show": false,
+ "thresholdLabels": false,
+ "thresholdMarkers": true
+ },
+ "gridPos": {
+ "h": 4,
+ "w": 12,
+ "x": 12,
+ "y": 7
+ },
+ "id": 85,
+ "interval": null,
+ "links": [],
+ "mappingType": 1,
+ "mappingTypes": [
+ {
+ "name": "value to text",
+ "value": 1
+ },
+ {
+ "name": "range to text",
+ "value": 2
+ }
+ ],
+ "maxDataPoints": 100,
+ "nullPointMode": "connected",
+ "nullText": null,
+ "postfix": "",
+ "postfixFontSize": "50%",
+ "prefix": "",
+ "prefixFontSize": "50%",
+ "rangeMaps": [
+ {
+ "from": "null",
+ "text": "N/A",
+ "to": "null"
+ }
+ ],
+ "sparkline": {
+ "fillColor": "rgba(31, 118, 189, 0.18)",
+ "full": true,
+ "lineColor": "rgb(31, 120, 193)",
+ "show": true
+ },
+ "tableColumn": "",
+ "targets": [
+ {
+ "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "thresholds": "",
+ "title": "TCP Client Traffic",
+ "transparent": false,
+ "type": "singlestat",
+ "valueFontSize": "80%",
+ "valueMaps": [
+ {
+ "op": "=",
+ "text": "N/A",
+ "value": "null"
+ }
+ ],
+ "valueName": "avg"
+ },
+ {
+ "content": "<div class=\"dashboard-header text-center\">\n<span>INBOUND WORKLOADS</span>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 11
+ },
+ "id": 45,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 0,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 14
+ },
+ "id": 25,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null as zero",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}",
+ "refId": "A",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Requests by Source And Response Code",
+ "tooltip": {
+ "shared": false,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": [
+ "total"
+ ]
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 14
+ },
+ "id": 26,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Success Rate (non-5xx responses) By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "percentunit",
+ "label": null,
+ "logBase": 1,
+ "max": "1.01",
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "description": "",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 20
+ },
+ "id": 27,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Request Duration by Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 20
+ },
+ "id": 28,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Request Size By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 20
+ },
+ "id": 68,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Response Size By Source",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 26
+ },
+ "id": 80,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Received from Incoming TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 26
+ },
+ "id": 82,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Sent to Incoming TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ },
+ {
+ "content": "<div class=\"dashboard-header text-center\">\n<span>OUTBOUND SERVICES</span>\n</div>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 32
+ },
+ "id": 69,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 0,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 35
+ },
+ "id": 70,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null as zero",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} : {{ response_code }}",
+ "refId": "A",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Outgoing Requests by Destination And Response Code",
+ "tooltip": {
+ "shared": false,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": [
+ "total"
+ ]
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 35
+ },
+ "id": 71,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{destination_service }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Outgoing Success Rate (non-5xx responses) By Destination",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "percentunit",
+ "label": null,
+ "logBase": 1,
+ "max": "1.01",
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "description": "",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 41
+ },
+ "id": 72,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "hideZero": false,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Outgoing Request Duration by Destination",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 41
+ },
+ "id": 73,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Outgoing Request Size By Destination",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 41
+ },
+ "id": 74,
+ "legend": {
+ "alignAsTable": false,
+ "avg": false,
+ "current": false,
+ "hideEmpty": true,
+ "max": false,
+ "min": false,
+ "rightSide": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P50 (🔐mTLS)",
+ "refId": "D",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P90 (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P95 (🔐mTLS)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P99 (🔐mTLS)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P50",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P90",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P95",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} P99",
+ "refId": "H",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Response Size By Destination",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "decbytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 0,
+ "y": 47
+ },
+ "id": 76,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Sent on Outgoing TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 12,
+ "x": 12,
+ "y": 47
+ },
+ "id": 78,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }} (🔐mTLS)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ destination_service }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Bytes Received from Outgoing TCP Connection",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "Bps",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": "0",
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ]
+ }
+ ],
+ "refresh": "10s",
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": false,
+ "label": "Namespace",
+ "multi": false,
+ "name": "namespace",
+ "options": [],
+ "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))",
+ "refresh": 1,
+ "regex": "/.*_namespace=\"([^\"]*).*/",
+ "sort": 0,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": false,
+ "label": "Workload",
+ "multi": false,
+ "name": "workload",
+ "options": [],
+ "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))",
+ "refresh": 1,
+ "regex": "/.*workload=\"([^\"]*).*/",
+ "sort": 1,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Inbound Workload Namespace",
+ "multi": true,
+ "name": "srcns",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))",
+ "refresh": 1,
+ "regex": "/.*namespace=\"([^\"]*).*/",
+ "sort": 2,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Inbound Workload",
+ "multi": true,
+ "name": "srcwl",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))",
+ "refresh": 1,
+ "regex": "/.*workload=\"([^\"]*).*/",
+ "sort": 3,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ },
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Destination Service",
+ "multi": true,
+ "name": "dstsvc",
+ "options": [],
+ "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))",
+ "refresh": 1,
+ "regex": "/.*destination_service=\"([^\"]*).*/",
+ "sort": 4,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ }
+ ]
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "",
+ "title": "Istio Workload Dashboard",
+ "uid": "UbsSZTDik",
+ "version": 1
+}
--- /dev/null
+{
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "5.2.3"
+ },
+ {
+ "type": "panel",
+ "id": "graph",
+ "name": "Graph",
+ "version": "5.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "text",
+ "name": "Text",
+ "version": "5.0.0"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "limit": 100,
+ "name": "Annotations & Alerts",
+ "showIn": 0,
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 1,
+ "id": null,
+ "iteration": 1543881232533,
+ "links": [],
+ "panels": [
+ {
+ "content": "<center><h2>Deployed Versions</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "height": "40",
+ "id": 62,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 5,
+ "w": 24,
+ "x": 0,
+ "y": 3
+ },
+ "id": 64,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(istio_build{component=\"mixer\"}) by (tag)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ tag }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Mixer Versions",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<center><h2>Resource Usage</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 8
+ },
+ "height": "40",
+ "id": 29,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 0,
+ "y": 11
+ },
+ "id": 5,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "instant": false,
+ "intervalFactor": 2,
+ "legendFormat": "Virtual Memory ({{ job }})",
+ "refId": "I"
+ },
+ {
+ "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Resident Memory ({{ job }})",
+ "refId": "H"
+ },
+ {
+ "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "hide": true,
+ "intervalFactor": 2,
+ "legendFormat": "heap sys ({{ job }})",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "hide": true,
+ "intervalFactor": 2,
+ "legendFormat": "heap alloc ({{ job }})",
+ "refId": "D"
+ },
+ {
+ "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Alloc ({{ job }})",
+ "refId": "F"
+ },
+ {
+ "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "Heap in-use ({{ job }})",
+ "refId": "E"
+ },
+ {
+ "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Stack in-use ({{ job }})",
+ "refId": "G"
+ },
+ {
+ "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ service }} total (k8s)",
+ "refId": "C"
+ },
+ {
+ "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ service }} - {{ container_name }} (k8s)",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Memory",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 6,
+ "y": 11
+ },
+ "id": 6,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ service }} total (k8s)",
+ "refId": "A"
+ },
+ {
+ "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ service }} - {{ container_name }} (k8s)",
+ "refId": "B"
+ },
+ {
+ "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ job }} (self-reported)",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "CPU",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 12,
+ "y": 11
+ },
+ "id": 7,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "hide": true,
+ "instant": false,
+ "interval": "",
+ "intervalFactor": 2,
+ "legendFormat": "Open FDs ({{ job }})",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ service }} - {{ container_name }}",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Disk",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": "",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "decimals": null,
+ "format": "none",
+ "label": "",
+ "logBase": 1024,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 18,
+ "y": 11
+ },
+ "id": 4,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": false,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Number of Goroutines ({{ job }})",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Goroutines",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<center><h2>Mixer Overview</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 18
+ },
+ "height": "40px",
+ "id": 30,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 0,
+ "y": 21
+ },
+ "id": 9,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "mixer (Total)",
+ "refId": "B"
+ },
+ {
+ "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "mixer ({{ grpc_server_method }})",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Incoming Requests",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 6,
+ "y": 21
+ },
+ "id": 8,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [
+ {
+ "alias": "{}",
+ "yaxis": 1
+ }
+ ],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ grpc_server_method }} 0.5",
+ "refId": "B"
+ },
+ {
+ "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ grpc_server_method }} 0.9",
+ "refId": "C"
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ grpc_server_method }} 0.99",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Response Durations",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "ms",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 12,
+ "y": 21
+ },
+ "id": 11,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Mixer {{ grpc_method }}",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Server Error Rate (5xx responses)",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 18,
+ "y": 21
+ },
+ "id": 12,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Mixer {{ grpc_method }}",
+ "refId": "B"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Non-successes (4xxs)",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<center><h2>Adapters and Config</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 27
+ },
+ "id": 28,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 12,
+ "x": 0,
+ "y": 30
+ },
+ "id": 13,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ adapter }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Adapter Dispatch Count",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 12,
+ "x": 12,
+ "y": 30
+ },
+ "id": 14,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ adapter }} - p50",
+ "refId": "A"
+ },
+ {
+ "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ adapter }} - p90 ",
+ "refId": "B"
+ },
+ {
+ "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ adapter }} - p99",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Adapter Dispatch Duration",
+ "tooltip": {
+ "shared": true,
+ "sort": 1,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 0,
+ "y": 37
+ },
+ "id": 60,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Rules",
+ "refId": "A"
+ },
+ {
+ "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Config Errors",
+ "refId": "B"
+ },
+ {
+ "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Match Errors",
+ "refId": "C"
+ },
+ {
+ "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Unsatisfied Actions",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Rules",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 6,
+ "y": 37
+ },
+ "id": 56,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Instances",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Instances in Latest Config",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 12,
+ "y": 37
+ },
+ "id": 54,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Handlers",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Handlers in Latest Config",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 18,
+ "y": 37
+ },
+ "id": 58,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))",
+ "format": "time_series",
+ "instant": false,
+ "intervalFactor": 1,
+ "legendFormat": "Attributes",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Attributes in Latest Config",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<center><h2>Individual Adapters</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 44
+ },
+ "id": 23,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "collapsed": false,
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 47
+ },
+ "id": 46,
+ "panels": [],
+ "repeat": "adapter",
+ "title": "$adapter Adapter",
+ "type": "row"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 12,
+ "x": 0,
+ "y": 48
+ },
+ "id": 17,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ handler }} (error: {{ error }})",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Dispatch Count By Handler",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 12,
+ "x": 12,
+ "y": 48
+ },
+ "id": 18,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})",
+ "refId": "A"
+ },
+ {
+ "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})",
+ "refId": "D"
+ },
+ {
+ "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})",
+ "refId": "E"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Dispatch Duration By Handler",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "s",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ }
+ ],
+ "refresh": "5s",
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "allValue": null,
+ "current": {},
+ "datasource": "Prometheus",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Adapter",
+ "multi": true,
+ "name": "adapter",
+ "options": [],
+ "query": "label_values(adapter)",
+ "refresh": 2,
+ "regex": "",
+ "sort": 1,
+ "tagValuesQuery": "",
+ "tags": [],
+ "tagsQuery": "",
+ "type": "query",
+ "useTags": false
+ }
+ ]
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "",
+ "title": "Istio Mixer Dashboard",
+ "version": 4
+}
--- /dev/null
+{
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS",
+ "label": "Prometheus",
+ "description": "",
+ "type": "datasource",
+ "pluginId": "prometheus",
+ "pluginName": "Prometheus"
+ }
+ ],
+ "__requires": [
+ {
+ "type": "grafana",
+ "id": "grafana",
+ "name": "Grafana",
+ "version": "5.2.3"
+ },
+ {
+ "type": "panel",
+ "id": "graph",
+ "name": "Graph",
+ "version": "5.0.0"
+ },
+ {
+ "type": "datasource",
+ "id": "prometheus",
+ "name": "Prometheus",
+ "version": "5.0.0"
+ },
+ {
+ "type": "panel",
+ "id": "text",
+ "name": "Text",
+ "version": "5.0.0"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "type": "dashboard"
+ }
+ ]
+ },
+ "editable": false,
+ "gnetId": null,
+ "graphTooltip": 1,
+ "id": null,
+ "links": [],
+ "panels": [
+ {
+ "content": "<center><h2>Deployed Versions</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "height": "40",
+ "id": 58,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 5,
+ "w": 24,
+ "x": 0,
+ "y": 3
+ },
+ "id": 56,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(istio_build{component=\"pilot\"}) by (tag)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ tag }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Pilot Versions",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<center><h2>Resource Usage</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 8
+ },
+ "height": "40",
+ "id": 29,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 0,
+ "y": 11
+ },
+ "id": 5,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "process_virtual_memory_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "instant": false,
+ "intervalFactor": 2,
+ "legendFormat": "Virtual Memory",
+ "refId": "I",
+ "step": 2
+ },
+ {
+ "expr": "process_resident_memory_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Resident Memory",
+ "refId": "H",
+ "step": 2
+ },
+ {
+ "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "hide": true,
+ "intervalFactor": 2,
+ "legendFormat": "heap sys",
+ "refId": "A"
+ },
+ {
+ "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "hide": true,
+ "intervalFactor": 2,
+ "legendFormat": "heap alloc",
+ "refId": "D"
+ },
+ {
+ "expr": "go_memstats_alloc_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Alloc",
+ "refId": "F",
+ "step": 2
+ },
+ {
+ "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "Heap in-use",
+ "refId": "E",
+ "step": 2
+ },
+ {
+ "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Stack in-use",
+ "refId": "G",
+ "step": 2
+ },
+ {
+ "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "Total (k8s)",
+ "refId": "C",
+ "step": 2
+ },
+ {
+ "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ container_name }} (k8s)",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Memory",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 6,
+ "y": 11
+ },
+ "id": 6,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "Total (k8s)",
+ "refId": "A",
+ "step": 2
+ },
+ {
+ "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "{{ container_name }} (k8s)",
+ "refId": "B",
+ "step": 2
+ },
+ {
+ "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 2,
+ "legendFormat": "pilot (self-reported)",
+ "refId": "C",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "CPU",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 12,
+ "y": 11
+ },
+ "id": 7,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "process_open_fds{job=\"pilot\"}",
+ "format": "time_series",
+ "hide": true,
+ "instant": false,
+ "interval": "",
+ "intervalFactor": 2,
+ "legendFormat": "Open FDs (pilot)",
+ "refId": "A"
+ },
+ {
+ "expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "{{ container_name }}",
+ "refId": "B",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Disk",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "bytes",
+ "label": "",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "decimals": null,
+ "format": "none",
+ "label": "",
+ "logBase": 1024,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 6,
+ "x": 18,
+ "y": 11
+ },
+ "id": 4,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": false,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "go_goroutines{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Number of Goroutines",
+ "refId": "A",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Goroutines",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": "",
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "content": "<center><h2>xDS</h2></center>",
+ "gridPos": {
+ "h": 3,
+ "w": 24,
+ "x": 0,
+ "y": 18
+ },
+ "id": 28,
+ "links": [],
+ "mode": "html",
+ "title": "",
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 0,
+ "y": 21
+ },
+ "id": 40,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))",
+ "format": "time_series",
+ "hide": false,
+ "intervalFactor": 1,
+ "legendFormat": "XDS GRPC Successes",
+ "refId": "C"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Updates",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 8,
+ "y": 21
+ },
+ "id": 42,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "XDS GRPC ",
+ "refId": "A",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Failures",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "ops",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": false
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 6,
+ "w": 8,
+ "x": 16,
+ "y": 21
+ },
+ "id": 41,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})",
+ "format": "time_series",
+ "intervalFactor": 2,
+ "legendFormat": "Pilot (XDS GRPC)",
+ "refId": "C",
+ "step": 2
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Active Connections",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 8,
+ "x": 0,
+ "y": 27
+ },
+ "id": 45,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Inbound Listeners",
+ "refId": "B"
+ },
+ {
+ "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Outbound Listeners (http over current tcp)",
+ "refId": "A"
+ },
+ {
+ "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Outbound Listeners (tcp over current tcp)",
+ "refId": "C"
+ },
+ {
+ "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Outbound Listeners (tcp over current http)",
+ "refId": "D"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Conflicts",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 8,
+ "x": 8,
+ "y": 27
+ },
+ "id": 47,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "pilot_virt_services{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Virtual Services",
+ "refId": "A"
+ },
+ {
+ "expr": "pilot_services{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Services",
+ "refId": "B"
+ },
+ {
+ "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
+ "format": "time_series",
+ "hide": true,
+ "intervalFactor": 1,
+ "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}",
+ "refId": "C"
+ },
+ {
+ "expr": "pilot_xds_eds_reject{job=\"pilot\"}",
+ "format": "time_series",
+ "hide": true,
+ "intervalFactor": 1,
+ "legendFormat": "Rejected EDS Configs",
+ "refId": "D"
+ },
+ {
+ "expr": "pilot_xds{job=\"pilot\"}",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Connected Endpoints",
+ "refId": "E"
+ },
+ {
+ "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Write Timeouts",
+ "refId": "F"
+ },
+ {
+ "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Push Timeouts",
+ "refId": "G"
+ },
+ {
+ "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Pushes ({{ type }})",
+ "refId": "H"
+ },
+ {
+ "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "Push Errors ({{ type }})",
+ "refId": "I"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "ADS Monitoring",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 8,
+ "w": 8,
+ "x": 16,
+ "y": 27
+ },
+ "id": 49,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ node }} ({{ err }})",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Rejected CDS Configs",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 0,
+ "y": 35
+ },
+ "id": 52,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ node }} ({{err}})",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Rejected EDS Configs",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 8,
+ "y": 35
+ },
+ "id": 54,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ node }} ({{err}})",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Rejected LDS Configs",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {},
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 16,
+ "y": 35
+ },
+ "id": 53,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ node }} ({{err}})",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Rejected RDS Configs",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ },
+ {
+ "aliasColors": {
+ "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)"
+ },
+ "bars": false,
+ "dashLength": 10,
+ "dashes": false,
+ "datasource": "Prometheus",
+ "fill": 1,
+ "gridPos": {
+ "h": 7,
+ "w": 8,
+ "x": 0,
+ "y": 42
+ },
+ "id": 51,
+ "legend": {
+ "avg": false,
+ "current": false,
+ "max": false,
+ "min": false,
+ "show": true,
+ "total": false,
+ "values": false
+ },
+ "lines": true,
+ "linewidth": 1,
+ "links": [],
+ "nullPointMode": "null",
+ "percentage": false,
+ "pointradius": 5,
+ "points": false,
+ "renderer": "flot",
+ "seriesOverrides": [
+ {
+ "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local",
+ "yaxis": 1
+ }
+ ],
+ "spaceLength": 10,
+ "stack": false,
+ "steppedLine": false,
+ "targets": [
+ {
+ "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)",
+ "format": "time_series",
+ "intervalFactor": 1,
+ "legendFormat": "{{ cluster }}",
+ "refId": "A"
+ }
+ ],
+ "thresholds": [],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "EDS Instances",
+ "tooltip": {
+ "shared": true,
+ "sort": 0,
+ "value_type": "individual"
+ },
+ "type": "graph",
+ "xaxis": {
+ "buckets": null,
+ "mode": "time",
+ "name": null,
+ "show": true,
+ "values": []
+ },
+ "yaxes": [
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ },
+ {
+ "format": "short",
+ "label": null,
+ "logBase": 1,
+ "max": null,
+ "min": null,
+ "show": true
+ }
+ ],
+ "yaxis": {
+ "align": false,
+ "alignLevel": null
+ }
+ }
+ ],
+ "refresh": "5s",
+ "schemaVersion": 16,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": []
+ },
+ "time": {
+ "from": "now-5m",
+ "to": "now"
+ },
+ "timepicker": {
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "browser",
+ "title": "Istio Pilot Dashboard",
+ "version": 4
+}
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
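Review bot: The comment above `grafana.chart` says it creates "chart name and version", but the template body emits only `.Chart.Name`, so the `chart:` label on every resource in this chart carries no version. Either correct the comment to `Create the chart name as used by the chart label.` or, if the version was intended, emit it as well, e.g. `{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}`. As written, a reader relying on the comment will expect the label to distinguish chart versions.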
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: grafana
+data:
+ custom-resources.yaml: |-
+ {{- include "grafana-default.yaml.tpl" . | indent 4}}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
--- /dev/null
+{{- $files := .Files }}
+{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+{{- $filename := trimSuffix (ext $path) (base $path) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-configuration-dashboards-{{ $filename }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" $ }}
+ chart: {{ template "grafana.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: grafana
+data:
+ {{ base $path }}: '{{ $files.Get $path }}'
+---
+{{- end }}
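Review bot: The data entry `{{ base $path }}: '{{ $files.Get $path }}'` pastes the raw dashboard file between single quotes, so a single apostrophe anywhere in a dashboard JSON ends the YAML scalar early and the remainder is parsed as manifest structure. Let the template engine do the escaping instead: `{{ base $path }}: {{ $files.Get $path | toJson }}`. The key is also interpolated unquoted, so a file name that YAML reads as something other than a string would need `{{ base $path | quote }}`.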
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: grafana
+data:
+{{- if .Values.datasources }}
+ {{- range $key, $value := .Values.datasources }}
+ {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+ {{- end -}}
+{{- end -}}
+
+{{- if .Values.dashboardProviders }}
+ {{- range $key, $value := .Values.dashboardProviders }}
+ {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+ {{- end -}}
+{{- end -}}
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-grafana-post-install-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-grafana-post-install-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-grafana-post-install-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-grafana-post-install-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-grafana-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ name: istio-grafana-post-install
+ labels:
+ app: istio-grafana
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-grafana-post-install-account
+ containers:
+ - name: kubectl
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
+ volumeMounts:
+ - mountPath: "/tmp/grafana"
+ name: tmp-configmap-grafana
+ volumes:
+ - name: tmp-configmap-grafana
+ configMap:
+ name: istio-grafana-custom-resources
+ restartPolicy: OnFailure
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
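Review bot: The ClusterRole rule grants `resources: ["*"]` with `verbs: ["*"]` on `authentication.istio.io`, cluster-wide through the ClusterRoleBinding, while the only object this chart feeds to the job is one namespaced `Policy` in the release namespace. Narrow the rule to what the script needs, e.g. `resources: ["policies"]` with only the verbs `run.sh` actually uses (the script is not visible here), and consider a namespaced Role and RoleBinding in `{{ .Release.Namespace }}` in place of the cluster-scoped pair. Only the Job carries the `helm.sh/hook` and `hook-delete-policy` annotations, so the ServiceAccount and its wildcard grant stay in the cluster after the job has been deleted. The `kubectl` container also sets no `securityContext`.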
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: grafana
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ securityContext:
+ runAsUser: 472
+ fsGroup: 472
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 3000
+ readinessProbe:
+ httpGet:
+ path: /login
+ port: 3000
+ env:
+ - name: GRAFANA_PORT
+ value: "3000"
+{{- if .Values.security.enabled }}
+ - name: GF_SECURITY_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.security.secretName }}
+ key: {{ .Values.security.usernameKey }}
+ - name: GF_SECURITY_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.security.secretName }}
+ key: {{ .Values.security.passphraseKey }}
+ - name: GF_AUTH_BASIC_ENABLED
+ value: "true"
+ - name: GF_AUTH_ANONYMOUS_ENABLED
+ value: "false"
+ - name: GF_AUTH_DISABLE_LOGIN_FORM
+ value: "false"
+{{- else }}
+ - name: GF_AUTH_BASIC_ENABLED
+ value: "false"
+ - name: GF_AUTH_ANONYMOUS_ENABLED
+ value: "true"
+ - name: GF_AUTH_ANONYMOUS_ORG_ROLE
+ value: Admin
+{{- end }}
+ - name: GF_PATHS_DATA
+ value: /data/grafana
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /data/grafana
+ {{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+ {{- $filename := trimSuffix (ext $path) (base $path) }}
+ - name: dashboards-istio-{{ $filename }}
+ mountPath: "/var/lib/grafana/dashboards/istio/{{ base $path }}"
+ subPath: {{ base $path }}
+ readOnly: true
+ {{- end }}
+ - name: config
+ mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml"
+ subPath: datasources.yaml
+ - name: config
+ mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml"
+ subPath: dashboardproviders.yaml
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ volumes:
+ - name: config
+ configMap:
+ name: istio-grafana
+ - name: data
+{{- if .Values.persist }}
+ persistentVolumeClaim:
+ claimName: istio-grafana-pvc
+{{- else }}
+ emptyDir: {}
+{{- end }}
+{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+{{- $filename := trimSuffix (ext $path) (base $path) }}
+ - name: dashboards-istio-{{ $filename }}
+ configMap:
+ name: istio-grafana-configuration-dashboards-{{ $filename }}
+{{- end }}
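Review bot: The `{{- else }}` branch of the `security.enabled` conditional enables anonymous access with `GF_AUTH_ANONYMOUS_ORG_ROLE` set to `Admin`, and the values file in this commit defaults to `security.enabled: false`. A default install therefore gives full Grafana administration, including editing data sources, to anyone who can reach port 3000 without logging in. Use `value: Viewer` for the anonymous role so the unauthenticated default is read-only, and leave admin rights to the secret-backed branch. The Ingress and Service templates in the same commit can publish this port outside the cluster, which makes the default matter more. Separately, the container has no `securityContext` of its own (for example `allowPrivilegeEscalation: false`); only the pod-level `runAsUser`/`fsGroup` are set.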
--- /dev/null
+{{ define "grafana-default.yaml.tpl" }}
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ name: grafana-ports-mtls-disabled
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ targets:
+ - name: grafana
+ ports:
+ - number: {{ .Values.service.externalPort }}
+{{- end }}
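Review bot: The Policy lists `targets` but no `peers`, which (as the name `grafana-ports-mtls-disabled` indicates) exempts the Grafana port from mutual TLS, and nothing in the template says why. Add a comment above `spec:` such as `# Grafana runs without a sidecar (sidecar.istio.io/inject: "false"), so mTLS is disabled for its port; traffic to it is plaintext.` This is presumably the reason, given the Deployment annotation in this commit; confirm before merging. Operators reviewing mesh-wide mTLS coverage need that exception recorded where it is created.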
--- /dev/null
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: grafana
+ servicePort: 3000
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: grafana
+ servicePort: 3000
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
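Review bot: The `host` and `path` values are interpolated unquoted in both branches, and the path expression pads its result with spaces. A wildcard host such as `*.example.com` would therefore be read by YAML as an alias and fail to parse. Quote both values: `- host: {{ $host | quote }}` and `path: {{ $.Values.contextPath | default "/" | quote }}` (using `.Values.contextPath` in the `else` branch). The `tls:` block is optional and defaults to empty in values, so an enabled Ingress serves Grafana, and its login when `security.enabled` is set, over plain HTTP unless the operator adds TLS; a comment saying so would help.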
--- /dev/null
+{{- if .Values.persist }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-grafana-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ storageClassName: {{ .Values.storageClassName }}
+ accessModes:
+ - {{ .Values.accessMode }}
+ resources:
+ requests:
+ storage: 5Gi
+{{- end }}
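Review bot: With the default `storageClassName: ""` from values, the line `storageClassName: {{ .Values.storageClassName }}` renders as a bare key, which YAML reads as null rather than the empty string. The claim then falls back to the cluster's default storage class instead of the "no class" meaning that `""` has in the PVC API. Make the intent explicit by guarding the field: `{{- if .Values.storageClassName }}`, `storageClassName: {{ .Values.storageClassName | quote }}`, `{{- end }}`. The request size `storage: 5Gi` is hard-coded while the class and access mode are configurable; a value with `5Gi` as its default would match the rest of the template.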
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: 3000
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: grafana
+{{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
+{{- end }}
+ {{if .Values.service.loadBalancerSourceRanges}}
+ loadBalancerSourceRanges:
+ {{range $rangeList := .Values.service.loadBalancerSourceRanges}}
+ - {{ $rangeList }}
+ {{end}}
+ {{end}}
\ No newline at end of file
--- /dev/null
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "grafana.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: grafana-test
+ chart: {{ template "grafana.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: grafana
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "grafana.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://grafana:{{ .Values.grafana.service.externalPort }}']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
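Review bot: The curl target in `args` reads `.Values.grafana.service.externalPort`, while the Service template of this same chart reads `.Values.service.externalPort`. Inside the grafana subchart the `grafana` key is probably absent, so rendering with `global.enableHelmTest` set would likely fail or yield an empty port. I would change the line to `args: ['--fail', 'http://grafana:{{ .Values.service.externalPort }}']`. The added `--fail` matters because plain `curl` exits 0 on an HTTP 4xx/5xx response, so the `test-success` hook currently passes as long as anything answers on the port. The kiali test pod later in this commit invokes `curl` the same way.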
--- /dev/null
+#
+# addon grafana configuration
+#
+enabled: false
+replicaCount: 1
+image:
+ repository: grafana/grafana
+ tag: 6.0.2
+ingress:
+ enabled: false
+ ## Used to create an Ingress record.
+ hosts:
+ - grafana.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: grafana-tls
+ # hosts:
+ # - grafana.local
+persist: false
+storageClassName: ""
+accessMode: ReadWriteMany
+security:
+ enabled: false
+ secretName: grafana
+ usernameKey: username
+ passphraseKey: passphrase
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+contextPath: /grafana
+service:
+ annotations: {}
+ name: http
+ type: ClusterIP
+ externalPort: 3000
+ loadBalancerIP:
+ loadBalancerSourceRanges:
+
+datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ orgId: 1
+ url: http://prometheus:9090
+ access: proxy
+ isDefault: true
+ jsonData:
+ timeInterval: 5s
+ editable: true
+
+dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'istio'
+ orgId: 1
+ folder: 'istio'
+ type: file
+ disableDeletion: false
+ options:
+ path: /var/lib/grafana/dashboards/istio
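Review bot: `security.enabled: false` is the shipped default and has no comment saying what it leaves open. The Deployment that consumes it is not in this file, but the flag presumably decides whether Grafana asks for a login. Because the same file lets an operator set `ingress.enabled` or switch `service.type` to `LoadBalancer`, I would add a comment above `security:` such as `# Keep Grafana cluster-internal while this is false; set enabled: true and create the secret before enabling ingress or a LoadBalancer service.` The Prometheus datasource is also provisioned with `editable: true`, which deserves a second look if the UI can be reached without authentication.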
--- /dev/null
+apiVersion: v1
+description: Istio CoreDNS provides DNS resolution for services in multicluster setups.
+name: istiocoredns
+version: 1.1.0
+appVersion: 0.1
+tillerVersion: ">=2.7.2"
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istiocoredns.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istiocoredns.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istiocoredns.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiocoredns
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
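Review bot: `resources: ["*"]` in the single rule gives the istiocoredns service account cluster-wide read access to every kind in `networking.istio.io`, including kinds added to that group later. The plugin presumably only needs to watch service entries (its source is not on this page, so confirm), in which case the rule can be narrowed to `resources: ["serviceentries"]`. A one-line comment above the rule naming the consumer would also help the next reviewer judge the grant.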
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-istiocoredns-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiocoredns
+subjects:
+- kind: ServiceAccount
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health
+ proxy global 127.0.0.1:8053 {
+ protocol grpc insecure
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ reload
+ }
+---
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istiocoredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ name: istiocoredns
+ labels:
+ app: istiocoredns
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istiocoredns-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: coredns
+ image: {{ .Values.coreDNSImage }}
+ imagePullPolicy: IfNotPresent
+ args: [ "-conf", "/etc/coredns/Corefile" ]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/coredns
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ - containerPort: 9153
+ name: metrics
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ - name: istio-coredns-plugin
+ command:
+ - /usr/local/bin/plugin
+ image: {{ .Values.coreDNSPluginImage }}
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8053
+ name: dns-grpc
+ protocol: TCP
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ dnsPolicy: Default
+ volumes:
+ - name: config-volume
+ configMap:
+ name: coredns
+ items:
+ - key: Corefile
+ path: Corefile
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
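Review bot: Neither container in this pod spec sets a `securityContext`, so both run with the image's default user and the runtime's default capability set, although the `coredns` container only needs to bind port 53. I would add a container-level `securityContext` to `coredns` that drops all capabilities, adds back `NET_BIND_SERVICE`, disallows privilege escalation and makes the root filesystem read-only. `istio-coredns-plugin` would get a similar one without the added capability. Both should be tested against the pinned images before merging. The kiali Deployment later in this commit has the same gap.

```yaml
      - name: coredns
        # … unchanged: image, imagePullPolicy, args …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        # … unchanged: volumeMounts, ports, livenessProbe, resources …
      - name: istio-coredns-plugin
        # … unchanged: command, image, imagePullPolicy, ports …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        # … unchanged: resources …
```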
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiocoredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ app: istiocoredns
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+#
+# addon istiocoredns tracing configuration
+#
+enabled: false
+replicaCount: 1
+coreDNSImage: coredns/coredns:1.1.2
+# Source code for the plugin can be found at
+# https://github.com/istio-ecosystem/istio-coredns-plugin
+# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
+coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
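Review bot: `coreDNSImage` and `coreDNSPluginImage` are pinned by tag only, and the Deployment in this chart pulls them with `imagePullPolicy: IfNotPresent`. If a tag is ever re-pushed, different nodes can end up running different content under the same name. Where the registry supports it, pinning by digest removes that ambiguity, e.g. `coreDNSImage: coredns/coredns@sha256:DIGEST_OF_REVIEWED_IMAGE` (placeholder). Separately, the header comment reads `addon istiocoredns tracing configuration`; "tracing" looks like a leftover from another chart's values file.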
--- /dev/null
+apiVersion: v1
+description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
+name: kiali
+version: 1.1.0
+appVersion: 0.16
+tillerVersion: ">=2.7.2"
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kiali.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kiali.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kiali.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - namespaces
+ - nodes
+ - pods
+ - services
+ - replicationcontrollers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - deployments
+ - statefulsets
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["config.istio.io"]
+ resources:
+ - apikeys
+ - authorizations
+ - checknothings
+ - circonuses
+ - deniers
+ - fluentds
+ - handlers
+ - kubernetesenvs
+ - kuberneteses
+ - listcheckers
+ - listentries
+ - logentries
+ - memquotas
+ - metrics
+ - opas
+ - prometheuses
+ - quotas
+ - quotaspecbindings
+ - quotaspecs
+ - rbacs
+ - reportnothings
+ - rules
+ - solarwindses
+ - stackdrivers
+ - statsds
+ - stdios
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups: ["networking.istio.io"]
+ resources:
+ - destinationrules
+ - gateways
+ - serviceentries
+ - virtualservices
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups: ["authentication.istio.io"]
+ resources:
+ - policies
+ - meshpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups: ["rbac.istio.io"]
+ resources:
+ - clusterrbacconfigs
+ - rbacconfigs
+ - serviceroles
+ - servicerolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups: ["monitoring.kiali.io"]
+ resources:
+ - monitoringdashboards
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali-viewer
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - namespaces
+ - nodes
+ - pods
+ - services
+ - replicationcontrollers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - deployments
+ - statefulsets
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["config.istio.io"]
+ resources:
+ - apikeys
+ - authorizations
+ - checknothings
+ - circonuses
+ - deniers
+ - fluentds
+ - handlers
+ - kubernetesenvs
+ - kuberneteses
+ - listcheckers
+ - listentries
+ - logentries
+ - memquotas
+ - metrics
+ - opas
+ - prometheuses
+ - quotas
+ - quotaspecbindings
+ - quotaspecs
+ - rbacs
+ - reportnothings
+ - rules
+ - servicecontrolreports
+ - servicecontrols
+ - solarwindses
+ - stackdrivers
+ - statsds
+ - stdios
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["networking.istio.io"]
+ resources:
+ - destinationrules
+ - gateways
+ - serviceentries
+ - virtualservices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["authentication.istio.io"]
+ resources:
+ - policies
+ - meshpolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["rbac.istio.io"]
+ resources:
+ - clusterrbacconfigs
+ - rbacconfigs
+ - serviceroles
+ - servicerolebindings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["monitoring.kiali.io"]
+ resources:
+ - monitoringdashboards
+ verbs:
+ - get
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-kiali-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiali
+subjects:
+- kind: ServiceAccount
+ name: kiali-service-account
+ namespace: {{ .Release.Namespace }}
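Review bot: `roleRef.name` is fixed to `kiali`, the role that carries `create`, `delete` and `patch` on the Istio config, networking, authentication and RBAC API groups. The read-only `kiali-viewer` ClusterRole defined in this commit is not bound by any template visible here. An operator who wants the dashboard only for observation therefore cannot install it without granting cluster-wide write access to mesh policy. I would make the role selectable from values, for instance with a new boolean such as `dashboard.viewOnlyMode` (not present in values.yaml today): `name: kiali{{- if .Values.dashboard.viewOnlyMode }}-viewer{{- end }}`.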
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ config.yaml: |
+ istio_namespace: {{ .Release.Namespace }}
+ server:
+ port: 20001
+ external_services:
+ istio:
+ url_service_version: http://istio-pilot:8080/version
+ jaeger:
+ url: {{ .Values.dashboard.jaegerURL }}
+ grafana:
+ url: {{ .Values.dashboard.grafanaURL }}
--- /dev/null
+{{- if .Values.createDemoSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.dashboard.secretName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+type: Opaque
+data:
+ username: YWRtaW4= # admin
+ passphrase: YWRtaW4= # admin
+{{- end }}
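Review bot: With `createDemoSecret` set, the Secret is rendered with the fixed credentials `admin`/`admin`, and the service account behind that login is bound to a ClusterRole that can create, patch and delete Istio policy objects. The values file calls the flag useful for demos, but nothing in the template prevents it from being combined with `ingress.enabled`. I would take the passphrase from a required value, e.g. `passphrase: {{ required "dashboard.passphrase must be set" .Values.dashboard.passphrase | b64enc | quote }}` (a new value, not in values.yaml today). At minimum, add a comment on the `data:` block saying these credentials are publicly known and the secret must be replaced before the dashboard is reachable from outside the cluster.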
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: kiali
+ template:
+ metadata:
+ name: kiali
+ labels:
+ app: kiali
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9090"
+ spec:
+ serviceAccountName: kiali-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - image: "{{ .Values.hub }}/kiali:{{ .Values.tag }}"
+ name: kiali
+ command:
+ - "/opt/kiali/kiali"
+ - "-config"
+ - "/kiali-configuration/config.yaml"
+ - "-v"
+ - "4"
+ env:
+ - name: ACTIVE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PROMETHEUS_SERVICE_URL
+ value: {{ .Values.prometheusAddr }}
+{{- if .Values.contextPath }}
+ - name: SERVER_WEB_ROOT
+ value: {{ .Values.contextPath }}
+{{- end }}
+ volumeMounts:
+ - name: kiali-configuration
+ mountPath: "/kiali-configuration"
+ - name: kiali-secret
+ mountPath: "/kiali-secret"
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumes:
+ - name: kiali-configuration
+ configMap:
+ name: kiali
+ - name: kiali-secret
+ secret:
+ secretName: {{ .Values.dashboard.secretName }}
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
--- /dev/null
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: kiali
+ servicePort: 20001
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: kiali
+ servicePort: 20001
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - name: http-kiali
+ protocol: TCP
+ port: 20001
+ selector:
+ app: kiali
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: kiali-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kiali.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali-test
+ chart: {{ template "kiali.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: kiali
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "kiali.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://kiali:20001']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
--- /dev/null
+#
+# addon kiali
+#
+enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
+replicaCount: 1
+hub: docker.io/kiali
+tag: v0.16
+contextPath: /kiali # The root context path to access the Kiali UI.
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+ingress:
+ enabled: false
+ ## Used to create an Ingress record.
+ hosts:
+ - kiali.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: kiali-tls
+ # hosts:
+ # - kiali.local
+
+dashboard:
+ secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
+ grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
+ jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
+prometheusAddr: http://prometheus:9090
+
+# When true, a secret will be created with a default username and password. Useful for demos.
+createDemoSecret: false
--- /dev/null
+apiVersion: v1
+name: mixer
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for mixer deployment
+keywords:
+ - istio
+ - mixer
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mixer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mixer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mixer.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" $ }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+spec:
+ maxReplicas: {{ $spec.autoscaleMax }}
+ minReplicas: {{ $spec.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-{{ $key }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
--- /dev/null
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-mixer-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["config.istio.io"] # istio CRD watcher
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+{{- end }}
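Review bot: The core-group rule lists `secrets` with `get`, `list` and `watch`, and because this is a ClusterRole bound through a ClusterRoleBinding, the mixer service account can read every Secret in every namespace. If Mixer only needs secrets in the release namespace (the consumer is not visible in this hunk, so confirm), I would drop it from this rule, leaving `resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "replicationcontrollers"]`. The secret read would then be granted through a namespaced Role and RoleBinding in a separate template. The first rule's `resources: ["*"]` on `config.istio.io` combined with `create` and `patch` would benefit from a comment stating which kinds Mixer actually writes.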
--- /dev/null
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+{{- end }}
--- /dev/null
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: "config.istio.io/v1alpha2"
+kind: attributemanifest
+metadata:
+ name: istioproxy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ attributes:
+ origin.ip:
+ valueType: IP_ADDRESS
+ origin.uid:
+ valueType: STRING
+ origin.user:
+ valueType: STRING
+ request.headers:
+ valueType: STRING_MAP
+ request.id:
+ valueType: STRING
+ request.host:
+ valueType: STRING
+ request.method:
+ valueType: STRING
+ request.path:
+ valueType: STRING
+ request.url_path:
+ valueType: STRING
+ request.query_params:
+ valueType: STRING_MAP
+ request.reason:
+ valueType: STRING
+ request.referer:
+ valueType: STRING
+ request.scheme:
+ valueType: STRING
+ request.total_size:
+ valueType: INT64
+ request.size:
+ valueType: INT64
+ request.time:
+ valueType: TIMESTAMP
+ request.useragent:
+ valueType: STRING
+ response.code:
+ valueType: INT64
+ response.duration:
+ valueType: DURATION
+ response.headers:
+ valueType: STRING_MAP
+ response.total_size:
+ valueType: INT64
+ response.size:
+ valueType: INT64
+ response.time:
+ valueType: TIMESTAMP
+ response.grpc_status:
+ valueType: STRING
+ response.grpc_message:
+ valueType: STRING
+ source.uid:
+ valueType: STRING
+ source.user: # DEPRECATED
+ valueType: STRING
+ source.principal:
+ valueType: STRING
+ destination.uid:
+ valueType: STRING
+ destination.principal:
+ valueType: STRING
+ destination.port:
+ valueType: INT64
+ connection.event:
+ valueType: STRING
+ connection.id:
+ valueType: STRING
+ connection.received.bytes:
+ valueType: INT64
+ connection.received.bytes_total:
+ valueType: INT64
+ connection.sent.bytes:
+ valueType: INT64
+ connection.sent.bytes_total:
+ valueType: INT64
+ connection.duration:
+ valueType: DURATION
+ connection.mtls:
+ valueType: BOOL
+ connection.requested_server_name:
+ valueType: STRING
+ context.protocol:
+ valueType: STRING
+ context.proxy_error_code:
+ valueType: STRING
+ context.timestamp:
+ valueType: TIMESTAMP
+ context.time:
+ valueType: TIMESTAMP
+ # Deprecated, kept for compatibility
+ context.reporter.local:
+ valueType: BOOL
+ context.reporter.kind:
+ valueType: STRING
+ context.reporter.uid:
+ valueType: STRING
+ api.service:
+ valueType: STRING
+ api.version:
+ valueType: STRING
+ api.operation:
+ valueType: STRING
+ api.protocol:
+ valueType: STRING
+ request.auth.principal:
+ valueType: STRING
+ request.auth.audiences:
+ valueType: STRING
+ request.auth.presenter:
+ valueType: STRING
+ request.auth.claims:
+ valueType: STRING_MAP
+ request.auth.raw_claims:
+ valueType: STRING
+ request.api_key:
+ valueType: STRING
+ rbac.permissive.response_code:
+ valueType: STRING
+ rbac.permissive.effective_policy_id:
+ valueType: STRING
+ check.error_code:
+ valueType: INT64
+ check.error_message:
+ valueType: STRING
+ check.cache_hit:
+ valueType: BOOL
+ quota.cache_hit:
+ valueType: BOOL
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: attributemanifest
+metadata:
+ name: kubernetes
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ attributes:
+ source.ip:
+ valueType: IP_ADDRESS
+ source.labels:
+ valueType: STRING_MAP
+ source.metadata:
+ valueType: STRING_MAP
+ source.name:
+ valueType: STRING
+ source.namespace:
+ valueType: STRING
+ source.owner:
+ valueType: STRING
+ source.serviceAccount:
+ valueType: STRING
+ source.services:
+ valueType: STRING
+ source.workload.uid:
+ valueType: STRING
+ source.workload.name:
+ valueType: STRING
+ source.workload.namespace:
+ valueType: STRING
+ destination.ip:
+ valueType: IP_ADDRESS
+ destination.labels:
+ valueType: STRING_MAP
+ destination.metadata:
+ valueType: STRING_MAP
+ destination.owner:
+ valueType: STRING
+ destination.name:
+ valueType: STRING
+ destination.container.name:
+ valueType: STRING
+ destination.namespace:
+ valueType: STRING
+ destination.service.uid:
+ valueType: STRING
+ destination.service.name:
+ valueType: STRING
+ destination.service.namespace:
+ valueType: STRING
+ destination.service.host:
+ valueType: STRING
+ destination.serviceAccount:
+ valueType: STRING
+ destination.workload.uid:
+ valueType: STRING
+ destination.workload.name:
+ valueType: STRING
+ destination.workload.namespace:
+ valueType: STRING
+---
+{{- if and .Values.adapters.stdio.enabled .Values.telemetry.enabled }}
+apiVersion: "config.istio.io/v1alpha2"
+kind: handler
+metadata:
+ name: stdio
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ compiledAdapter: stdio
+ params:
+ outputAsJson: {{ .Values.adapters.stdio.outputAsJson }}
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: logentry
+metadata:
+ name: accesslog
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ severity: '"Info"'
+ timestamp: request.time
+ variables:
+ sourceIp: source.ip | ip("0.0.0.0")
+ sourceApp: source.labels["app"] | ""
+ sourcePrincipal: source.principal | ""
+ sourceName: source.name | ""
+ sourceWorkload: source.workload.name | ""
+ sourceNamespace: source.namespace | ""
+ sourceOwner: source.owner | ""
+ destinationApp: destination.labels["app"] | ""
+ destinationIp: destination.ip | ip("0.0.0.0")
+ destinationServiceHost: destination.service.host | ""
+ destinationWorkload: destination.workload.name | ""
+ destinationName: destination.name | ""
+ destinationNamespace: destination.namespace | ""
+ destinationOwner: destination.owner | ""
+ destinationPrincipal: destination.principal | ""
+ apiClaims: request.auth.raw_claims | ""
+ apiKey: request.api_key | request.headers["x-api-key"] | ""
+ protocol: request.scheme | context.protocol | "http"
+ method: request.method | ""
+ url: request.path | ""
+ responseCode: response.code | 0
+ responseFlags: context.proxy_error_code | ""
+ responseSize: response.size | 0
+ permissiveResponseCode: rbac.permissive.response_code | "none"
+ permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
+ requestSize: request.size | 0
+ requestId: request.headers["x-request-id"] | ""
+ clientTraceId: request.headers["x-client-trace-id"] | ""
+ latency: response.duration | "0ms"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ requestedServerName: connection.requested_server_name | ""
+ userAgent: request.useragent | ""
+ responseTimestamp: response.time
+ receivedBytes: request.total_size | 0
+ sentBytes: response.total_size | 0
+ referer: request.referer | ""
+ httpAuthority: request.headers[":authority"] | request.host | ""
+ xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ grpcStatus: response.grpc_status | ""
+ grpcMessage: response.grpc_message | ""
+ monitored_resource_type: '"global"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: logentry
+metadata:
+ name: tcpaccesslog
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ severity: '"Info"'
+ timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
+ variables:
+ connectionEvent: connection.event | ""
+ sourceIp: source.ip | ip("0.0.0.0")
+ sourceApp: source.labels["app"] | ""
+ sourcePrincipal: source.principal | ""
+ sourceName: source.name | ""
+ sourceWorkload: source.workload.name | ""
+ sourceNamespace: source.namespace | ""
+ sourceOwner: source.owner | ""
+ destinationApp: destination.labels["app"] | ""
+ destinationIp: destination.ip | ip("0.0.0.0")
+ destinationServiceHost: destination.service.host | ""
+ destinationWorkload: destination.workload.name | ""
+ destinationName: destination.name | ""
+ destinationNamespace: destination.namespace | ""
+ destinationOwner: destination.owner | ""
+ destinationPrincipal: destination.principal | ""
+ protocol: context.protocol | "tcp"
+ connectionDuration: connection.duration | "0ms"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ requestedServerName: connection.requested_server_name | ""
+ receivedBytes: connection.received.bytes | 0
+ sentBytes: connection.sent.bytes | 0
+ totalReceivedBytes: connection.received.bytes_total | 0
+ totalSentBytes: connection.sent.bytes_total | 0
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ responseFlags: context.proxy_error_code | ""
+ monitored_resource_type: '"global"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: stdio
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: context.protocol == "http" || context.protocol == "grpc"
+ actions:
+ - handler: stdio
+ instances:
+ - accesslog.logentry
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: stdiotcp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: stdio
+ instances:
+ - tcpaccesslog.logentry
+{{- end }}
+---
+{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }}
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestcount
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestduration
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: response.duration | "0ms"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: requestsize
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: request.size | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: responsesize
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: response.size | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ request_protocol: api.protocol | context.protocol | "unknown"
+ response_code: response.code | 200
+ response_flags: context.proxy_error_code | "-"
+ permissive_response_code: rbac.permissive.response_code | "none"
+ permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpbytesent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: connection.sent.bytes | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpbytereceived
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: connection.received.bytes | 0
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.host | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpconnectionsopened
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.name | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: metric
+metadata:
+ name: tcpconnectionsclosed
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ value: "1"
+ dimensions:
+ reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
+ source_workload: source.workload.name | "unknown"
+ source_workload_namespace: source.workload.namespace | "unknown"
+ source_principal: source.principal | "unknown"
+ source_app: source.labels["app"] | "unknown"
+ source_version: source.labels["version"] | "unknown"
+ destination_workload: destination.workload.name | "unknown"
+ destination_workload_namespace: destination.workload.namespace | "unknown"
+ destination_principal: destination.principal | "unknown"
+ destination_app: destination.labels["app"] | "unknown"
+ destination_version: destination.labels["version"] | "unknown"
+ destination_service: destination.service.name | "unknown"
+ destination_service_name: destination.service.name | "unknown"
+ destination_service_namespace: destination.service.namespace | "unknown"
+ connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
+ response_flags: context.proxy_error_code | "-"
+ monitored_resource_type: '"UNSPECIFIED"'
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: handler
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ compiledAdapter: prometheus
+ params:
+ metricsExpirationPolicy:
+ metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}"
+ metrics:
+ - name: requests_total
+ instance_name: requestcount.metric.{{ .Release.Namespace }}
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ - name: request_duration_seconds
+ instance_name: requestduration.metric.{{ .Release.Namespace }}
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ buckets:
+ explicit_buckets:
+ bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
+ - name: request_bytes
+ instance_name: requestsize.metric.{{ .Release.Namespace }}
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: response_bytes
+ instance_name: responsesize.metric.{{ .Release.Namespace }}
+ kind: DISTRIBUTION
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - request_protocol
+ - response_code
+ - response_flags
+ - permissive_response_code
+ - permissive_response_policyid
+ - connection_security_policy
+ buckets:
+ exponentialBuckets:
+ numFiniteBuckets: 8
+ scale: 1
+ growthFactor: 10
+ - name: tcp_sent_bytes_total
+ instance_name: tcpbytesent.metric.{{ .Release.Namespace }}
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_received_bytes_total
+ instance_name: tcpbytereceived.metric.{{ .Release.Namespace }}
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_connections_opened_total
+ instance_name: tcpconnectionsopened.metric.{{ .Release.Namespace }}
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+ - name: tcp_connections_closed_total
+ instance_name: tcpconnectionsclosed.metric.{{ .Release.Namespace }}
+ kind: COUNTER
+ label_names:
+ - reporter
+ - source_app
+ - source_principal
+ - source_workload
+ - source_workload_namespace
+ - source_version
+ - destination_app
+ - destination_principal
+ - destination_workload
+ - destination_workload_namespace
+ - destination_version
+ - destination_service
+ - destination_service_name
+ - destination_service_namespace
+ - connection_security_policy
+ - response_flags
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promhttp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false)
+ actions:
+ - handler: prometheus
+ instances:
+ - requestcount.metric
+ - requestduration.metric
+ - requestsize.metric
+ - responsesize.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpbytesent.metric
+ - tcpbytereceived.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcpconnectionopen
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: context.protocol == "tcp" && ((connection.event | "na") == "open")
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpconnectionsopened.metric
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: promtcpconnectionclosed
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: context.protocol == "tcp" && ((connection.event | "na") == "close")
+ actions:
+ - handler: prometheus
+ instances:
+ - tcpconnectionsclosed.metric
+{{- end }}
+---
+{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }}
+apiVersion: "config.istio.io/v1alpha2"
+kind: handler
+metadata:
+ name: kubernetesenv
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ compiledAdapter: kubernetesenv
+ params:
+ # when running from mixer root, use the following config after adding a
+ # symbolic link to a kubernetes config file via:
+ #
+ # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
+ #
+ # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: kubeattrgenrulerule
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ actions:
+ - handler: kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: tcpkubeattrgenrulerule
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ match: context.protocol == "tcp"
+ actions:
+ - handler: kubernetesenv
+ instances:
+ - attributes.kubernetes
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: kubernetes
+metadata:
+ name: attributes
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ # Pass the required attribute data to the adapter
+ source_uid: source.uid | ""
+ source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
+ destination_uid: destination.uid | ""
+ destination_port: destination.port | 0
+ attribute_bindings:
+ # Fill the new attributes from the adapter produced output.
+ # $out refers to an instance of OutputTemplate message
+ source.ip: $out.source_pod_ip | ip("0.0.0.0")
+ source.uid: $out.source_pod_uid | "unknown"
+ source.labels: $out.source_labels | emptyStringMap()
+ source.name: $out.source_pod_name | "unknown"
+ source.namespace: $out.source_namespace | "default"
+ source.owner: $out.source_owner | "unknown"
+ source.serviceAccount: $out.source_service_account_name | "unknown"
+ source.workload.uid: $out.source_workload_uid | "unknown"
+ source.workload.name: $out.source_workload_name | "unknown"
+ source.workload.namespace: $out.source_workload_namespace | "unknown"
+ destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
+ destination.uid: $out.destination_pod_uid | "unknown"
+ destination.labels: $out.destination_labels | emptyStringMap()
+ destination.name: $out.destination_pod_name | "unknown"
+ destination.container.name: $out.destination_container_name | "unknown"
+ destination.namespace: $out.destination_namespace | "default"
+ destination.owner: $out.destination_owner | "unknown"
+ destination.serviceAccount: $out.destination_service_account_name | "unknown"
+ destination.workload.uid: $out.destination_workload_uid | "unknown"
+ destination.workload.name: $out.destination_workload_name | "unknown"
+ destination.workload.namespace: $out.destination_workload_namespace | "unknown"
+{{- end }}
+---
+{{- if .Values.policy.enabled }}
+# Configuration needed by Mixer.
+# Mixer cluster is delivered via CDS
+# Specify mixer cluster settings
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ host: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ portLevelSettings:
+ - port:
+ number: 15004
+ tls:
+ mode: ISTIO_MUTUAL
+ {{- end}}
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+{{- end }}
+---
+{{- if .Values.telemetry.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-telemetry
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ host: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ portLevelSettings:
+ - port:
+ number: 15004
+ tls:
+ mode: ISTIO_MUTUAL
+ {{- end}}
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+{{- end }}
+---
+{{- end }}
--- /dev/null
+{{- define "policy_container" }}
+ spec:
+ serviceAccountName: istio-mixer-service-account
+{{- if $.Values.global.priorityClassName }}
+ priorityClassName: "{{ $.Values.global.priorityClassName }}"
+{{- end }}
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ - name: uds-socket
+ emptyDir: {}
+ - name: policy-adapter-secret
+ secret:
+ secretName: policy-adapter-secret
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ containers:
+ - name: mixer
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.global.monitoringPort }}
+ - containerPort: 42422
+ args:
+ - --monitoringPort={{ .Values.global.monitoringPort }}
+ - --address
+ - unix:///sock/mixer.socket
+{{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+{{- if $.Values.global.useMCP }}
+ {{- if $.Values.global.controlPlaneSecurityEnabled}}
+ - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- else }}
+ - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- end }}
+{{- else }}
+ - --configStoreURL=k8s://
+{{- end }}
+ - --configDefaultNamespace={{ $.Release.Namespace }}
+ {{- if $.Values.adapters.useAdapterCRDs }}
+ - --useAdapterCRDs=true
+ {{- else }}
+ - --useAdapterCRDs=false
+ {{- end }}
+ {{- if $.Values.global.tracer.zipkin.address }}
+ - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
+ {{- else }}
+ - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
+ {{- end }}
+ {{- if .Values.env }}
+ env:
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ resources:
+{{- if .Values.policy.resources }}
+{{ toYaml .Values.policy.resources | indent 10 }}
+{{- else if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+{{- if $.Values.global.useMCP }}
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+{{- end }}
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: {{ .Values.global.monitoringPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: istio-proxy
+{{- if contains "/" $.Values.global.proxy.image }}
+ image: "{{ $.Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }}
+ - --serviceCluster
+ - istio-policy
+ - --templateFile
+ - /etc/istio/proxy/envoy_policy.yaml.tmpl
+ {{- if $.Values.global.controlPlaneSecurityEnabled }}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ {{- end }}
+ {{- if $.Values.global.trustDomain }}
+ - --trust-domain={{ $.Values.global.trustDomain }}
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+{{- if $.Values.global.proxy.resources }}
+{{ toYaml $.Values.global.proxy.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+ - name: policy-adapter-secret
+ mountPath: /var/run/secrets/istio.io/policy/adapter
+ readOnly: true
+{{- end }}
+
+{{- define "telemetry_container" }}
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ - name: uds-socket
+ emptyDir: {}
+ - name: telemetry-adapter-secret
+ secret:
+ secretName: telemetry-adapter-secret
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ containers:
+ - name: mixer
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.global.monitoringPort }}
+ - containerPort: 42422
+ args:
+ - --monitoringPort={{ .Values.global.monitoringPort }}
+ - --address
+ - unix:///sock/mixer.socket
+{{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+{{- if $.Values.global.useMCP }}
+ {{- if $.Values.global.controlPlaneSecurityEnabled}}
+ - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ - --certFile=/etc/certs/cert-chain.pem
+ - --keyFile=/etc/certs/key.pem
+ - --caCertFile=/etc/certs/root-cert.pem
+ {{- else }}
+ - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- end }}
+{{- else }}
+ - --configStoreURL=k8s://
+{{- end }}
+ - --configDefaultNamespace={{ $.Release.Namespace }}
+ {{- if $.Values.adapters.useAdapterCRDs }}
+ - --useAdapterCRDs=true
+ {{- else }}
+ - --useAdapterCRDs=false
+ {{- end }}
+ {{- if $.Values.global.tracer.zipkin.address }}
+ - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
+ {{- else }}
+ - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
+ {{- end }}
+ - --averageLatencyThreshold
+ - {{ $.Values.telemetry.loadshedding.latencyThreshold }}
+ - --loadsheddingMode
+ - {{ $.Values.telemetry.loadshedding.mode }}
+ {{- if .Values.env }}
+ env:
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ resources:
+{{- if .Values.telemetry.resources }}
+{{ toYaml .Values.telemetry.resources | indent 10 }}
+{{- else if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+{{- if $.Values.global.useMCP }}
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+{{- end }}
+ - name: telemetry-adapter-secret
+ mountPath: /var/run/secrets/istio.io/telemetry/adapter
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: {{ .Values.global.monitoringPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: istio-proxy
+{{- if contains "/" $.Values.global.proxy.image }}
+ image: "{{ $.Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --serviceCluster
+ - istio-telemetry
+ - --templateFile
+ - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
+ {{- if $.Values.global.controlPlaneSecurityEnabled }}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+{{- if $.Values.global.proxy.resources }}
+{{ toYaml $.Values.global.proxy.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+{{- end }}
+
+
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: istio-mixer
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+spec:
+{{- if not $spec.autoscaleEnabled }}
+{{- if $spec.replicaCount }}
+ replicas: {{ $spec.replicaCount }}
+{{- else }}
+ replicas: 1
+{{- end }}
+{{- end }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+ template:
+ metadata:
+ labels:
+ app: {{ $key }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+{{- with $.Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- if eq $key "policy"}}
+{{- template "policy_container" $ }}
+{{- else }}
+{{- template "telemetry_container" $ }}
+{{- end }}
+
+---
+{{- end }}
+{{- end }}
+{{- end }} {{/* range */}}
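Review bot: In `policy_container` the mixer args switch to `--configStoreURL=mcps://istio-galley…` when `useMCP` and `controlPlaneSecurityEnabled` are both set, but unlike the same branch in `telemetry_container` they pass no `--certFile`, `--keyFile` or `--caCertFile`. This may still work if mixer defaults to the `/etc/certs` paths, but the two containers should not rely on different mechanisms for the same TLS client identity. Add `- --certFile=/etc/certs/cert-chain.pem`, `- --keyFile=/etc/certs/key.pem` and `- --caCertFile=/etc/certs/root-cert.pem` to the policy branch as well. Separately, `telemetry_container` omits the `priorityClassName` and `--trust-domain` handling that `policy_container` has, which looks unintentional.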
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ $key }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ version: {{ $.Chart.Version }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+spec:
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ $key }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
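Review bot: The inner `{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}` around the `include "podDisruptionBudget.spec"` line is redundant, because the whole document is already wrapped in the same condition at the top of the file. Dropping the inner `if`/`end` pair leaves the rendered output unchanged and makes it obvious that `spec:` is never emitted without its budget fields. The pilot PodDisruptionBudget template later in this diff repeats the same pattern.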
--- /dev/null
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ annotations:
+ networking.istio.io/exportTo: "*"
+ labels:
+ app: {{ template "mixer.name" $ }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: {{ $.Values.global.monitoringPort }}
+{{- if eq $key "telemetry" }}
+ - name: prometheus
+ port: 42422
+{{- if $spec.sessionAffinityEnabled }}
+ sessionAffinity: ClientIP
+{{- end }}
+{{- end }}
+ selector:
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+
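Review bot: The Service always publishes `grpc-mixer` on 9091 next to `grpc-mixer-mtls` on 15004, so the port that, judging by its name, does not require mutual TLS stays reachable cluster-wide even when `global.controlPlaneSecurityEnabled` is true. Consider rendering the 9091 entry only when control-plane security is off, by wrapping it in `{{- if not $.Values.global.controlPlaneSecurityEnabled }}` … `{{- end }}`, or add a comment stating which clients still need it. The pilot Service later in this diff has the same shape: 15010 and 8080 are commented `# direct` and are exposed unconditionally beside the mTLS port 15011.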
--- /dev/null
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- end }}
--- /dev/null
+#
+# mixer configuration
+#
+enabled: true
+image: mixer
+
+env:
+ GODEBUG: gctrace=1
+ # max procs should be ceil(cpu limit + 1)
+ GOMAXPROCS: "6"
+
+policy:
+ # if policy is enabled, global.disablePolicyChecks has affect.
+ enabled: false
+ replicaCount: 1
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ cpu:
+ targetAverageUtilization: 80
+
+telemetry:
+ enabled: true
+ replicaCount: 1
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ cpu:
+ targetAverageUtilization: 80
+ sessionAffinityEnabled: false
+
+ # mixer load shedding configuration.
+ # When mixer detects that it is overloaded, it starts rejecting grpc requests.
+ loadshedding:
+ # disabled, logonly or enforce
+ mode: enforce
+ # based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.
+ latencyThreshold: 100ms
+ resources:
+ requests:
+ cpu: 1000m
+ memory: 1G
+ limits:
+ # It is best to do horizontal scaling of mixer using moderate cpu allocation.
+ # We have experimentally found that these values work well.
+ cpu: 4800m
+ memory: 4G
+
+podAnnotations: {}
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+adapters:
+ kubernetesenv:
+ enabled: true
+
+ # stdio is a debug adapter in istio-telemetry, it is not recommended for production use.
+ stdio:
+ enabled: false
+ outputAsJson: true
+ prometheus:
+ enabled: true
+ metricsExpiryDuration: 10m
+ # Setting this to false sets the useAdapterCRDs mixer startup argument to false
+ useAdapterCRDs: true
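Review bot: The top-level `env` map is rendered into both the policy and the telemetry mixer container, so `GOMAXPROCS: "6"`, which the comment derives from the CPU limit, is sized only for `telemetry.resources.limits.cpu: 4800m`. `policy` defines no `resources` in this file and appears to fall back to `global.defaultResources`, so a policy pod would run with GOMAXPROCS=6 against whatever limit that default sets. Either add a matching `policy.resources` block, or make the assumption explicit in the comment: `# max procs should be ceil(cpu limit + 1); sized for telemetry.resources.limits.cpu`.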
--- /dev/null
+apiVersion: v1
+name: nodeagent
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for nodeagent deployment
+keywords:
+ - istio
+ - nodeagent
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "nodeagent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "nodeagent.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "nodeagent.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
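Review bot: The comment above `nodeagent.chart` says it creates the "chart name and version", but the template emits only `.Chart.Name`, so the `chart` label never carries a version. Either reword the comment to `Create chart name as used by the chart label.` or, if the version is wanted in the label, build it from both fields. The `pilot.chart` and `prometheus.chart` helpers later in this diff carry the same comment.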
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-nodeagent-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
\ No newline at end of file
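Review bot: This rule grants `get` on `configmaps` in every namespace through a ClusterRole, and nothing in the chart shows the node agent reading ConfigMaps outside its own namespace. If it does not, a namespaced `Role`/`RoleBinding` in `{{ .Release.Namespace }}`, optionally narrowed with `resourceNames`, would keep the same function with less reach. If cluster-wide reads are required, a comment on the rule naming the ConfigMap it needs would help the next reviewer.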
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-nodeagent-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-nodeagent-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: istio-nodeagent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: nodeagent
+spec:
+ template:
+ metadata:
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: nodeagent
+ spec:
+ serviceAccountName: istio-nodeagent-service-account
+ containers:
+ - name: nodeagent
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - mountPath: /var/run/sds
+ name: sdsudspath
+ env:
+ {{- if .Values.env }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ - name: "Trust_Domain"
+ value: "{{ .Values.global.trustDomain }}"
+ volumes:
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
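Review bot: The `sdsudspath` volume is a `hostPath` on `/var/run/sds` with no `type`, and the `nodeagent` container that mounts it read-write declares neither a `securityContext` nor `resources`. Any pod on the node that is allowed to mount the same host directory can reach whatever the agent places there, so the directory is the effective trust boundary. Declare the expected type explicitly (for example `type: DirectoryOrCreate`) and document that admission policy must restrict `hostPath` mounts of this path to the agent and the intended proxies. A `resources` block using `global.defaultResources`, as the mixer and pilot templates do, would also keep a per-node agent from running unbounded.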
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-nodeagent-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
--- /dev/null
+#
+# nodeagent configuration
+#
+enabled: false
+image: node-agent-k8s
+env:
+ # name of authentication provider.
+ CA_PROVIDER: ""
+ # CA endpoint.
+ CA_ADDR: ""
+ # names of authentication provider's plugins.
+ Plugins: ""
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
--- /dev/null
+apiVersion: v1
+name: pilot
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for pilot deployment
+keywords:
+ - istio
+ - pilot
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pilot.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "pilot.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pilot.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ maxReplicas: {{ .Values.autoscaleMax }}
+ minReplicas: {{ .Values.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-pilot
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+---
+{{- end }}
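Review bot: `scaleTargetRef.apiVersion` is `apps/v1beta1`, while the `istio-pilot` Deployment in this chart is created as `extensions/v1beta1`. The autoscaler usually resolves either group to the same object, but the mismatch makes the reference harder to audit and may fail on clusters that serve only one of the two groups; use the same apiVersion in both files. Also note that the guard `and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax` silently skips the HPA when either bound is 0 or unset, while the Deployment still omits `replicas` because `autoscaleEnabled` is true.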
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-pilot-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["config.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses", "ingresses/status"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+- apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
+ verbs: ["get", "list", "watch"]
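Review bot: The last rule gives the pilot service account `get`/`list`/`watch` on `secrets` in every namespace, bundled with endpoints, pods and services, and the `apiextensions.k8s.io` rule gives it `*` (which includes delete) on all CustomResourceDefinitions. If the CRDs are installed by a separate step rather than registered by pilot itself, `verbs: ["get", "list", "watch"]` should be enough for that rule. I would also move `secrets` into its own rule with a comment saying which feature reads them, so it can be dropped or scoped to a namespaced Role when that feature is off. The `resources: ["*"]` / `verbs: ["*"]` pairs on the Istio API groups deserve the same narrowing.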
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-pilot-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-pilot-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ # TODO: default template doesn't have this, which one is right ?
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: pilot
+ annotations:
+ checksum/config-volume: {{ template "istio.configmap.checksum" . }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+ replicas: {{ .Values.replicaCount }}
+{{- else }}
+ replicas: 1
+{{- end }}
+{{- end }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ istio: pilot
+ template:
+ metadata:
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: pilot
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-pilot-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: discovery
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - "discovery"
+ - --monitoringAddr=:{{ .Values.global.monitoringPort }}
+{{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+ - --domain
+ - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.global.oneNamespace }}
+ - "-a"
+ - {{ .Release.Namespace }}
+{{- end }}
+{{- if $.Values.global.controlPlaneSecurityEnabled}}
+ {{- if not .Values.sidecar }}
+ - --secureGrpcAddr
+ - ":15011"
+ {{- end }}
+{{- else }}
+ - --secureGrpcAddr
+ - ""
+{{- end }}
+{{- if .Values.global.trustDomain }}
+ - --trust-domain={{ .Values.global.trustDomain }}
+{{- end }}
+ - --keepaliveMaxServerConnectionAge
+ - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+ ports:
+ - containerPort: 8080
+ - containerPort: 15010
+{{- if not .Values.sidecar }}
+ - containerPort: 15011
+{{- end }}
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ timeoutSeconds: 5
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ {{- if .Values.env }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+{{- if .Values.traceSampling }}
+ - name: PILOT_TRACE_SAMPLING
+ value: "{{ .Values.traceSampling }}"
+{{- end }}
+ - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY
+ value: "1"
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+{{- if .Values.sidecar }}
+ - name: istio-proxy
+{{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 15003
+ - containerPort: 15005
+ - containerPort: 15007
+ - containerPort: 15011
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --serviceCluster
+ - istio-pilot
+ - --templateFile
+ - /etc/istio/proxy/envoy_pilot.yaml.tmpl
+ {{- if $.Values.global.controlPlaneSecurityEnabled}}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ {{- end }}
+ {{- if .Values.global.trustDomain }}
+ - --trust-domain={{ .Values.global.trustDomain }}
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+{{- if .Values.global.proxy.resources }}
+{{ toYaml .Values.global.proxy.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-pilot-service-account
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
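Review bot: `{{- if .Values.traceSampling }}` is false for `0` and `0.0`, so setting `traceSampling: 0` to turn sampling off drops the `PILOT_TRACE_SAMPLING` variable entirely, and pilot presumably falls back to its built-in rate instead. Test for presence rather than truthiness, e.g. `{{- if hasKey .Values "traceSampling" }}`. Two further gaps in the same pod spec: neither container sets a `securityContext`, and `config-volume` is mounted without `readOnly: true` although `istio-certs` has it.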
--- /dev/null
+{{- if .Values.global.meshExpansion.enabled }}
+{{- if .Values.global.meshExpansion.useILB }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-ilb-vs-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ hosts:
+ - istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ gateways:
+ - meshexpansion-ilb-gateway
+ tcp:
+ - match:
+ - port: 15011
+ route:
+ - destination:
+ host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 15011
+ - match:
+ - port: 15010
+ route:
+ - destination:
+ host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 15010
+ - match:
+ - port: 5353
+ route:
+ - destination:
+ host: kube-dns.kube-system.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 53
+---
+{{- else }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-vs-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ hosts:
+ - istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ gateways:
+ - meshexpansion-gateway
+ tcp:
+ - match:
+ - port: 15011
+ route:
+ - destination:
+ host: istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 15011
+---
+{{- end }}
+
+{{- if .Values.global.controlPlaneSecurityEnabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: meshexpansion-dr-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 15011
+ tls:
+ mode: DISABLE
+---
+{{- end }}
+{{- end }}
+
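Review bot: In the `useILB` branch the VirtualService forwards port 15010 to pilot and port 5353 to `kube-dns` unconditionally, so the non-mTLS discovery port and cluster DNS are reachable through `meshexpansion-ilb-gateway` even when `global.controlPlaneSecurityEnabled` is true; the non-ILB branch routes only 15011. If that is intended for ILB setups, say so in a comment; otherwise wrap the 15010 match in `{{- if not .Values.global.controlPlaneSecurityEnabled }}`. The `meshexpansion-dr-pilot` DestinationRule also needs a comment: `tls: mode: DISABLE` on 15011 under a "security enabled" condition reads like a downgrade unless the reader knows where TLS is terminated, which this file does not show.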
--- /dev/null
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "pilot.name" . }}
+ release: {{ .Release.Name }}
+ istio: pilot
+{{- end }}
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: {{ .Values.global.monitoringPort }}
+ name: http-monitoring
+ selector:
+ istio: pilot
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-pilot-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+#
+# pilot configuration
+#
+enabled: true
+autoscaleEnabled: true
+autoscaleMin: 1
+autoscaleMax: 5
+# specify replicaCount when autoscaleEnabled: false
+# replicaCount: 1
+image: pilot
+sidecar: true
+traceSampling: 1.0
+# Resources for a small pilot install
+resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+env:
+ PILOT_PUSH_THROTTLE: 100
+ GODEBUG: gctrace=1
+cpu:
+ targetAverageUtilization: 80
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+# The following is used to limit how long a sidecar can be connected
+# to a pilot. It balances out load across pilot instances at the cost of
+# increasing system churn.
+keepaliveMaxServerConnectionAge: 30m
--- /dev/null
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: prometheus
+version: 1.1.0
+appVersion: 2.3.1
+tillerVersion: ">=2.7.2"
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "prometheus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "prometheus.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "prometheus.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
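Review bot: The comment above `prometheus.chart` says it creates the "chart name and version", but the define only emits `.Chart.Name` truncated to 63 characters, so the `chart:` label carries no version. Rewording the comment to `Create the chart name as used by the chart label.` would match what the template does. The same comment and body appear above `security.chart` later in this diff.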
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: prometheus-{{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - nodes/proxy
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
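Review bot: `nodes/proxy` in the first rule grants more than metrics access: `get` on it lets the `prometheus` service account read any kubelet endpoint that the API server will proxy, on every node. The scrape config in this chart only uses `/api/v1/nodes/${1}/proxy/metrics` and `/proxy/metrics/cadvisor`, and RBAC cannot narrow the subresource to those paths. The rule should at least say why it is there, e.g. `# nodes/proxy: required by the kubernetes-nodes and kubernetes-cadvisor jobs, which scrape kubelets through the API server proxy`. Where those two jobs are not needed, dropping them together with this resource would shrink the role.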
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-{{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ prometheus.yml: |-
+ global:
+ scrape_interval: {{ .Values.scrapeInterval }}
+ scrape_configs:
+
+ - job_name: 'istio-mesh'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-telemetry;prometheus
+
+ # Scrape config for envoy stats
+ - job_name: 'envoy-stats'
+ metrics_path: /stats/prometheus
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:15090
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+ metric_relabel_configs:
+ # Exclude some of the envoy metrics that have massive cardinality
+ # This list may need to be pruned further moving forward, as informed
+ # by performance and scalability testing.
+ - source_labels: [ cluster_name ]
+ regex: '(outbound|inbound|prometheus_stats).*'
+ action: drop
+ - source_labels: [ tcp_prefix ]
+ regex: '(outbound|inbound|prometheus_stats).*'
+ action: drop
+ - source_labels: [ listener_address ]
+ regex: '(.+)'
+ action: drop
+ - source_labels: [ http_conn_manager_listener_prefix ]
+ regex: '(.+)'
+ action: drop
+ - source_labels: [ http_conn_manager_prefix ]
+ regex: '(.+)'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_tls.*'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_tcp_downstream.*'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_http_(stats|admin).*'
+ action: drop
+ - source_labels: [ __name__ ]
+ regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*'
+ action: drop
+
+ - job_name: 'istio-policy'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-policy;http-monitoring
+
+ - job_name: 'istio-telemetry'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-telemetry;http-monitoring
+
+ - job_name: 'pilot'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-pilot;http-monitoring
+
+ - job_name: 'galley'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-galley;http-monitoring
+
+ - job_name: 'citadel'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-citadel;http-monitoring
+
+ # scrape config for API servers
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - default
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: kubernetes;https
+
+ # scrape config for nodes (kubelet)
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ # Scrape config for Kubelet cAdvisor.
+ #
+ # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
+ # (those whose names begin with 'container_') have been removed from the
+ # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
+ # retrieve those metrics.
+ #
+ # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
+ # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
+ # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
+ # the --cadvisor-port=0 Kubelet flag).
+ #
+ # This job is not necessary and should be removed in Kubernetes 1.6 and
+ # earlier versions, or it will cause the metrics to be scraped twice.
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+
+ # scrape config for service endpoints.
+ - job_name: 'kubernetes-service-endpoints'
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: keep
+ regex: ((;.*)|(.*;http))
+ - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
+ action: drop
+ regex: (true)
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+ - job_name: 'kubernetes-pods-istio-secure'
+ scheme: https
+ tls_config:
+ ca_file: /etc/istio-certs/root-cert.pem
+ cert_file: /etc/istio-certs/cert-chain.pem
+ key_file: /etc/istio-certs/key.pem
+ insecure_skip_verify: true # prometheus does not support secure naming.
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ # sidecar status annotation is added by sidecar injector and
+ # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
+ action: keep
+ regex: (([^;]+);([^;]*))|(([^;]*);(true))
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: drop
+ regex: (http)
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__] # Only keep address that is host:port
+ action: keep # otherwise an extra target with ':443' is added for https scheme
+ regex: ([^:]+):(\d+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
\ No newline at end of file
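Review bot: In the `kubernetes-pods-istio-secure` job, `insecure_skip_verify: true` turns off server certificate verification, so `ca_file` is not used to authenticate the target. Prometheus will therefore present its Istio client certificate to whatever address pod discovery returns. The inline comment gives the reason (no secure naming) but not the consequence. I would extend it to `# prometheus does not support secure naming: the scrape is encrypted and client-authenticated, but the server identity is NOT verified`. Metrics from this job should be treated as unauthenticated until the target's identity can be checked.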
--- /dev/null
+# TODO: the original template has service account, roles, etc
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: prometheus
+ template:
+ metadata:
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: prometheus
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: prometheus
+ image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - '--storage.tsdb.retention={{ .Values.retention }}'
+ - '--config.file=/etc/prometheus/prometheus.yml'
+ ports:
+ - containerPort: 9090
+ name: http
+ livenessProbe:
+ httpGet:
+ path: /-/healthy
+ port: 9090
+ readinessProbe:
+ httpGet:
+ path: /-/ready
+ port: 9090
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/prometheus
+ - mountPath: /etc/istio-certs
+ name: istio-certs
+ volumes:
+ - name: config-volume
+ configMap:
+ name: prometheus
+ - name: istio-certs
+ secret:
+ defaultMode: 420
+{{- if not .Values.security.enabled }}
+ optional: true
+{{- end }}
+ secretName: istio.default
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
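Review bot: The `istio-certs` volume mounts `secretName: istio.default` although the pod runs with `serviceAccountName: prometheus`. Going by the `istio.<service-account>` naming, this looks like the key and certificate of the namespace's `default` service account, so Prometheus would present that shared identity on mTLS scrapes rather than its own. If that is intended, a comment on the volume should say so. Otherwise `secretName: istio.prometheus` would keep one identity per workload, to be confirmed against how the secrets are issued.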
--- /dev/null
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: prometheus
+ servicePort: 9090
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: prometheus
+ servicePort: 9090
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
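Review bot: `- host: {{ $host }}` is rendered unquoted, so a wildcard entry such as `*.example.com` in `ingress.hosts` is read as a YAML alias and the manifest fails to parse. The annotations in this same template already use `| quote`, and `- host: {{ $host | quote }}` brings the host in line with them. The two `path:` lines interpolate `contextPath` unquoted as well and could become `path: {{ .Values.contextPath | default "/" | quote }}` (with `$.Values` inside the `range`).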
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ prometheus.io/scrape: 'true'
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ app: prometheus
+ ports:
+ - name: http-prometheus
+ protocol: TCP
+ port: 9090
+
+{{- if .Values.service.nodePort.enabled }}
+# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus-nodeport
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: NodePort
+ ports:
+ - port: 9090
+ nodePort: {{ .Values.service.nodePort.port }}
+ name: http-prometheus
+ selector:
+ app: prometheus
+{{- end }}
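Review bot: The comment before the second document says "separate ingress for nodeport", but the resource that follows is a `Service` of `type: NodePort`. `# Using a separate Service for the NodePort, to avoid conflict with pilot e2e test configs.` would match it. The comment should also state that `service.nodePort.enabled` publishes port 9090 on every node, since nothing in this template puts authentication or TLS in front of Prometheus.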
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "prometheus.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus-test
+ chart: {{ template "prometheus.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: prometheus
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "prometheus.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && break || sleep 15; done']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
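Review bot: The readiness loop in `command` can never fail the Helm test. When all three `curl` attempts fail, the last command run is `sleep 15`, which exits 0, and `curl` without `-f` also exits 0 on an HTTP error status from `/-/ready`. An explicit exit fixes both: `for i in 1 2 3; do curl -fsS http://prometheus:9090/-/ready && exit 0; sleep 15; done; exit 1`.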
--- /dev/null
+#
+# addon prometheus configuration
+#
+enabled: true
+replicaCount: 1
+hub: docker.io/prom
+tag: v2.3.1
+retention: 6h
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+# Controls the frequency of prometheus scraping
+scrapeInterval: 15s
+
+contextPath: /prometheus
+
+ingress:
+ enabled: false
+ ## Used to create an Ingress record.
+ hosts:
+ - prometheus.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: prometheus-tls
+ # hosts:
+ # - prometheus.local
+
+service:
+ annotations: {}
+ nodePort:
+ enabled: false
+ port: 32090
+
+security:
+ enabled: true
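Review bot: Under `ingress`, the keys `annotations:` and `tls:` have only commented-out children, so both parse as null rather than as an empty map and an empty list. The ingress template in this diff tolerates that because it only uses `range` and `if` on them. Writing `annotations: {}` and `tls: []` states the intended types and matches `service.annotations: {}` a few lines further down.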
--- /dev/null
+apiVersion: v1
+name: security
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio authentication
+keywords:
+ - istio
+ - security
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "security.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "security.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "security.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+# The reason for creating a ServiceAccount and ClusterRole specifically for this
+# post-delete hooked job is because the citadel ServiceAccount is being deleted
+# before this hook is launched. On the other hand, running this hook before the
+# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
+# will be re-created immediately by the to-be-deleted citadel.
+#
+# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
+# will be ready before running the hooked Job therefore the hook weights.
+
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-cleanup-secrets-service-account
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "2"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-cleanup-secrets-service-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-cleanup-secrets-{{ .Values.global.tag | printf "%v" | trunc 32 }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "3"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ name: istio-cleanup-secrets
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-cleanup-secrets-service-account
+ containers:
+ - name: kubectl
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -c
+ - >
+ kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
+ ns=$(echo $entry | awk '{print $1}');
+ name=$(echo $entry | awk '{print $2}');
+ kubectl delete secret $name -n $ns;
+ done
+ restartPolicy: OnFailure
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
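Review bot: The cleanup script's pipeline hides failures and selects secrets by text match. If `kubectl get secret --all-namespaces` fails, `grep` sees no input, the `while` loop runs zero times and the job exits 0 with nothing deleted. `grep "istio.io/key-and-cert"` also matches that string in any column of the table output, and `$name` and `$ns` are expanded unquoted. Selecting on the secret type through the API and enabling `pipefail` keeps the delete scoped to the intended objects and makes a failed listing fail the job, as sketched below. Since this ClusterRole can delete any secret in the cluster and only `hook-succeeded` is set, it is worth confirming that the hook resources are also removed when the job fails.

```yaml
          # … unchanged: container name, image, imagePullPolicy …
          command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              kubectl get secret --all-namespaces \
                --field-selector type=istio.io/key-and-cert \
                -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name}{"\n"}{end}' |
              while read -r ns name; do
                kubectl delete secret "$name" -n "$ns"
              done
      # … unchanged: restartPolicy, affinity …
```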
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "update"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
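Review bot: None of the four rules says why Citadel needs it, and the second one gives `istio-citadel-service-account` create, read, update and delete on every secret in every namespace. RBAC cannot restrict this to `istio.io/key-and-cert` secrets, so the breadth should be documented where it is granted, e.g. `# secrets: Citadel manages a key/cert secret per service account in all namespaces`. The `configmaps` rule might be narrowable to a namespaced Role if Citadel only writes to its storage namespace (`--citadel-storage-namespace`), which cannot be confirmed from this hunk.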
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-security-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+data:
+ custom-resources.yaml: |-
+ {{- if .Values.global.mtls.enabled }}
+ {{- include "security-default.yaml.tpl" . | indent 4}}
+ {{- else }}
+ {{- include "security-permissive.yaml.tpl" . | indent 4}}
+ {{- end }}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
--- /dev/null
+{{- if .Values.createMeshPolicy }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-security-post-install-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-security-post-install-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["networking.istio.io"] # needed to create security destination rules
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-security-post-install-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-security-post-install-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ name: istio-security-post-install
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-security-post-install-account
+ containers:
+ - name: kubectl
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: IfNotPresent
+ command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
+ volumeMounts:
+ - mountPath: "/tmp/security"
+ name: tmp-configmap-security
+ volumes:
+ - name: tmp-configmap-security
+ configMap:
+ name: istio-security-custom-resources
+ restartPolicy: OnFailure
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+{{- end }}
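Review bot: The first two rules of the `istio-security-post-install-{{ .Release.Namespace }}` ClusterRole use `resources: ["*"]` with `verbs: ["*"]` on `authentication.istio.io` and `networking.istio.io`. Unlike the Job, the ServiceAccount, ClusterRole and ClusterRoleBinding carry no hook annotations, so this cluster-wide write access to mesh authentication and routing config appears to outlive the one-off install job. The inline comments say the job only creates the default authn policy and destination rules, which suggests `resources: ["meshpolicies"]` and `resources: ["destinationrules"]`, limited to the verbs `run.sh` actually uses (that script is not in this hunk). These two documents also use `rbac.authorization.k8s.io/v1beta1`, while the other RBAC objects in this diff use `v1`.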
--- /dev/null
+# istio CA watching all namespaces
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+spec:
+ replicas: 1
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-citadel-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: citadel
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --append-dns-names=true
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --citadel-storage-namespace={{ .Release.Namespace }}
+ - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }}
+ - --monitoring-port={{ .Values.global.monitoringPort }}
+ {{- if .Values.selfSigned }}
+ - --self-signed-ca=true
+ {{- else }}
+ - --self-signed-ca=false
+ - --signing-cert=/etc/cacerts/ca-cert.pem
+ - --signing-key=/etc/cacerts/ca-key.pem
+ - --root-cert=/etc/cacerts/root-cert.pem
+ - --cert-chain=/etc/cacerts/cert-chain.pem
+ {{- end }}
+ {{- if .Values.global.trustDomain }}
+ - --trust-domain={{ .Values.global.trustDomain }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: {{ .Values.global.monitoringPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+{{- if not .Values.selfSigned }}
+ volumeMounts:
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ volumes:
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
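Review bot: When `selfSigned` is false, the `cacerts` secret is mounted with `optional: true`, while the args point `--signing-key` and `--signing-cert` at files under `/etc/cacerts`. If the secret is missing, the pod still starts with an empty mount and the failure only surfaces inside Citadel. Dropping `optional: true` would hold the pod at volume setup with a missing-secret event instead. Separately, the container that holds the mesh CA key sets no `securityContext`, and whether the image tolerates `runAsNonRoot` and a read-only root filesystem would need checking.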
--- /dev/null
+{{- define "security-default.yaml.tpl" }}
+# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
+# they are added to Istio installation yaml for backward compatible. In future, they should be in
+# a separated yaml file so that customer can enable mTLS independent from installation.
+
+# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+ name: "default"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ peers:
+ - mtls: {}
+---
+# Corresponding destination rule to configure client side to use mutual TLS when talking to
+# any service (host) in the mesh.
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "default"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ host: "*.local"
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
+# Customer should add similar destination rules for other services that dont' have sidecar.
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "api-server"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}"
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+{{- end }}
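Review bot: The client-side rule hard-codes `host: "*.local"`, while the `api-server` rule in the same template builds its host from `.Values.global.proxy.clusterDomain`. If a cluster uses a domain that does not end in `.local`, the `ISTIO_MUTUAL` rule would presumably match nothing, and sidecars would send plaintext to peers whose MeshPolicy requires mTLS. Either derive the wildcard from the same value, for example `host: "*.{{ .Values.global.proxy.clusterDomain }}"`, or add a comment stating that the wildcard assumes a `.local` cluster domain.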
--- /dev/null
+{{- define "security-permissive.yaml.tpl" }}
+# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+ name: "default"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ peers:
+ - mtls:
+ mode: PERMISSIVE
+{{- end }}
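Review bot: The header comment on this MeshPolicy does not say what `mode: PERMISSIVE` means for enforcement. In this mode sidecars accept plaintext as well as mutual-TLS connections, so rendering this template instead of `security-default.yaml.tpl` leaves the mesh without peer authentication. I would extend the comment to `# PERMISSIVE accepts both plaintext and mutual-TLS traffic; intended for migration, not for enforcing mTLS.`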
--- /dev/null
+{{- if .Values.global.meshExpansion.enabled }}
+{{- if .Values.global.meshExpansion.useILB }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-vs-citadel-ilb
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+spec:
+ hosts:
+ - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ gateways:
+ - meshexpansion-ilb-gateway
+ tcp:
+ - match:
+ - port: 8060
+ route:
+ - destination:
+ host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 8060
+---
+{{- else }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-vs-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+spec:
+ hosts:
+ - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ gateways:
+ - meshexpansion-gateway
+ tcp:
+ - match:
+ - port: 8060
+ route:
+ - destination:
+ host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 8060
+---
+{{- end }}
+{{- end }}
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ # we use the normal name here (e.g. 'prometheus')
+ # as grafana is configured to use this as a data source
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+spec:
+ ports:
+ - name: grpc-citadel
+ port: 8060
+ targetPort: 8060
+ protocol: TCP
+ - name: http-monitoring
+ port: {{ .Values.global.monitoringPort }}
+ selector:
+ istio: citadel
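Review bot: The comment under `metadata:` talks about the "normal name (e.g. 'prometheus')" and grafana using it as a data source, which does not describe the `istio-citadel` Service and looks carried over from another chart. I would replace it with something that matches the resource, for example `# Citadel CA endpoint (grpc-citadel, 8060) plus the monitoring port; selected by istio: citadel`. A stale comment on the CA's Service is easy to misread when auditing which ports the CA exposes.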
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
--- /dev/null
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "security.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-citadel-test
+ chart: {{ template "security.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "security.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && break || sleep 15; done']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
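Review bot: The test `command` can never fail: when `curl` fails on the third attempt the last command executed is `sleep 15`, which exits 0, so `sh -c` returns success and the `test-success` hook passes even if Citadel is unreachable. `curl` is also called without `-f`, so an HTTP error status would count as success. Something like `'for i in 1 2 3; do curl -f http://istio-citadel:8060/-/ready && exit 0; sleep 15; done; exit 1'` makes the outcome reflect the probe. Port 8060 is the one the Service names `grpc-citadel`, so it is also worth confirming that an HTTP readiness path is actually served there.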
--- /dev/null
+#
+# security configuration
+#
+enabled: true
+image: citadel
+selfSigned: true # indicate if self-signed CA is used.
+createMeshPolicy: true
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
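Review bot: The `selfSigned` comment does not say what an operator must provide when it is set to `false`. The Citadel deployment template earlier in this diff then passes `--signing-cert`, `--signing-key`, `--root-cert` and `--cert-chain` pointing at `/etc/cacerts`, and mounts the `cacerts` secret with `optional: true`, so a missing secret would not block pod start. I would document it as `# false: Citadel reads ca-cert.pem, ca-key.pem, root-cert.pem and cert-chain.pem from the 'cacerts' secret, which must exist before install`. `createMeshPolicy` has no comment at all and would benefit from one line as well.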
--- /dev/null
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: servicegraph
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
--- /dev/null
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+ http://{{ . }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "servicegraph.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc -w {{ template "servicegraph.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "servicegraph.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "servicegraph.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:8088
+{{- end }}
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "servicegraph.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "servicegraph.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "servicegraph.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
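Review bot: The doc comment on `servicegraph.chart` says "Create chart name and version as used by the chart label", but the body only emits `.Chart.Name`. The same mismatch appears on `sidecar-injector.chart` and `tracing.chart` in the helper files added later in this diff. Either reword the comment to `Create the chart name used by the chart label.` or include the version in the label, as the zipkin deployment in this diff does with `{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}`.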
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: servicegraph
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: servicegraph
+ chart: {{ template "servicegraph.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: servicegraph
+ chart: {{ template "servicegraph.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+ containers:
+ - name: servicegraph
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 8088
+ args:
+ - --prometheusAddr={{- .Values.prometheusAddr }}
+ livenessProbe:
+ httpGet:
+ path: /graph
+ port: 8088
+ readinessProbe:
+ httpGet:
+ path: /graph
+ port: 8088
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
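Review bot: The pod spec sets neither `serviceAccountName` nor `automountServiceAccountToken`, so servicegraph runs under the namespace's default service account with its API token mounted. From the visible args it only needs to reach `--prometheusAddr`; if it indeed makes no Kubernetes API calls, add `automountServiceAccountToken: false` to the pod spec. The container also has no `securityContext`; `allowPrivilegeEscalation: false` would be a low-risk default, assuming the image does not depend on it.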
--- /dev/null
+{{- if .Values.ingress.enabled -}}
+{{- $servicePort := .Values.service.externalPort -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ template "servicegraph.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: servicegraph
+ chart: {{ template "servicegraph.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: servicegraph
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: servicegraph
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: servicegraph
+ chart: {{ template "servicegraph.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: 8088
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: servicegraph
+{{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
+{{- end }}
+ {{if .Values.service.loadBalancerSourceRanges}}
+ loadBalancerSourceRanges:
+ {{range $rangeList := .Values.service.loadBalancerSourceRanges}}
+ - {{ $rangeList }}
+ {{end}}
+ {{end}}
\ No newline at end of file
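Review bot: The `loadBalancerSourceRanges` block uses `{{if ...}}`, `{{range ...}}` and `{{end}}` without the `{{-` trim markers used everywhere else in this template, so it renders stray blank lines, and the file ends without a trailing newline. I would write it as `{{- if .Values.service.loadBalancerSourceRanges }}` / `{{- range ... }}` / `{{- end }}` to match the `loadBalancerIP` block just above. It is also worth a comment that with `type: LoadBalancer` and no source ranges the graph endpoint is reachable from any address the load balancer accepts.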
--- /dev/null
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "servicegraph.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: servicegraph-test
+ chart: {{ template "servicegraph.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: servicegraph
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "servicegraph.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://servicegraph:{{ .Values.servicegraph.service.externalPort }}']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
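Review bot: The `args` line reads the port from `.Values.servicegraph.service.externalPort`, whereas the Service template of the same chart uses `.Values.service.externalPort`. If this file is rendered inside the servicegraph subchart, as the `servicegraph.fullname` helper suggests, `.Values.servicegraph` is not defined in that scope and rendering would fail as soon as `global.enableHelmTest` is set. I would change it to `args: ['--fail', 'http://servicegraph:{{ .Values.service.externalPort }}']`; the added `--fail` makes the hook report HTTP error responses instead of exiting 0 on them.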
--- /dev/null
+#
+# addon servicegraph configuration
+#
+enabled: false
+replicaCount: 1
+image: servicegraph
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+service:
+ annotations: {}
+ name: http
+ type: ClusterIP
+ externalPort: 8088
+ loadBalancerIP:
+ loadBalancerSourceRanges:
+ingress:
+ enabled: false
+ # Used to create an Ingress record.
+ hosts:
+ - servicegraph.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: servicegraph-tls
+ # hosts:
+ # - servicegraph.local
+# prometheus address
+prometheusAddr: http://prometheus:9090
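Review bot: Several keys are left bare (`loadBalancerIP:`, `loadBalancerSourceRanges:`, `ingress.annotations:`, `ingress.tls:`), which YAML parses as null rather than as an empty string, list or map. The templates guard them with `if`/`range`, so rendering works, but explicit empties such as `loadBalancerIP: ""`, `loadBalancerSourceRanges: []`, `annotations: {}` and `tls: []` make the expected type clear to anyone overriding them. A one-line comment on `loadBalancerSourceRanges` noting that an empty list leaves a `LoadBalancer` service unrestricted would help operators who change `service.type`.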
--- /dev/null
+apiVersion: v1
+name: sidecarInjectorWebhook
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for sidecar injector webhook deployment
+keywords:
+ - istio
+ - sidecarInjectorWebhook
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sidecar-injector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sidecar-injector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sidecar-injector.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "patch"]
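Review bot: The second rule grants `patch` on every `mutatingwebhookconfigurations` object in the cluster, which is broader than the injector appears to need. The only webhook configuration this chart creates is `istio-sidecar-injector` (its `caBundle` is rendered empty, presumably to be filled in by the injector), so a compromise of this service account could otherwise alter any other admission webhook. I would keep the read verbs unrestricted and scope `patch` with `resourceNames`, as sketched below.
```yaml
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["get", "list", "watch"]
# patch is limited to the webhook configuration this chart owns
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  resourceNames: ["istio-sidecar-injector"]
  verbs: ["patch"]
```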
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-sidecar-injector-service-account
+ {{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: sidecar-injector-webhook
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --caCertFile=/etc/istio/certs/root-cert.pem
+ - --tlsCertFile=/etc/istio/certs/cert-chain.pem
+ - --tlsKeyFile=/etc/istio/certs/key.pem
+ - --injectConfig=/etc/istio/inject/config
+ - --meshConfig=/etc/istio/config/mesh
+ - --healthCheckInterval=2s
+ - --healthCheckFile=/health
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ readOnly: true
+ - name: certs
+ mountPath: /etc/istio/certs
+ readOnly: true
+ - name: inject-config
+ mountPath: /etc/istio/inject
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: certs
+ secret:
+ secretName: istio.istio-sidecar-injector-service-account
+ - name: inject-config
+ configMap:
+ name: istio-sidecar-injector
+ items:
+ - key: config
+ path: config
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
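Review bot: The `sidecar-injector-webhook` container has no `securityContext`, although it holds the webhook TLS key from `/etc/istio/certs` and rewrites pod specs at admission. All three volume mounts are already `readOnly: true`, so adding `allowPrivilegeEscalation: false` under the container should be safe. A read-only root filesystem would need `--healthCheckFile=/health` moved to a writable `emptyDir`, and whether the process can run as non-root depends on its listen port, which this hunk does not show.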
--- /dev/null
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+webhooks:
+ - name: sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ path: "/inject"
+ caBundle: ""
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ namespaceSelector:
+{{- if .Values.enableNamespacesByDefault }}
+ matchExpressions:
+ - key: istio-injection
+ operator: NotIn
+ values:
+ - disabled
+{{- else }}
+ matchLabels:
+ istio-injection: enabled
+{{- end }}
+
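Review bot: With `failurePolicy: Fail`, the `enableNamespacesByDefault` branch (`operator: NotIn` / `disabled`) makes pod creation in every unlabelled namespace depend on the injector being reachable, and the chart's values default to `replicaCount: 1`. System namespaces that are not labelled `istio-injection: disabled` would be caught by this too. I would document next to the selector that such namespaces must be labelled before the flag is enabled, and recommend more than one replica in that mode. Separately, `metadata.namespace` has no effect on this cluster-scoped resource and could be dropped.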
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+spec:
+ ports:
+ - port: 443
+ selector:
+ istio: sidecar-injector
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
--- /dev/null
+#
+# sidecar-injector webhook configuration
+#
+enabled: true
+replicaCount: 1
+image: sidecar_injector
+enableNamespacesByDefault: false
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+# If true, webhook or istioctl injector will rewrite PodSpec for liveness
+# health check to redirect request to sidecar. This makes liveness check work
+# even when mTLS is enabled.
+rewriteAppHTTPProbe: false
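Review bot: `enableNamespacesByDefault` has no comment, yet it switches the webhook's namespace selector between opt-in and opt-out. Per the MutatingWebhookConfiguration template in this diff, `false` selects only namespaces labelled `istio-injection: enabled`, while `true` selects every namespace not labelled `istio-injection: disabled`. I would add `# true: inject everywhere except namespaces labelled istio-injection=disabled; false: inject only where istio-injection=enabled` above the key.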
--- /dev/null
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: tracing
+version: 1.1.0
+appVersion: 1.5.1
+tillerVersion: ">=2.7.2"
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tracing.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tracing.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tracing.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+{{ if eq .Values.provider "jaeger" }}
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-tracing
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "16686"
+{{- if .Values.contextPath }}
+ prometheus.io/path: "{{ .Values.contextPath }}/metrics"
+{{- else }}
+ prometheus.io/path: "/{{ .Values.provider }}/metrics"
+{{- end }}
+ spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+ containers:
+ - name: jaeger
+ image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 9411
+ - containerPort: 16686
+ - containerPort: 5775
+ protocol: UDP
+ - containerPort: 6831
+ protocol: UDP
+ - containerPort: 6832
+ protocol: UDP
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: COLLECTOR_ZIPKIN_HTTP_PORT
+ value: "9411"
+ - name: MEMORY_MAX_TRACES
+ value: "{{ .Values.jaeger.memory.max_traces }}"
+ - name: QUERY_BASE_PATH
+ value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 16686
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 16686
+ resources:
+{{- if .Values.jaeger.resources }}
+{{ toYaml .Values.jaeger.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+{{ end }}
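Review bot: The `QUERY_BASE_PATH` value is emitted unquoted with padding spaces inside an inline `if`/`else`, unlike the quoted env values next to it. A `contextPath` containing ` #` or `: ` would be truncated or break the manifest, and the extra spaces only disappear because YAML trims plain scalars. The equivalent `value: {{ .Values.contextPath | default (printf "/%s" .Values.provider) | quote }}` avoids both. The two `path:` lines in the tracing Ingress template later in this diff use the same inline pattern and would benefit from the same form.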
--- /dev/null
+{{ if eq .Values.provider "zipkin" }}
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: zipkin
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ template:
+ metadata:
+ labels:
+ app: zipkin
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.zipkin.hub }}/zipkin:{{ .Values.zipkin.tag }}"
+ ports:
+ - containerPort: {{ .Values.zipkin.queryPort }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }}
+ tcpSocket:
+ port: {{ .Values.zipkin.queryPort }}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }}
+ httpGet:
+ path: /health
+ port: {{ .Values.zipkin.queryPort }}
+ resources:
+{{- if .Values.zipkin.resources }}
+{{ toYaml .Values.zipkin.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: QUERY_PORT
+ value: "{{ .Values.zipkin.queryPort }}"
+ - name: JAVA_OPTS
+ value: "-XX:ConcGCThreads={{ .Values.zipkin.node.cpus }} -XX:ParallelGCThreads={{ .Values.zipkin.node.cpus }} -Djava.util.concurrent.ForkJoinPool.common.parallelism={{ .Values.zipkin.node.cpus }} -Xms{{ .Values.zipkin.javaOptsHeap }}M -Xmx{{ .Values.zipkin.javaOptsHeap }}M -XX:+UseG1GC -server"
+ - name: STORAGE_METHOD
+ value: "mem"
+ - name: ZIPKIN_STORAGE_MEM_MAXSPANS
+ value: "{{ .Values.zipkin.maxSpans }}"
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+{{ end }}
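Review bot: The zipkin Deployment is not consistent with the jaeger Deployment for the same chart. It has no `sidecar.istio.io/inject: "false"` annotation, no `priorityClassName` or `imagePullSecrets` blocks and no `imagePullPolicy`, and it builds the `chart` label inline instead of using the `tracing.chart` helper. In a namespace where injection is enabled, the zipkin pod would therefore get a sidecar while the jaeger one would not, which looks unintended given that every other addon in this diff opts out. I would mirror the jaeger template's annotation and the `global.*` blocks here.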
--- /dev/null
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ template "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} /{{ $.Values.provider }} {{ end }}
+ backend:
+ serviceName: tracing
+ servicePort: 80
+
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
+ backend:
+ serviceName: tracing
+ servicePort: 80
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
--- /dev/null
+{{ if eq .Values.provider "jaeger" }}
+
+apiVersion: v1
+kind: List
+metadata:
+ name: jaeger-services
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-query
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: jaeger
+ jaeger-infra: jaeger-service
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: query-http
+ port: 16686
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: jaeger
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ jaeger-infra: collector-service
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: jaeger-collector-tchannel
+ port: 14267
+ protocol: TCP
+ targetPort: 14267
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ selector:
+ app: jaeger
+ type: ClusterIP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-agent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ jaeger-infra: agent-service
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: agent-zipkin-thrift
+ port: 5775
+ protocol: UDP
+ targetPort: 5775
+ - name: agent-compact
+ port: 6831
+ protocol: UDP
+ targetPort: 6831
+ - name: agent-binary
+ port: 6832
+ protocol: UDP
+ targetPort: 6832
+ clusterIP: None
+ selector:
+ app: jaeger
+{{ end }}
+
--- /dev/null
+apiVersion: v1
+kind: List
+metadata:
+ name: tracing-services
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: 9411
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Values.provider }}
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+{{ if eq .Values.provider "jaeger" }}
+ targetPort: 16686
+{{ else }}
+ targetPort: 9411
+{{ end}}
+ selector:
+ app: {{ .Values.provider }}
--- /dev/null
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.provider }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}-test
+ chart: {{ template "tracing.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ .Values.provider }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ {{- if eq .Values.provider "jaeger" }}
+ args: ['http://tracing:80{{ .Values.jaeger.contextPath}}']
+ {{- else }}
+ args: ['http://tracing:80']
+ {{- end }}
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
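Review bot: The test container runs bare `curl` against `http://tracing:80`, and curl exits 0 on HTTP 4xx/5xx responses unless told otherwise, so this `test-success` hook passes even when the tracing endpoint answers with an error. Adding `--fail` to both branches, for example `args: ['--fail', '--silent', '--show-error', 'http://tracing:80']`, makes the hook's exit status reflect the HTTP result. The pod also declares no `securityContext` and no resource limits. A one-line comment that the proxy image is reused only for its curl binary would help the next reader.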
--- /dev/null
+#
+# addon jeager tracing configuration
+#
+enabled: false
+
+provider: jaeger
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+jaeger:
+ hub: docker.io/jaegertracing
+ tag: 1.9
+ memory:
+ max_traces: 50000
+
+zipkin:
+ hub: docker.io/openzipkin
+ tag: 2
+ probeStartupDelay: 200
+ queryPort: 9411
+ resources:
+ limits:
+ cpu: 300m
+ memory: 900Mi
+ requests:
+ cpu: 150m
+ memory: 900Mi
+ javaOptsHeap: 700
+ # From: https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/resources/zipkin-server-shared.yml#L51
+ # Maximum number of spans to keep in memory. When exceeded, oldest traces (and their spans) will be purged.
+ # A safe estimate is 1K of memory per span (each span with 2 annotations + 1 binary annotation), plus
+ # 100 MB for a safety buffer. You'll need to verify in your own environment.
+ maxSpans: 500000
+ node:
+ cpus: 2
+
+service:
+ annotations: {}
+ name: http
+ type: ClusterIP
+ externalPort: 9411
+
+ingress:
+ enabled: false
+ # Used to create an Ingress record.
+ hosts:
+ # - tracing.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: tracing-tls
+ # hosts:
+ # - tracing.local
+
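Review bot: The image tags `tag: 1.9` (jaeger) and `tag: 2` (zipkin) are unquoted numbers, and `2` is a moving major-version tag, so the image that gets deployed can change without any change to this chart. Quoting the tags (`tag: "1.9"`) stops YAML from reading a later value such as 1.10 as the float 1.1. Pinning zipkin to a full release version, or to a digest if the templates accept one, makes the deployment reproducible and auditable. Separately, the header comment misspells jaeger as "jeager", and the anti-affinity example lists `values: S1,S2` while its explanation mentions only "S1".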
--- /dev/null
+# Example Values
+
+These files provide various example values for different Istio setups.
+
+To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`.
--- /dev/null
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ sds:
+ enabled: true
+ udsPath: "unix:/var/run/sds/uds_path"
+ useNormalJwt: true
+
+nodeagent:
+ enabled: true
+ image: node-agent-k8s
+ env:
+ # The IP address and the port number of a publicly accessible example Vault server.
+ CA_ADDR: "https://34.83.129.211:8200"
+ CA_PROVIDER: "VaultCA"
+ VALID_TOKEN: true
+ # The IP address and the port number of a publicly accessible example Vault server.
+ VAULT_ADDR: "https://34.83.129.211:8200"
+ VAULT_AUTH_PATH: "auth/kubernetes/login"
+ VAULT_ROLE: "istio-cert"
+ VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role"
+ VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAO1S7vuRQmo2He+RtBq3fv8wDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTkwNDI3MTY1ODE1WhgPMjExOTA0MDMxNjU4\nMTVaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA7/CTbnENEIvFZg9hmVtYnOx3OfMy/GNCuP7sqtAeVVTopAKKkcAAWQck\nrhpBooEGpCugNxXGNCuJh/2nu0AfGFRfdafwSJRoI6yHwQouDm0o4r3h9uL3tu5N\nD+x9j+eejbFsoZVn84CxGkEB6oyeXYHjc6eWh3PFGMtKuOQD4pezvDH0yNCx5waK\nhtPuYtl0ebfdbyh+WQuptO+Q9VSaQNqE3ipZ461y8PduwRRll241W0gQB2iasX03\nD36F2ZrMz3KEVRVKM1yCUDCy2RPJqkXPdnVMWmDGbe8Uw69zr25JltzuRZFT9HL3\nY1RnMTecmSc4ikTUHcMhFX3PYbfR5wIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQiU4HTMA0GCSqGSIb3DQEBCwUAA4IB\nAQCdLh6olDVQB71LD6srbfAE4EsxLEBbIRnv7Nf1S0KQwgW/QxK8DHBwJBxJkr1N\nzgEPx86f2Fo2UsY9m6rvgP3+iquyMsKi0ooUah3y3LSnONuZcdfSTl/HYd38S6Dp\nVkVOZ7781xxpFVUqQ5voQX1Y1Ipn5qw0FyIcNYWLkNX+iMf1b9kpEIWQNhRC/Yiv\nTS0VA/BzQemGyf2UB6QsuZLH+JFEZnzU859qURnNIITa1Wf4YUtka5Sp1kDnEll3\nwj4IlXKU+Wl1CzxJyn4SSQAXy/Lb08ZKrF/YSzcIISnRX5j+wa8ApOSwwA/B7iaT\nTWz1g+RlV9qHap70eIjPsQvb\n-----END CERTIFICATE-----'
\ No newline at end of file
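Review bot: `CA_ADDR` and `VAULT_ADDR` point the node agent at a fixed public address (`https://34.83.129.211:8200`) with a pinned root certificate, so a cluster installed with this file unchanged would request its workload certificates from a Vault server the operator does not control. Going by the SDS comments in the mesh ConfigMap template on this page, that would also mean presenting service-account JWTs to that server. The comment calls it an example server but does not say the values must be replaced; I would add `# Example only: replace CA_ADDR, VAULT_ADDR and VAULT_TLS_ROOT_CERT with your own Vault before using this outside a demo.` above the entries. `VALID_TOKEN: true` is a YAML boolean; unless the consuming template quotes env values it should be written `"true"`, since container env values must be strings.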
--- /dev/null
+# Common settings.
+global:
+ # Omit the istio-sidecar-injector configmap when generate a
+ # standalone gateway. Gateways may be created in namespaces other
+ # than `istio-system` and we don't want to re-create the injector
+ # configmap in those.
+ omitSidecarInjectorConfigMap: true
+
+ # Istio control plane namespace: This specifies where the Istio control
+ # plane was installed earlier. Modify this if you installed the control
+ # plane in a different namespace than istio-system.
+ istioNamespace: istio-system
+
+ proxy:
+ # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
+ # would be <host>:<port>).
+ # Disabled by default.
+ # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
+ envoyStatsd:
+ # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
+ enabled: false
+ host: # example: statsd-svc.istio-system
+ port: # example: 9125
+
+
+#
+# Gateways Configuration
+# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
+# You can add more gateways in addition to the defaults but make sure those are uniquely named
+# and that NodePorts are not conflicting.
+# Disable specifc gateway by setting the `enabled` to false.
+#
+gateways:
+ enabled: true
+
+ custom-gateway:
+ enabled: true
+ labels:
+ app: custom-gateway
+ replicaCount: 1
+ autoscaleMin: 1
+ autoscaleMax: 5
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ #requests:
+ # cpu: 1800m
+ # memory: 256Mi
+ cpu:
+ targetAverageUtilization: 80
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: {}
+ externalIPs: []
+ serviceAnnotations: {}
+ podAnnotations: {}
+ type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+ #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
+ ports:
+ ## You can add custom gateway ports
+ - port: 80
+ targetPort: 80
+ name: http2
+ # nodePort: 31380
+ - port: 443
+ name: https
+ # nodePort: 31390
+ - port: 31400
+ name: tcp
+ # nodePort: 31400
+ # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
+ # to pilot/citadel if global.meshExpansion settings are enabled.
+ - port: 15011
+ targetPort: 15011
+ name: tcp-pilot-grpc-tls
+ - port: 8060
+ targetPort: 8060
+ name: tcp-citadel-grpc-tls
+ # Addon ports for kiali are enabled in gateway - but will only redirect if
+ # the gateway configuration for the various components are enabled.
+ - port: 15029
+ targetPort: 15029
+ name: http2-kiali
+ # Telemetry-related ports are enabled in gateway - but will only redirect if
+ # the gateway configuration for the various components are enabled.
+ - port: 15030
+ targetPort: 15030
+ name: http2-prometheus
+ - port: 15031
+ targetPort: 15031
+ name: http2-grafana
+ - port: 15032
+ targetPort: 15032
+ name: http2-tracing
+ secretVolumes:
+ - name: customgateway-certs
+ secretName: istio-customgateway-certs
+ mountPath: /etc/istio/customgateway-certs
+ - name: customgateway-ca-certs
+ secretName: istio-customgateway-ca-certs
+ mountPath: /etc/istio/customgateway-ca-certs
+
+# all other components are disabled except the gateways
+security:
+ enabled: false
+
+sidecarInjectorWebhook:
+ enabled: false
+
+galley:
+ enabled: false
+
+mixer:
+ policy:
+ enabled: false
+ telemetry:
+ enabled: false
+
+pilot:
+ enabled: false
+
+grafana:
+ enabled: false
+
+prometheus:
+ enabled: false
+
+servicegraph:
+ enabled: false
+
+tracing:
+ enabled: false
+
+kiali:
+ enabled: false
+
+certmanager:
+ enabled: false
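Review bot: `custom-gateway` defaults to `type: LoadBalancer` with no source restriction while publishing the Pilot (15011), Citadel (8060), Kiali (15029), Prometheus (15030), Grafana (15031) and tracing (15032) ports alongside 80 and 443. The comments say these only forward when the matching gateway configuration exists, but the Service still exposes them on an externally reachable load balancer. For a standalone gateway example I would list only the ports the gateway is meant to serve and let operators add the rest. `loadBalancerSourceRanges: {}` is also a map where the Service field is a list of CIDRs; `loadBalancerSourceRanges: []` with a comment such as `# e.g. ["10.0.0.0/8"]` would be the right shape.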
--- /dev/null
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ sds:
+ enabled: true
+ udsPath: "unix:/var/run/sds/uds_path"
+ useTrustworthyJwt: true
+
+ trustDomain: ""
+
+nodeagent:
+ enabled: true
+ image: node-agent-k8s
+ env:
+ CA_PROVIDER: "GoogleCA"
+ CA_ADDR: "istioca.googleapis.com:443"
+ Plugins: "GoogleTokenExchange"
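Review bot: `controlPlaneSecurityEnabled: false` sits next to `mtls.enabled: true` with no explanation, and the mesh ConfigMap template later on this page turns that value into `controlPlaneAuthPolicy: NONE` with the discovery port 15010. This profile therefore secures service-to-service traffic but leaves the sidecar-to-Pilot channel unauthenticated. If that is deliberate for SDS in this release, it deserves a comment such as `# Control-plane mTLS is off in this profile; sidecars reach Pilot without mutual TLS.` The Vault example values file earlier in this diff sets the same flag. `trustDomain: ""` would also benefit from a line saying what the empty value falls back to.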
--- /dev/null
+global:
+ # Provides dns resolution for global services
+ podDNSSearchNamespaces:
+ - global
+ - "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global"
+
+ multiCluster:
+ enabled: true
+
+ controlPlaneSecurityEnabled: true
+
+# Multicluster with gateways requires a root CA
+# Cluster local CAs are bootstrapped with the root CA.
+security:
+ selfSigned: false
+
+# Provides dns resolution for service entries of form
+# name.namespace.global
+istiocoredns:
+ enabled: true
+
+gateways:
+ istio-egressgateway:
+ enabled: true
+ env:
+ # Needed to route traffic via egress gateway if desired.
+ ISTIO_META_REQUESTED_NETWORK_VIEW: "external"
--- /dev/null
+dependencies:
+ - name: sidecarInjectorWebhook
+ version: 1.1.0
+ condition: sidecarInjectorWebhook.enabled
+ - name: security
+ version: 1.1.0
+ condition: security.enabled
+ - name: gateways
+ version: 1.1.0
+ condition: gateways.enabled
+ - name: mixer
+ version: 1.1.0
+ condition: or mixer.policy.enabled mixer.telemetry.enabled
+ - name: nodeagent
+ version: 1.1.0
+ condition: nodeagent.enabled
+ - name: pilot
+ version: 1.1.0
+ condition: pilot.enabled
+ - name: grafana
+ version: 1.1.0
+ condition: grafana.enabled
+ - name: prometheus
+ version: 1.1.0
+ condition: prometheus.enabled
+ - name: servicegraph
+ version: 1.1.0
+ condition: servicegraph.enabled
+ - name: tracing
+ version: 1.1.0
+ condition: tracing.enabled
+ - name: galley
+ version: 1.1.0
+ condition: galley.enabled
+ - name: kiali
+ version: 1.1.0
+ condition: kiali.enabled
+ - name: istiocoredns
+ version: 1.1.0
+ condition: istiocoredns.enabled
+ - name: certmanager
+ version: 1.1.0
+ condition: certmanager.enabled
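Review bot: `condition: or mixer.policy.enabled mixer.telemetry.enabled` is not a form Helm's `condition` field evaluates: the field takes one or more value paths separated by commas, not a template expression. As written the string matches no path, so the condition has no effect and the mixer subchart is always loaded, presumably relying on guards inside the subchart's own templates. `condition: mixer.policy.enabled,mixer.telemetry.enabled` is the supported syntax. Helm evaluates only the first path that exists, though, so a single `mixer.enabled` switch may be the cleaner fix.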
--- /dev/null
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To get started running application with Istio, execute the following steps:
+
+{{- if index .Values "sidecarInjectorWebhook" "enabled" }}
+1. Label namespace that application object will be deployed to by the following command (take default namespace as an example)
+
+$ kubectl label namespace default istio-injection=enabled
+$ kubectl get namespace -L istio-injection
+
+2. Deploy your applications
+
+$ kubectl apply -f <your-application>.yaml
+{{- else }}
+1. Download the latest release package to get sidecar injection tool
+
+$ curl -L https://git.io/getLatestIstio | sh -
+$ mv istio-* istio-latest
+$ export PATH="$PATH:$PWD/istio-latest/bin"
+
+2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject`
+
+$ kubectl apply -f <(istioctl kube-inject -f <your-application>.yaml)
+{{- end }}
+
+For more information on running Istio, visit:
+https://istio.io/
\ No newline at end of file
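Review bot: The fallback instructions tell users to run `curl -L https://git.io/getLatestIstio | sh -`, which executes whatever a redirecting short link serves at that moment, with no version pin and no integrity check. It also fetches the latest release, which may not match the chart version that was just installed. I would replace the step with wording such as `Download the Istio release matching this chart from https://istio.io/ and verify the published checksum before adding istioctl to your PATH.`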
--- /dev/null
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "nodeaffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .Values.podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if or .Values.podAntiAffinityTermLabelSelector}}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
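Review bot: Each entry rendered by `podAntiAffinityPreferredDuringScheduling` has a `podAffinityTerm` but no `weight`, and Kubernetes requires a `weight` between 1 and 100 on every `preferredDuringSchedulingIgnoredDuringExecution` term, so a pod spec built from `podAntiAffinityTermLabelSelector` would be rejected by the API server. Adding `weight: 100` as a sibling of `podAffinityTerm:` fixes that. In `podAntiAffinity`, `{{- if or .Values.podAntiAffinityTermLabelSelector}}` passes a single argument to `or`; a plain `if` reads better. Keys and values are also emitted unquoted, so a label value like `true` or `1` would render as a non-string; `- {{ $v | quote }}` avoids that.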
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified configmap name.
+*/}}
+{{- define "istio.configmap.fullname" -}}
+{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Configmap checksum.
+*/}}
+{{- define "istio.configmap.checksum" -}}
+{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
+{{- end -}}
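Review bot: `istio.configmap.checksum` hashes the path string rather than the rendered ConfigMap: `print $.Template.BasePath "/configmap.yaml" | sha256sum` yields the same digest whatever the values are. If the checksum is used as a rollout annotation, which is the usual purpose, pods would never be restarted when the mesh config changes. The usual form is `{{- include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}`. The comment on `istio.chart` also says "chart name and version" while the helper emits only `.Chart.Name`; either add the version or correct the comment.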
--- /dev/null
+{{- define "podDisruptionBudget.spec" }}
+ minAvailable: 1
+{{- end }}
--- /dev/null
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-reader
+rules:
+ - apiGroups: ['']
+ resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
+ verbs: ['get', 'watch', 'list']
+ - apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
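Review bot: The `istio-reader` ClusterRole here, and the `istio-multi` ClusterRoleBinding and ServiceAccount in the files that follow, are rendered with no `{{- if ... }}` guard, unlike the neighbouring templates. Every install therefore gets a service account with cluster-wide read access to nodes, pods, services and endpoints, whether or not anything uses it, and its token is a standing credential that is better not created by default. If these objects exist for multicluster access, gating the three files on the relevant value (possibly the `multiCluster.enabled` setting seen in the example values) would make that explicit, as would a one-line comment naming the consumer. The two rules also mix quote styles (`['']` and `["extensions", "apps"]`).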
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-multi
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader
+subjects:
+- kind: ServiceAccount
+ name: istio-multi
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+{{- if or .Values.pilot.enabled .Values.global.istioRemote }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ template "istio.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ mesh: |-
+ # Set the following variable to true to disable policy checks by the Mixer.
+ # Note that metrics will still be reported to the Mixer.
+ {{- if .Values.mixer.policy.enabled }}
+ disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
+ {{- else }}
+ disablePolicyChecks: true
+ {{- end }}
+
+ # Set enableTracing to false to disable request tracing.
+ enableTracing: {{ .Values.global.enableTracing }}
+
+ # Set accessLogFile to empty string to disable access log.
+ accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
+
+ # If accessLogEncoding is TEXT, value will be used directly as the log format
+ # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
+ # If AccessLogEncoding is JSON, value will be parsed as map[string]string
+ # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
+ # Leave empty to use default log format
+ accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }}
+
+ # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
+ accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}'
+
+ {{- if .Values.global.istioRemote }}
+
+ {{- if .Values.global.remotePolicyAddress }}
+ {{- if .Values.global.createRemoteSvcEndpoints }}
+ mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004
+ {{- else }}
+ mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004
+ {{- end }}
+ {{- end }}
+ {{- if .Values.global.remoteTelemetryAddress }}
+ {{- if .Values.global.createRemoteSvcEndpoints }}
+ mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004
+ {{- else }}
+ mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004
+ {{- end }}
+ {{- end }}
+
+ {{- else }}
+
+ {{- if .Values.mixer.policy.enabled }}
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
+ {{- else }}
+ mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
+ {{- end }}
+ {{- end }}
+ {{- if .Values.mixer.telemetry.enabled }}
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
+ {{- else }}
+ mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
+ {{- end }}
+ {{- end }}
+
+ {{- end }}
+
+ {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }}
+ # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
+ # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
+ policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
+ {{- end }}
+
+ {{- if .Values.gateways.enabled }}
+ # Let Pilot give ingresses the public IP of the Istio ingressgateway
+ ingressService: istio-ingressgateway
+ {{- end }}
+
+ # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
+ connectTimeout: 10s
+
+ # DNS refresh rate for Envoy clusters of type STRICT_DNS
+ dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }}
+
+ # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
+ # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
+ sdsUdsPath: {{ .Values.global.sds.udsPath }}
+
+ # This flag is used by secret discovery service(SDS).
+ # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount
+ # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which
+ # will be used to generate key/cert eventually. This isn't supported for non-k8s case.
+ enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }}
+
+ # This flag is used by secret discovery service(SDS).
+ # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
+ # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
+ # and pass to sds server, which will be used to request key/cert eventually.
+ # this flag is ignored if enableSdsTokenMount is set.
+ # This isn't supported for non-k8s case.
+ sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }}
+
+ # The trust domain corresponds to the trust root of a system.
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: {{ .Values.global.trustDomain }}
+
+ # Set the default behavior of the sidecar for handling outbound traffic from the application:
+ # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
+ # services or ServiceEntries for the destination port
+ # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
+ # as those defined through ServiceEntries
+ outboundTrafficPolicy:
+ mode: {{ .Values.global.outboundTrafficPolicy.mode }}
+
+ localityLbSetting:
+{{ toYaml .Values.global.localityLbSetting | indent 6 }}
+
+ # The namespace to treat as the administrative root namespace for istio
+ # configuration.
+ {{- if .Values.global.configRootNamespace }}
+ rootNamespace: {{ .Values.global.configRootNamespace }}
+ {{- else }}
+ rootNamespace: {{ .Release.Namespace }}
+ {{- end }}
+
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ defaultServiceExportTo:
+ {{- range .Values.global.defaultConfigVisibilitySettings }}
+ - {{ . | quote }}
+ {{- end }}
+ defaultVirtualServiceExportTo:
+ {{- range .Values.global.defaultConfigVisibilitySettings }}
+ - {{ . | quote }}
+ {{- end }}
+ defaultDestinationRuleExportTo:
+ {{- range .Values.global.defaultConfigVisibilitySettings }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+
+ {{- if $.Values.global.useMCP }}
+ configSources:
+ - address: istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- if $.Values.global.controlPlaneSecurityEnabled}}
+ tlsSettings:
+ mode: ISTIO_MUTUAL
+ {{- end }}
+ {{- end }}
+
+ defaultConfig:
+ #
+ # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
+ # defined in Envoy's configuration file
+ connectTimeout: 10s
+ #
+ ### ADVANCED SETTINGS #############
+ # Where should envoy's configuration be stored in the istio-proxy container
+ configPath: "/etc/istio/proxy"
+ binaryPath: "/usr/local/bin/envoy"
+ # The pseudo service name used for Envoy.
+ serviceCluster: istio-proxy
+ # These settings that determine how long an old Envoy
+ # process should be kept alive after an occasional reload.
+ drainDuration: 45s
+ parentShutdownDuration: 1m0s
+ #
+ # The mode used to redirect inbound connections to Envoy. This setting
+ # has no effect on outbound traffic: iptables REDIRECT is always used for
+ # outbound connections.
+ # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+ # The "REDIRECT" mode loses source addresses during redirection.
+ # If "TPROXY", use iptables TPROXY to redirect to Envoy.
+ # The "TPROXY" mode preserves both the source and destination IP
+ # addresses and ports, so that they can be used for advanced filtering
+ # and manipulation.
+ # The "TPROXY" mode also configures the sidecar to run with the
+ # CAP_NET_ADMIN capability, which is required to use TPROXY.
+ #interceptionMode: REDIRECT
+ #
+ # Port where Envoy listens (on local host) for admin commands
+ # You can exec into the istio-proxy container in a pod and
+ # curl the admin port (curl http://localhost:15000/) to obtain
+ # diagnostic information from Envoy. See
+ # https://lyft.github.io/envoy/docs/operations/admin.html
+ # for more details
+ proxyAdminPort: 15000
+ #
+ # Set concurrency to a specific number to control the number of Proxy worker threads.
+ # If set to 0 (default), then start worker thread for each CPU thread/core.
+ concurrency: {{ .Values.global.proxy.concurrency }}
+ #
+ {{- if eq .Values.global.proxy.tracer "lightstep" }}
+ tracing:
+ lightstep:
+ # Address of the LightStep Satellite pool
+ address: {{ .Values.global.tracer.lightstep.address }}
+ # Access Token used to communicate with the Satellite pool
+ accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+ # Whether communication with the Satellite pool should be secure
+ secure: {{ .Values.global.tracer.lightstep.secure }}
+ # Path to the file containing the cacert to use when verifying TLS
+ cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }}
+ {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+ tracing:
+ zipkin:
+ # Address of the Zipkin collector
+ {{- if .Values.global.tracer.zipkin.address }}
+ address: {{ .Values.global.tracer.zipkin.address }}
+ {{- else if .Values.global.remoteZipkinAddress }}
+ address: {{ .Values.global.remoteZipkinAddress }}:9411
+ {{- else }}
+ address: zipkin.{{ .Release.Namespace }}:9411
+ {{- end }}
+ {{- else if eq .Values.global.proxy.tracer "datadog" }}
+ tracing:
+ datadog:
+ # Address of the Datadog Agent
+ address: {{ .Values.global.tracer.datadog.address }}
+ {{- end }}
+
+ {{- if .Values.global.proxy.envoyStatsd.enabled }}
+ #
+ # Statsd metrics collector converts statsd metrics into Prometheus metrics.
+ statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
+ {{- end }}
+
+ {{- if .Values.global.proxy.envoyMetricsService.enabled }}
+ #
+ # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API.
+ envoyMetricsServiceAddress: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }}
+ {{- end}}
+
+ {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }}
+ {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }}
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: MUTUAL_TLS
+ #
+ # Address where istio Pilot service is running
+ {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+ discoveryAddress: {{ $defPilotHostname }}:15011
+ {{- else }}
+ discoveryAddress: {{ $pilotAddress }}:15011
+ {{- end }}
+ {{- else }}
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: NONE
+ #
+ # Address where istio Pilot service is running
+ {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+ discoveryAddress: {{ $defPilotHostname }}:15010
+ {{- else }}
+ discoveryAddress: {{ $pilotAddress }}:15010
+ {{- end }}
+ {{- end }}
+
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ {{- if .Values.global.meshNetworks }}
+ networks:
+{{ toYaml .Values.global.meshNetworks | indent 6 }}
+ {{- else }}
+ networks: {}
+ {{- end }}
+{{- end }}
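Review bot: `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` writes the LightStep access token in clear text into the `istio` ConfigMap. Anything with ConfigMap read access in the namespace can read it, and Kubernetes does not treat ConfigMap contents as secret material. Carrying the token in a Secret and referencing it from the proxy would be the safer design. If the mesh config format forces it inline, say so in a comment and quote the value with `| quote` so a token that looks numeric is not retyped. Other string values in this block are unquoted as well, for example `trustDomain:` and the tracer `address:` lines, while `accessLogFormat` already uses `| quote`.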
--- /dev/null
+{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15003
+ name: http-old-discovery # mTLS or non-mTLS depending on auth setting
+ - port: 15005
+ name: https-discovery # always mTLS
+ - port: 15007
+ name: http-discovery # always plain-text
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS or non-mTLS depending on auth setting
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 15014
+ name: http-monitoring
+{{- end }}
+{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }}
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istio-policy
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePolicyAddress }}
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 15014
+{{- end }}
+{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }}
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remoteTelemetryAddress }}
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 15014
+ - name: prometheus
+ port: 42422
+{{- end }}
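Review bot: The `istio-telemetry` Endpoints object hard-codes `namespace: istio-system`, while the other two Endpoints in this file and the matching `istio-telemetry` Service template use `{{ .Release.Namespace }}`. When the chart is installed into any other namespace, the Endpoints and its Service end up in different namespaces and the Service has no backends. Change the line to `namespace: {{ .Release.Namespace }}`.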
--- /dev/null
+{{ define "install-custom-resources.sh.tpl" }}
+#!/bin/sh
+
+set -x
+
+if [ "$#" -ne "1" ]; then
+ echo "first argument should be path to custom resource yaml"
+ exit 1
+fi
+
+pathToResourceYAML=${1}
+
+kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
+if [ "$?" -eq 0 ]; then
+ echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
+ while true; do
+ kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+fi
+sleep 5
+kubectl apply -f ${pathToResourceYAML}
+{{ end }}
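Review bot: The `while true` loop that waits for the `istio-galley` deployment has no upper bound, so if the deployment is never created the job hangs until something outside kills it. A bounded retry count with a clear failure message makes that failure visible; the limit in the sketch below is an arbitrary value to be tuned. `kubectl apply -f ${pathToResourceYAML}` should also quote the variable so that a path containing spaces or glob characters is passed as one argument.

```shell
# … unchanged: argument check and validatingwebhookconfiguration lookup …
    attempts=0
    until kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null; do
        attempts=$((attempts + 1))
        if [ "$attempts" -ge 300 ]; then
            echo "timed out waiting for istio-galley deployment to be created"
            exit 1
        fi
        sleep 1
    done
# … unchanged: rollout status check …
kubectl apply -f "${pathToResourceYAML}"
```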
--- /dev/null
+{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15003
+ name: http-old-discovery # mTLS or non-mTLS depending on auth setting
+ - port: 15005
+ name: https-discovery # always mTLS
+ - port: 15007
+ name: http-discovery # always plain-text
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS or non-mTLS depending on auth setting
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 15014
+ name: http-monitoring
+ clusterIP: None
+{{- end }}
+{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-policy
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 15014
+ clusterIP: None
+{{- end }}
+{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-telemetry
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: 15014
+ - name: prometheus
+ port: 42422
+ clusterIP: None
+{{- end }}
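Review bot: The `istio-pilot` Service publishes the ports that its own comments mark as unauthenticated (`15007 # always plain-text`, `15010 # direct`, `8080 # direct`) unconditionally, even when the control plane is meant to run with mTLS. In a remote-cluster install these endpoints presumably point at a Pilot outside the local cluster, so plaintext discovery traffic could cross the cluster boundary. Consider wrapping those three port entries in `{{- if not .Values.global.controlPlaneSecurityEnabled }}` … `{{- end }}`, so that only `15005` and `15011` are offered when control-plane security is enabled.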
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-multi
+ namespace: {{ .Release.Namespace }}
--- /dev/null
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ template "istio.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+data:
+ config: |-
+ policy: {{ .Values.global.proxy.autoInject }}
+ template: |-
+ rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }}
+{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }}
+ initContainers:
+ {{ "[[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"NONE\" ]]" }}
+{{- if not .Values.istio_cni.enabled }}
+ - name: istio-init
+{{- if contains "/" .Values.global.proxy_init.image }}
+ image: "{{ .Values.global.proxy_init.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
+{{- end }}
+ args:
+ - "-p"
+ - {{ "[[ .MeshConfig.ProxyListenPort ]]" }}
+ - "-u"
+ - 1337
+ - "-m"
+ - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }}
+ - "-i"
+ - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }}
+ - "-x"
+ - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }}
+ - "-b"
+ - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }}
+ - "-d"
+ - {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }}
+ {{ "[[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]" }}
+ - "-k"
+ {{ "- \"[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]\"" }}
+ {{ "[[ end -]]" }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ resources:
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ securityContext:
+ runAsUser: 0
+ runAsNonRoot: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ {{- if .Values.global.proxy.privileged }}
+ privileged: true
+ {{- end }}
+ restartPolicy: Always
+{{- end }}
+ {{ "[[ end -]]" }}
+ {{- if eq .Values.global.proxy.enableCoreDump true }}
+ - name: enable-core-dump
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
+ command:
+ - /bin/sh
+ {{- if contains "/" .Values.global.proxy_init.image }}
+ image: "{{ .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ imagePullPolicy: IfNotPresent
+ resources: {}
+ securityContext:
+ runAsUser: 0
+ runAsNonRoot: false
+ privileged: true
+ {{ end }}
+{{- end }}
+ containers:
+ - name: istio-proxy
+{{- if contains "/" .Values.global.proxy.image }}
+ image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }}
+{{- else }}
+ image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }}
+{{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --configPath
+ - {{ "[[ .ProxyConfig.ConfigPath ]]" }}
+ - --binaryPath
+ - {{ "[[ .ProxyConfig.BinaryPath ]]" }}
+ - --serviceCluster
+ {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }}
+ - {{ "[[ index .ObjectMeta.Labels \"app\" ]]." }}$(POD_NAMESPACE)
+ {{ "[[ else -]]" }}
+ - {{ "[[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }}
+ {{ "[[ end -]]" }}
+ - --drainDuration
+ - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }}
+ - --parentShutdownDuration
+ - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }}
+ - --discoveryAddress
+ - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }}
+ {{- if eq .Values.global.proxy.tracer "lightstep" }}
+ - --lightstepAddress
+ - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAddress ]]" }}
+ - --lightstepAccessToken
+ - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken ]]" }}
+ - --lightstepSecure={{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetSecure ]]" }}
+ - --lightstepCacertPath
+ - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }}
+ {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+ - --zipkinAddress
+ - {{ "[[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]]" }}
+ {{- else if eq .Values.global.proxy.tracer "datadog" }}
+ - --datadogAgentAddress
+ - {{ "[[ .ProxyConfig.GetTracing.GetDatadog.GetAddress ]]" }}
+ {{- end }}
+ {{- if $.Values.global.proxy.logLevel }}
+ - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
+ {{- end}}
+ - --connectTimeout
+ - {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }}
+ {{- if .Values.global.proxy.envoyStatsd.enabled }}
+ - --statsdUdpAddress
+ - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }}
+ {{- end }}
+ {{- if .Values.global.proxy.envoyMetricsService.enabled }}
+ - --envoyMetricsServiceAddress
+ - {{ "[[ .ProxyConfig.EnvoyMetricsServiceAddress ]]" }}
+ {{- end }}
+ - --proxyAdminPort
+ - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }}
+ {{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }}
+ - --concurrency
+ - {{ "[[ .ProxyConfig.Concurrency ]]" }}
+ {{ "[[ end -]]" }}
+ - --controlPlaneAuthPolicy
+ - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }}
+ {{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
+ - --statusPort
+ - {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
+ - --applicationPorts
+ - {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }}
+ {{ "[[- end ]]" }}
+ {{- if .Values.global.trustDomain }}
+ - --trust-domain={{ .Values.global.trustDomain }}
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ {{ if eq .Values.global.proxy.tracer "datadog" }}
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ {{ end }}
+ - name: ISTIO_META_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: ISTIO_META_CONFIG_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{ "[[ if .ObjectMeta.Annotations ]]" }}
+ - name: ISTIO_METAJSON_ANNOTATIONS
+ value: |
+ {{ "[[ toJSON .ObjectMeta.Annotations ]]" }}
+ {{ "[[ end ]]" }}
+ {{ "[[ if .ObjectMeta.Labels ]]" }}
+ - name: ISTIO_METAJSON_LABELS
+ value: |
+ {{ "[[ toJSON .ObjectMeta.Labels ]]" }}
+ {{ "[[ end ]]" }}
+ {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
+ - name: ISTIO_BOOTSTRAP_OVERRIDE
+ value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+ {{ "[[- end ]]" }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ {{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
+ initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }}
+ periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }}
+ failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }}
+ {{ "[[ end -]]" -}}
+ securityContext:
+ {{- if .Values.global.proxy.privileged }}
+ privileged: true
+ {{- end }}
+ {{- if ne .Values.global.proxy.enableCoreDump true }}
+ readOnlyRootFilesystem: true
+ {{- end }}
+ {{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }}
+ capabilities:
+ add:
+ - NET_ADMIN
+ runAsGroup: 1337
+ {{ "[[ else -]]" }}
+ {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
+ runAsGroup: 1337
+ {{- end }}
+ runAsUser: 1337
+ {{ "[[- end ]]" }}
+ resources:
+ {{ "[[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }}
+ requests:
+ {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }}
+ cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }}
+ {{ "[[ end ]]" }}
+ {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }}
+ memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }}
+ {{ "[[ end ]]" }}
+ {{ "[[ else -]]" }}
+{{- if .Values.global.proxy.resources }}
+{{ toYaml .Values.global.proxy.resources | indent 10 }}
+{{- end }}
+ {{ "[[ end -]]" }}
+ volumeMounts:
+ {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ {{ "[[- end ]]" }}
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if .Values.global.sds.enabled }}
+ - mountPath: /var/run/sds/uds_path
+ name: sds-uds-path
+ readOnly: true
+ {{- if .Values.global.sds.useTrustworthyJwt }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- else }}
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
+ - mountPath: {{ "[[ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }}
+ name: lightstep-certs
+ readOnly: true
+ {{- end }}
+ {{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]" }}
+ {{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]" }}
+ - name: {{ "\"[[ $index ]]\"" }}
+ {{ "[[ toYaml $value | indent 4 ]]" }}
+ {{ "[[ end ]]" }}
+ {{ "[[- end ]]" }}
+ volumes:
+ {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]" }}
+ {{ "[[- end ]]" }}
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ {{- if .Values.global.sds.enabled }}
+ - name: sds-uds-path
+ hostPath:
+ path: /var/run/sds/uds_path
+ type: Socket
+ {{- if .Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.trustDomain }}
+ {{- end }}
+ {{- else }}
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }}
+ secretName: istio.default
+ {{ "[[ else -]]" }}
+ secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }}
+ {{ "[[ end -]]" }}
+ {{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]" }}
+ {{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]" }}
+ - name: {{ "\"[[ $index ]]\"" }}
+ {{ "[[ toYaml $value | indent 2 ]]" }}
+ {{ "[[ end ]]" }}
+ {{ "[[ end ]]" }}
+ {{- end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+{{- end }}
+{{- if .Values.global.podDNSSearchNamespaces }}
+ dnsConfig:
+ searches:
+ {{- range .Values.global.podDNSSearchNamespaces }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
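Review bot: In the `istio-token` projected volume, `audience: {{ .Values.global.trustDomain }}` renders an empty value when `global.trustDomain` is left at `""` (the default in the chart's values.yaml later in this patch), and Kubernetes then issues the token for the API server's default audience. The token handed to the node agent would then also be accepted by the API server, which is what an audience-bound token is meant to prevent. I would fail the render instead, e.g. `audience: {{ required "global.trustDomain must be set when sds.useTrustworthyJwt is enabled" .Values.global.trustDomain | quote }}`. Separately, the `enable-core-dump` init container runs as root with `privileged: true`, and enabling it also drops `readOnlyRootFilesystem: true` from the proxy; the `enableCoreDump` value deserves a comment such as `# Debug only: injects a privileged root init container and leaves the proxy root filesystem writable.`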
--- /dev/null
+# This is used to generate minimal demo mode. It is included from demo and demo-auth values.
+# It is shipped with the release, used for bookinfo or quick installation of istio.
+# Includes components used in the demo, defaults to alpha3 rules.
+# Note: please only put common configuration for the demo profiles here.
+global:
+ proxy:
+ accessLogFile: "/dev/stdout"
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ disablePolicyChecks: false
+
+ sidecarInjectorWebhook:
+ enabled: true
+ # If true, webhook or istioctl injector will rewrite PodSpec for liveness
+ # health check to redirect request to sidecar. This makes liveness check work
+ # even when mTLS is enabled.
+ rewriteAppHTTPProbe: false
+
+pilot:
+ traceSampling: 100.0
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 200Mi
+
+mixer:
+ policy:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+
+ telemetry:
+ enabled: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+
+ adapters:
+ stdio:
+ enabled: true
+
+grafana:
+ enabled: true
+
+tracing:
+ enabled: true
+
+kiali:
+ enabled: true
+ createDemoSecret: true
+
+gateways:
+ istio-ingressgateway:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+
+ istio-egressgateway:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+# This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled.
+# It is shipped with the release, used for bookinfo or quick installation of istio.
+# Includes components used in the demo, defaults to alpha3 rules.
+
+# @include <values-istio-demo-common.yaml>
+global:
+ controlPlaneSecurityEnabled: true
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
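Review bot: `kiali.createDemoSecret: true` carries no comment explaining what it creates; judging by the name it installs a Kiali login secret with fixed demo credentials, which is unsafe on any cluster other people can reach. Together with `traceSampling: 100.0` and access logs sent to `/dev/stdout`, the profile is clearly demo-only, and the key should say so, e.g. `# Demo only: creates a Kiali login secret with fixed demo credentials; never use on a shared or exposed cluster.` The same block is repeated in the next file section (the non-auth demo values), which additionally sets `mtls.enabled: false` and `controlPlaneSecurityEnabled: false`.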
--- /dev/null
+# This is used to generate minimal demo mode. It is included from demo and demo-auth values.
+# It is shipped with the release, used for bookinfo or quick installation of istio.
+# Includes components used in the demo, defaults to alpha3 rules.
+# Note: please only put common configuration for the demo profiles here.
+global:
+ proxy:
+ accessLogFile: "/dev/stdout"
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ disablePolicyChecks: false
+
+ sidecarInjectorWebhook:
+ enabled: true
+ # If true, webhook or istioctl injector will rewrite PodSpec for liveness
+ # health check to redirect request to sidecar. This makes liveness check work
+ # even when mTLS is enabled.
+ rewriteAppHTTPProbe: false
+
+pilot:
+ traceSampling: 100.0
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 200Mi
+
+mixer:
+ policy:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+
+ telemetry:
+ enabled: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+
+ adapters:
+ stdio:
+ enabled: true
+
+grafana:
+ enabled: true
+
+tracing:
+ enabled: true
+
+kiali:
+ enabled: true
+ createDemoSecret: true
+
+gateways:
+ istio-ingressgateway:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+
+ istio-egressgateway:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+# This is used to generate istio.yaml for minimal, demo mode.
+# It is shipped with the release, used for bookinfo or quick installation of istio.
+# Includes components used in the demo, defaults to alpha3 rules.
+
+# @include <values-istio-demo-common.yaml>
+#
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: false
--- /dev/null
+#
+# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/minimal-install/
+#
+pilot:
+ enabled: true
+ sidecar: false
+
+gateways:
+ enabled: false
+
+security:
+ enabled: false
+
+sidecarInjectorWebhook:
+ enabled: false
+
+galley:
+ enabled: false
+
+mixer:
+ policy:
+ enabled: false
+ telemetry:
+ enabled: false
+
+prometheus:
+ enabled: false
+
+
+# Common settings.
+global:
+
+ proxy:
+ # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
+ # would be <host>:<port>).
+ # Disabled by default.
+ # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
+ envoyStatsd:
+ # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
+ enabled: false
+ host: # example: statsd-svc.istio-system
+ port: # example: 9125
+
+ useMCP: false
+
+
--- /dev/null
+gateways:
+ enabled: false
+
+galley:
+ enabled: false
+
+mixer:
+ policy:
+ enabled: false
+ telemetry:
+ enabled: false
+
+pilot:
+ enabled: false
+
+security:
+ enabled: true
+ createMeshPolicy: false
+
+prometheus:
+ enabled: false
+
+global:
+ istioRemote: true
+
+ defaultPodDisruptionBudget: {}
+
+ enableTracing: false
+
+ # Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent
+ # to the Pilot when connected by the sidecar and will affect the results returned in EDS requests.
+ # Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to
+ # other networks.
+ #
+ # Must match the names in the meshNetworks section in the Istio local.
+ network: ""
--- /dev/null
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ sds:
+ enabled: true
+ udsPath: "unix:/var/run/sds/uds_path"
+ useNormalJwt: true
+
+nodeagent:
+ enabled: true
+ image: node-agent-k8s
+ env:
+ CA_PROVIDER: "Citadel"
+ CA_ADDR: "istio-citadel:8060"
+ VALID_TOKEN: true
\ No newline at end of file
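Review bot: The SDS profile leaves `controlPlaneSecurityEnabled: false` and selects `useNormalJwt: true` with no comment on what that trades away. Per the chart's own comment on that key in values.yaml, the former leaves sidecar-to-control-plane traffic without mTLS; the latter, as far as the injector template in this patch shows, means the projected token with `expirationSeconds` and an `audience` is not mounted and the workload's ordinary service-account token is presumably used instead. I would document both choices, e.g. `# Uses the pod's regular service-account JWT; prefer useTrustworthyJwt where the cluster supports projected tokens.` Also quote the env value as `VALID_TOKEN: "true"`, since an unquoted `true` is a YAML boolean while environment values must be strings; the nodeagent template is not visible here, so whether it stringifies the value cannot be confirmed.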
--- /dev/null
+# Top level istio values file has the following sections.
+#
+# global: This file is the authoritative and exhaustive source for the global section.
+#
+# chart sections: Every subdirectory inside the charts/ directory has a top level
+# configuration key in this file. This file overrides the values specified
+# by the charts/${chartname}/values.yaml.
+# Check the chart level values file for exhaustive list of configuration options.
+
+#
+# Gateways Configuration, refer to the charts/gateways/values.yaml
+# for detailed configuration
+#
+gateways:
+ enabled: true
+
+#
+# sidecar-injector webhook configuration, refer to the
+# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
+#
+sidecarInjectorWebhook:
+ enabled: true
+
+#
+# galley configuration, refer to charts/galley/values.yaml
+# for detailed configuration
+#
+galley:
+ enabled: true
+
+#
+# mixer configuration
+#
+# @see charts/mixer/values.yaml, it takes precedence
+mixer:
+ enabled: true
+ policy:
+ # if policy is enabled the global.disablePolicyChecks has affect.
+ enabled: true
+
+ telemetry:
+ enabled: true
+#
+# pilot configuration
+#
+# @see charts/pilot/values.yaml
+pilot:
+ enabled: true
+
+#
+# security configuration
+#
+security:
+ enabled: true
+
+#
+# nodeagent configuration
+#
+nodeagent:
+ enabled: false
+
+#
+# addon grafana configuration
+#
+grafana:
+ enabled: false
+
+#
+# addon prometheus configuration
+#
+prometheus:
+ enabled: true
+
+#
+# addon servicegraph configuration
+#
+servicegraph:
+ enabled: false
+
+#
+# addon jaeger tracing configuration
+#
+tracing:
+ enabled: false
+
+#
+# addon kiali tracing configuration
+#
+kiali:
+ enabled: false
+
+#
+# Istio CNI plugin enabled
+# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
+# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
+# settings for the istio-proxy.
+#
+istio_cni:
+ enabled: false
+
+# addon Istio CoreDNS configuration
+#
+istiocoredns:
+ enabled: false
+
+# Common settings used among istio subcharts.
+global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.1.6
+
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+
+ # monitoring port used by mixer, pilot, galley
+ monitoringPort: 15014
+
+ k8sIngress:
+ enabled: false
+ # Gateway used for k8s Ingress resources. By default it is
+ # using 'istio:ingressgateway' that will be installed by setting
+ # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'
+ # flags to true.
+ gatewayName: ingressgateway
+ # enableHttps will add port 443 on the ingress.
+ # It REQUIRES that the certificates are installed in the
+ # expected secrets - enabling this option without certificates
+ # will result in LDS rejection and the ingress will not work.
+ enableHttps: false
+
+ proxy:
+ image: proxyv2
+
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+
+ # Resources for the sidecar.
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 128Mi
+
+ # Controls number of Proxy worker threads.
+ # If set to 0 (default), then start worker thread for each CPU thread/core.
+ concurrency: 2
+
+ # Configures the access log for each sidecar.
+ # Options:
+ # "" - disables access log
+ # "/dev/stdout" - enables access log
+ accessLogFile: ""
+
+ # Configure how and what fields are displayed in sidecar access log. Setting to
+ # empty string will result in default log format
+ accessLogFormat: ""
+
+ # Configure the access log for sidecar to JSON or TEXT.
+ accessLogEncoding: TEXT
+
+ # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: ""
+
+ # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
+ # 5 seconds is the default refresh rate used by Envoy
+ dnsRefreshRate: 5s
+
+ #If set to true, istio-proxy container will have privileged securityContext
+ privileged: false
+
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+
+ # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+ statusPort: 15020
+
+ # The initial delay for readiness probes in seconds.
+ readinessInitialDelaySeconds: 1
+
+ # The period between readiness probes.
+ readinessPeriodSeconds: 2
+
+ # The number of successive failed probes before indicating readiness failure.
+ readinessFailureThreshold: 30
+
+ # istio egress capture whitelist
+ # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+ # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+ # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+ # be allowed by the sidecar
+ includeIPRanges: "*"
+ excludeIPRanges: ""
+
+ # pod internal interfaces
+ kubevirtInterfaces: ""
+
+ # istio ingress capture whitelist
+ # examples:
+ # Redirect no inbound traffic to Envoy: --includeInboundPorts=""
+ # Redirect all inbound traffic to Envoy: --includeInboundPorts="*"
+ # Redirect only selected ports: --includeInboundPorts="80,8080"
+ includeInboundPorts: "*"
+ excludeInboundPorts: ""
+
+ # This controls the 'policy' in the sidecar injector.
+ autoInject: enabled
+
+ # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
+ # would be <host>:<port>).
+ # Disabled by default.
+ # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
+ envoyStatsd:
+ # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
+ enabled: false
+ host: # example: statsd-svc.istio-system
+ port: # example: 9125
+
+ # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
+ # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
+ # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also
+ # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
+ #
+ # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
+ # for details about Envoy's Metrics Service API.
+ #
+ # Disabled by default.
+ envoyMetricsService:
+ enabled: false
+ host: # example: metrics-service.istio-system
+ port: # example: 15000
+
+ # Specify which tracer to use. One of: lightstep, zipkin, datadog
+ tracer: "zipkin"
+
+ proxy_init:
+ # Base name for the proxy_init container, used to configure iptables.
+ image: proxy_init
+
+ # imagePullPolicy is applied to istio control plane components.
+ # local tests require IfNotPresent, to avoid uploading to dockerhub.
+ # TODO: Switch to Always as default, and override in the local tests.
+ imagePullPolicy: IfNotPresent
+
+ # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
+ # propagated, not recommended for tests.
+ controlPlaneSecurityEnabled: false
+
+ # disablePolicyChecks disables mixer policy checks.
+ # if mixer.policy.enabled==true then disablePolicyChecks has affect.
+ # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
+ disablePolicyChecks: true
+
+ # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
+ # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
+ policyCheckFailOpen: false
+
+ # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
+ enableTracing: true
+
+ # Configuration for each of the supported tracers
+ tracer:
+ # Configuration for envoy to send trace data to LightStep.
+ # Disabled by default.
+ # address: the <host>:<port> of the satellite pool
+ # accessToken: required for sending data to the pool
+ # secure: specifies whether data should be sent with TLS
+ # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
+ # required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
+ # namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
+ #
+ lightstep:
+ address: "" # example: lightstep-satellite:443
+ accessToken: "" # example: abcdefg1234567
+ secure: true # example: true|false
+ cacertPath: "" # example: /etc/lightstep/cacert.pem
+ zipkin:
+ # Host:Port for reporting trace data in zipkin format. If not specified, will default to
+ # zipkin service (port 9411) in the same namespace as the other istio components.
+ address: ""
+ datadog:
+ # Host:Port for submitting traces to the Datadog agent.
+ address: "$(HOST_IP):8126"
+
+ # Default mtls policy. If true, mtls between services will be enabled by default.
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: false
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any clustser configured with private docker registry.
+ imagePullSecrets:
+ # - private-registry-key
+
+ # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
+ # 0 - Never scheduled
+ # 1 - Least preferred
+ # 2 - No preference
+ # 3 - Most preferred
+ arch:
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+
+ # Whether to restrict the applications namespace the controller manages;
+ # If not set, controller watches all namespaces
+ oneNamespace: false
+
+ # Default node selector to be applied to all deployments so that all pods can be
+ # constrained to run a particular nodes. Each component can overwrite these default
+ # values by adding its node selector block in the relevant section below and setting
+ # the desired values.
+ defaultNodeSelector: {}
+
+ # Whether to perform server-side validation of configuration.
+ configValidation: true
+
+ # Custom DNS config for the pod to resolve names of services in other
+ # clusters. Use this to add additional search domains, and other settings.
+ # see
+ # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+ # This does not apply to gateway pods as they typically need a different
+ # set of DNS settings than the normal application pods (e.g., in
+ # multicluster scenarios).
+ # NOTE: If using templates, follow the pattern in the commented example below.
+ #podDNSSearchNamespaces:
+ #- global
+ #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global"
+
+ # If set to true, the pilot and citadel mtls will be exposed on the
+ # ingress gateway
+ meshExpansion:
+ enabled: false
+ # If set to true, the pilot and citadel mtls and the plain text pilot ports
+ # will be exposed on an internal gateway
+ useILB: false
+
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # enable pod distruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+ # The values aren't mutable due to a current PodDisruptionBudget limitation
+ # minAvailable: 1
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+
+ # Use the Mesh Control Protocol (MCP) for configuring Mixer and
+ # Pilot. Requires galley (`--set galley.enabled=true`).
+ useMCP: true
+
+ # The trust domain corresponds to the trust root of a system
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ # Indicate the domain used in SPIFFE identity URL
+ # The default depends on the environment.
+ # kubernetes: cluster.local
+ # else: default dns domain
+ trustDomain: ""
+
+ # Set the default behavior of the sidecar for handling outbound traffic from the application:
+ # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
+ # services or ServiceEntries for the destination port
+ # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
+ # as those defined through ServiceEntries
+ # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
+ # to services outside of the mesh without any ServiceEntry.
+ # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY.
+ outboundTrafficPolicy:
+ mode: ALLOW_ANY
+
+ # The namespace where globally shared configurations should be present.
+ # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
+ # default Sidecar configs, etc. should be added to this namespace.
+ # configRootNamespace: istio-config
+
+ # set the default set of namespaces to which services, service entries, virtual services, destination
+ # rules should be exported to. Currently only one value can be provided in this list. This value
+ # should be one of the following two options:
+ # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+ # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+ #defaultConfigVisibilitySettings:
+ #- '*'
+
+ sds:
+ # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
+ # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
+ enabled: false
+ udsPath: ""
+ useTrustworthyJwt: false
+ useNormalJwt: false
+
+ # Configure the mesh networks to be used by the Split Horizon EDS.
+ #
+ # The following example defines two networks with different endpoints association methods.
+ # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+ # mapped to network1. The gateway for this network example is specified by its public IP
+ # address and port.
+ # The second network, `network2`, in this example is defined differently with all endpoints
+ # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+ # gateway is also defined differently with the name of the gateway service on the remote
+ # cluster. The public IP for the gateway will be determined from that remote service (not
+ # supported yet).
+ #
+ # meshNetworks:
+ # network1:
+ # endpoints:
+ # - fromCidr: "192.168.0.1/24"
+ # gateways:
+ # - address: 1.1.1.1
+ # port: 80
+ # network2:
+ # endpoints:
+ # - fromRegistry: reg1
+ # gateways:
+ # - registryServiceName: istio-ingressgateway
+ # port: 443
+ #
+ meshNetworks: {}
+
+ # Specifies the global locality load balancing settings.
+ # Locality-weighted load balancing allows administrators to control the distribution of traffic to
+ # endpoints based on the localities of where the traffic originates and where it will terminate.
+ # Please set either failover or distribute configuration but not both.
+ #
+ # localityLbSetting:
+ # distribute:
+ # - from: "us-central1/*"
+ # to:
+ # "us-central1/*": 80
+ # "us-central2/*": 20
+ #
+ # localityLbSetting:
+ # failover:
+ # - from: us-east
+ # to: eu-west
+ # - from: us-west
+ # to: us-east
+ localityLbSetting: {}
+
+ # Specifies whether helm test is enabled or not.
+ # This field is set to false by default, so 'helm template ...'
+ # will ignore the helm test yaml files when generating the template
+ enableHelmTest: false