-
-
#/*Copyright 2019 Intel Corporation, Inc
# *
# * Licensed under the Apache License, Version 2.0 (the "License");
# * See the License for the specific language governing permissions and
# * limitations under the License.
# */
+apiVersion: v1
name: istio-operator
-version: 0.0.15
+version: 0.0.22
description: istio-operator manages Istio deployments on Kubernetes
-appVersion: 0.2.1
+appVersion: 0.3.3
* limitations under the License.
*/
+# Istio-operator chart
+
## Prerequisites
- Kubernetes 1.10.0+
## Installing the chart
-To install the chart from local directory:
+To install the chart:
-```
-helm install --name=istio-operator --namespace=istio-system istio-operator
+```bash
+❯ helm install --name=istio-operator --namespace=istio-system istio-operator
```
## Uninstalling the Chart
To uninstall/delete the `istio-operator` release:
-```
-$ helm del --purge istio-operator
+```bash
+❯ helm del --purge istio-operator
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
-The following table lists the configurable parameters of the Banzaicloud Istio Operator chart and their default values.
-
Parameter | Description | Default
--------- | ----------- | -------
`operator.image.repository` | Operator container image repository | `banzaicloud/istio-operator`
-`operator.image.tag` | Operator container image tag | `0.2.1`
+`operator.image.tag` | Operator container image tag | `0.3.3`
`operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent`
`operator.resources` | CPU/Memory resource requests/limits (YAML) | Memory: `128Mi/256Mi`, CPU: `100m/200m`
-`istioVersion` | Supported Istio version | `1.2`
+`istioVersion` | Supported Istio version | `1.3`
`prometheusMetrics.enabled` | If true, use direct access for Prometheus metrics | `false`
`prometheusMetrics.authProxy.enabled` | If true, use auth proxy for Prometheus metrics | `true`
`prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy`
`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.4.0`
`prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent`
`rbac.enabled` | Create rbac service account and roles | `true`
+`rbac.psp.enabled` | Create pod security policy and binding | `false`
kind: ServiceAccount
metadata:
name: {{ include "istio-operator.fullname" . }}-authproxy
+ namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
kind: Service
metadata:
name: {{ include "istio-operator.fullname" . }}-authproxy
+ namespace: {{ .Release.Namespace }}
annotations:
prometheus.io/port: "8443"
prometheus.io/scheme: https
ports:
- name: https
port: 8443
+ protocol: TCP
targetPort: https
selector:
control-plane: controller-manager
--- /dev/null
+{{- if .Values.useNamespaceResource }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app: {{ include "istio-operator.name" . }}
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: "{{ .Chart.AppVersion | replace "+" "_" }}"
+ app.kubernetes.io/part-of: {{ include "istio-operator.name" . }}
+ name: {{ .Release.Namespace }}
+{{- end }}
--- /dev/null
+{{ if eq .Values.istioVersion "1.1" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: istios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: Istio
+ plural: istios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ controlPlaneSecurityEnabled:
+ description: ControlPlaneSecurityEnabled control plane services are
+ communicating through mTLS
+ type: boolean
+ defaultConfigVisibility:
+ description: Set the default set of namespaces to which services, service
+ entries, virtual services, destination rules should be exported to
+ type: string
+ defaultPodDisruptionBudget:
+ description: Enable pod disruption budget for the control plane, which
+ is used to ensure Istio control plane components are gradually upgraded
+ or recovered
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ galley:
+ description: Galley configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ gateways:
+ description: Gateways configuration options
+ properties:
+ egress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ enabled:
+ type: boolean
+ ingress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ type: object
+ imagePullPolicy:
+ description: ImagePullPolicy describes a policy for if/when to pull
+ a container image
+ enum:
+ - Always
+ - Never
+ - IfNotPresent
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ istioCoreDNS:
+ description: Istio CoreDNS provides DNS resolution for services in multi
+ mesh setups
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ pluginImage:
+ type: string
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ meshExpansion:
+ description: If set to true, the pilot and citadel mtls will be exposed
+ on the ingress gateway also the remote istios will be connected through
+ gateways
+ type: boolean
+ mixer:
+ description: Mixer configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ mtls:
+ description: MTLS enables or disables global mTLS
+ type: boolean
+ multiMesh:
+ description: Set to true to connect two or more meshes via their respective
+ ingressgateway services when workloads in each cluster cannot directly
+ talk to one another. All meshes should be using Istio mTLS and must
+ have a shared root CA for this model to work.
+ type: boolean
+ nodeAgent:
+ description: NodeAgent configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ outboundTrafficPolicy:
+ description: Set the default behavior of the sidecar for handling outbound
+ traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
+ properties:
+ mode:
+ enum:
+ - ALLOW_ANY
+ - REGISTRY_ONLY
+ type: string
+ type: object
+ pilot:
+ description: Pilot configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ sidecar:
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ traceSampling:
+ format: float
+ type: number
+ type: object
+ proxy:
+ description: Proxy configuration options
+ properties:
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ image:
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sds:
+ description: If SDS is configured, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead of
+ using K8S secrets to mount the certificates
+ properties:
+ enabled:
+ description: If set to true, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead
+ of using K8S secrets to mount the certificates.
+ type: boolean
+ udsPath:
+ description: Unix Domain Socket through which envoy communicates
+ with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
+ files instead of SDS if set to empty.
+ type: string
+ useNormalJwt:
+ description: If set to true, envoy will fetch normal k8s service
+ account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
+ (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
+ and pass to sds server, which will be used to request key/cert
+ eventually this flag is ignored if UseTrustworthyJwt is set
+ type: boolean
+ useTrustworthyJwt:
+ description: 'If set to true, Istio will inject volumes mount for
+ k8s service account JWT, so that K8s API server mounts k8s service
+ account JWT to envoy container, which will be used to generate
+ key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)'
+ type: boolean
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ tracing:
+ description: Configuration for each of the supported tracers
+ properties:
+ datadog:
+ properties:
+ address:
+ description: Host:Port for submitting traces to the Datadog
+ agent.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ enabled:
+ type: boolean
+ lightstep:
+ properties:
+ accessToken:
+ description: required for sending data to the pool
+ type: string
+ address:
+ description: the <host>:<port> of the satellite pool
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ cacertPath:
+ description: the path to the file containing the cacert to use
+ when verifying TLS. If secure is true, this is required. If
+ a value is specified then a secret called "lightstep.cacert"
+ must be created in the destination namespace with the key
+ matching the base of the provided cacertPath and the value
+ being the cacert itself.
+ type: string
+ secure:
+ description: specifies whether data should be sent with TLS
+ type: boolean
+ type: object
+ tracer:
+ enum:
+ - zipkin
+ - lightstep
+ - datadog
+ type: string
+ zipkin:
+ properties:
+ address:
+ description: Host:Port for reporting trace data in zipkin format.
+ If not specified, will default to zipkin service (port 9411)
+ in the same namespace as the other istio components.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ type: object
+ useMCP:
+ description: Use the Mesh Control Protocol (MCP) for configuring Mixer
+ and Pilot. Requires galley.
+ type: boolean
+ version:
+ description: Contains the intended Istio version
+ pattern: ^1.1
+ type: string
+ watchAdapterCRDs:
+ description: Whether or not to establish watches for adapter-specific
+ CRDs
+ type: boolean
+ watchOneNamespace:
+ description: Whether to restrict the applications namespace the controller
+ manages
+ type: boolean
+ required:
+ - version
+ - mtls
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
-{{ if eq .Values.istioVersion 1.2 }}
+{{ if eq .Values.istioVersion "1.2" }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
--- /dev/null
+{{ if eq .Values.istioVersion "1.3" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: istios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: Istio
+ plural: istios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enableNamespacesByDefault:
+ description: 'Determines Citadel default behavior if the ca.istio.io/env
+ or ca.istio.io/override labels are not found on a given namespace. For
+ example: consider a namespace called "target", which has neither
+ the "ca.istio.io/env" nor the "ca.istio.io/override" namespace
+ labels. To decide whether or not to generate secrets for service
+ accounts created in this "target" namespace, Citadel will defer
+ to this option. If the value of this option is "true" in this
+ case, secrets will be generated for the "target" namespace. If
+ the value of this option is "false" Citadel will not generate
+ secrets upon service account creation.'
+ type: boolean
+ enabled:
+ type: boolean
+ healthCheck:
+ description: Enable health checking on the Citadel CSR signing API.
+ https://istio.io/docs/tasks/security/health-check/
+ type: boolean
+ image:
+ type: string
+ maxWorkloadCertTTL:
+ description: Citadel uses a flag max-workload-cert-ttl to control
+ the maximum lifetime for Istio certificates issued to workloads.
+ The default value is 90 days. If workload-cert-ttl on Citadel
+ or node agent is greater than max-workload-cert-ttl, Citadel will
+ fail issuing the certificate.
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ workloadCertTTL:
+ description: For the workloads running in Kubernetes, the lifetime
+ of their Istio certificates is controlled by the workload-cert-ttl
+ flag on Citadel. The default value is 90 days. This value should
+ be no greater than max-workload-cert-ttl of Citadel.
+ type: string
+ type: object
+ clusterName:
+ description: Should be set to the name of the cluster this installation
+ will run in. This is required for sidecar injection to properly label
+ proxies
+ type: string
+ controlPlaneSecurityEnabled:
+ description: ControlPlaneSecurityEnabled control plane services are
+ communicating through mTLS
+ type: boolean
+ defaultConfigVisibility:
+ description: Set the default set of namespaces to which services, service
+ entries, virtual services, destination rules should be exported to
+ type: string
+ defaultPodDisruptionBudget:
+ description: Enable pod disruption budget for the control plane, which
+ is used to ensure Istio control plane components are gradually upgraded
+ or recovered
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ galley:
+ description: Galley configuration options
+ properties:
+ affinity:
+ type: object
+ configValidation:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ gateways:
+ description: Gateways configuration options
+ properties:
+ egress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ enabled:
+ type: boolean
+ ingress:
+ properties:
+ affinity:
+ type: object
+ applicationPorts:
+ type: string
+ enabled:
+ type: boolean
+ loadBalancerIP:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ ports:
+ items:
+ type: object
+ type: array
+ replicaCount:
+ format: int32
+ type: integer
+ requestedNetworkView:
+ type: string
+ resources:
+ type: object
+ sds:
+ properties:
+ enabled:
+ type: boolean
+ image:
+ type: string
+ resources:
+ type: object
+ type: object
+ serviceAnnotations:
+ type: object
+ serviceLabels:
+ type: object
+ serviceType:
+ enum:
+ - ClusterIP
+ - NodePort
+ - LoadBalancer
+ type: string
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ type: object
+ imagePullPolicy:
+ description: ImagePullPolicy describes a policy for if/when to pull
+ a container image
+ enum:
+ - Always
+ - Never
+ - IfNotPresent
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ istioCoreDNS:
+ description: Istio CoreDNS provides DNS resolution for services in multi
+ mesh setups
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ pluginImage:
+ type: string
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ localityLB:
+ description: Locality based load balancing distribution or failover
+ settings.
+ properties:
+ distribute:
+ description: 'Optional: only one of distribute or failover can be
+ set. Explicitly specify loadbalancing weight across different
+ zones and geographical locations. Refer to [Locality weighted
+ load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
+ If empty, the locality weight is set according to the endpoints
+ number within it.'
+ items:
+ properties:
+ from:
+ description: Originating locality, '/' separated, e.g. 'region/zone'.
+ type: string
+ to:
+ description: Map of upstream localities to traffic distribution
+ weights. The sum of all weights should be == 100. Any locality
+ not assigned a weight will receive no traffic.
+ type: object
+ type: object
+ type: array
+ enabled:
+ description: If set to true, locality based load balancing will
+ be enabled
+ type: boolean
+ failover:
+ description: 'Optional: only failover or distribute can be set.
+ Explicitly specify the region traffic will land on when endpoints
+ in local region becomes unhealthy. Should be used together with
+ OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
+ specified, this will not take effect.'
+ items:
+ properties:
+ from:
+ description: Originating region.
+ type: string
+ to:
+ description: Destination region the traffic will fail over
+ to when endpoints in the 'from' region becomes unhealthy.
+ type: string
+ type: object
+ type: array
+ type: object
+ meshExpansion:
+ description: If set to true, the pilot and citadel mtls will be exposed
+ on the ingress gateway also the remote istios will be connected through
+ gateways
+ type: boolean
+ meshID:
+ description: Mesh ID means Mesh Identifier. It should be unique within
+ the scope where meshes will interact with each other, but it is not
+ required to be globally/universally unique.
+ type: string
+ trustDomain:
+ description: The domain serves to identify the system with SPIFFE. (default "cluster.local")
+ type: string
+ mixer:
+ description: Mixer configuration options
+ properties:
+ affinity:
+ type: object
+ checksEnabled:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ multiClusterSupport:
+ description: Turn it on if you use mixer that supports multi cluster
+ telemetry
+ type: boolean
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ reportBatchMaxEntries:
+ description: Set reportBatchMaxEntries to 0 to use the default batching
+ behavior (i.e., every 100 requests). A positive value indicates
+ the number of requests that are batched before telemetry data
+ is sent to the mixer server
+ format: int32
+ type: integer
+ reportBatchMaxTime:
+ description: Set reportBatchMaxTime to 0 to use the default batching
+ behavior (i.e., every 1 second). A positive time value indicates
+ the maximum wait time since the last request will telemetry data
+ be batched before being sent to the mixer server
+ type: string
+ resources:
+ type: object
+ sessionAffinityEnabled:
+ description: Set whether to create a STRICT_DNS type cluster for
+ istio-telemetry.
+ type: boolean
+ stdioAdapterEnabled:
+ description: stdio is a debug adapter in Istio telemetry, it is
+ not recommended for production use
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ mixerlessTelemetry:
+ description: Mixerless telemetry configuration
+ properties:
+ enabled:
+ description: If set to true, experimental Mixerless http telemetry
+ will be enabled
+ type: boolean
+ type: object
+ mtls:
+ description: MTLS enables or disables global mTLS
+ type: boolean
+ multiMesh:
+ description: Set to true to connect two or more meshes via their respective
+ ingressgateway services when workloads in each cluster cannot directly
+ talk to one another. All meshes should be using Istio mTLS and must
+ have a shared root CA for this model to work.
+ type: boolean
+ nodeAgent:
+ description: NodeAgent configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ outboundTrafficPolicy:
+ description: Set the default behavior of the sidecar for handling outbound
+ traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
+ properties:
+ mode:
+ enum:
+ - ALLOW_ANY
+ - REGISTRY_ONLY
+ type: string
+ type: object
+ pilot:
+ description: Pilot configuration options
+ properties:
+ affinity:
+ type: object
+ enableProtocolSniffing:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ sidecar:
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ traceSampling:
+ format: float
+ type: number
+ type: object
+ policy:
+ description: Policy configuration options
+ properties:
+ affinity:
+ type: object
+ checksEnabled:
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ sessionAffinityEnabled:
+ description: Set whether to create a STRICT_DNS type cluster for
+ istio-telemetry.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ proxy:
+ description: Proxy configuration options
+ properties:
+ accessLogEncoding:
+ description: Configure the access log for sidecar to JSON or TEXT.
+ enum:
+ - JSON
+ - TEXT
+ type: string
+ accessLogFile:
+ description: 'Configures the access log for each sidecar. Options: ""
+ - disables access log "/dev/stdout" - enables access log'
+ enum:
+ - ""
+ - /dev/stdout
+ type: string
+ accessLogFormat:
+ description: 'Configure how and what fields are displayed in sidecar
+ access log. Setting to empty string will result in default log
+ format. If accessLogEncoding is TEXT, value will be used directly
+ as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%
+ %PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed
+ as map[string]string example: ''{"start_time": "%START_TIME%",
+ "req_method": "%REQ(:METHOD)%"}'''
+ type: string
+ componentLogLevel:
+ description: Per Component log level for proxy, applies to gateways
+ and sidecars. If a component level is not set, then the "LogLevel"
+ will be used. If left empty, "misc:error" is used.
+ type: string
+ coreDumpImage:
+ description: Image used to enable core dumps. This is only used,
+ when "EnableCoreDump" is set to true.
+ type: string
+ dnsRefreshRate:
+ description: Configure the DNS refresh rate for Envoy cluster of
+ type STRICT_DNS This must be given it terms of seconds. For example,
+ 300s is valid but 5m is invalid.
+ pattern: ^[0-9]{1,5}s$
+ type: string
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ envoyAccessLogService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ tcpKeepalive:
+ properties:
+ interval:
+ type: string
+ probes:
+ format: int32
+ type: integer
+ time:
+ type: string
+ type: object
+ tlsSettings:
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ type: string
+ mode:
+ type: string
+ privateKey:
+ type: string
+ sni:
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ envoyMetricsService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ envoyStatsD:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ image:
+ type: string
+ logLevel:
+ description: 'Log level for proxy, applies to gateways and sidecars.
+ If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
+ enum:
+ - trace
+ - debug
+ - info
+ - warning
+ - error
+ - critical
+ - "off"
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ protocolDetectionTimeout:
+ type: string
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sds:
+ description: If SDS is configured, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead of
+ using K8S secrets to mount the certificates
+ properties:
+ customTokenDirectory:
+ type: string
+ enabled:
+ description: If set to true, mTLS certificates for the sidecars
+ will be distributed through the SecretDiscoveryService instead
+ of using K8S secrets to mount the certificates.
+ type: boolean
+ tokenAudience:
+ description: "The JWT token for SDS and the aud field of such JWT.
+ See RFC 7519, section 4.1.3. When a CSR is sent from Citadel Agent
+ to the CA (e.g. Citadel), this aud is to make sure the \tJWT is
+ intended for the CA."
+ type: string
+ udsPath:
+ description: Unix Domain Socket through which envoy communicates
+ with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
+ files instead of SDS if set to empty.
+ type: string
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ alwaysInjectSelector:
+ description: 'AlwaysInjectSelector: Forces the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match'
+ items:
+ type: object
+ type: array
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enableNamespacesByDefault:
+ description: This controls whether the webhook looks for namespaces
+ for injection enabled or disabled
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ neverInjectSelector:
+ description: 'NeverInjectSelector: Refuses the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match Takes precedence over AlwaysInjectSelector.'
+ items:
+ type: object
+ type: array
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ telemetry:
+ description: Telemetry configuration options
+ properties:
+ affinity:
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ maxReplicas:
+ format: int32
+ type: integer
+ minReplicas:
+ format: int32
+ type: integer
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ reportBatchMaxEntries:
+ description: Set reportBatchMaxEntries to 0 to use the default batching
+ behavior (i.e., every 100 requests). A positive value indicates
+ the number of requests that are batched before telemetry data
+ is sent to the mixer server
+ format: int32
+ type: integer
+ reportBatchMaxTime:
+ description: Set reportBatchMaxTime to 0 to use the default batching
+ behavior (i.e., every 1 second). A positive time value indicates
+ the maximum wait time since the last request will telemetry data
+ be batched before being sent to the mixer server
+ type: string
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ tracing:
+ description: Configuration for each of the supported tracers
+ properties:
+ datadog:
+ properties:
+ address:
+ description: Host:Port for submitting traces to the Datadog
+ agent.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ enabled:
+ type: boolean
+ lightstep:
+ properties:
+ accessToken:
+ description: required for sending data to the pool
+ type: string
+ address:
+ description: the <host>:<port> of the satellite pool
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ cacertPath:
+ description: the path to the file containing the cacert to use
+ when verifying TLS. If secure is true, this is required. If
+ a value is specified then a secret called "lightstep.cacert"
+ must be created in the destination namespace with the key
+ matching the base of the provided cacertPath and the value
+ being the cacert itself.
+ type: string
+ secure:
+ description: specifies whether data should be sent with TLS
+ type: boolean
+ type: object
+ stackdriver:
+ type: object
+ tracer:
+ enum:
+ - zipkin
+ - lightstep
+ - datadog
+ type: string
+ zipkin:
+ properties:
+ address:
+ description: Host:Port for reporting trace data in zipkin format.
+ If not specified, will default to zipkin service (port 9411)
+ in the same namespace as the other istio components.
+ pattern: ^[^\:]+:[0-9]{1,5}$
+ type: string
+ type: object
+ type: object
+ useMCP:
+ description: Use the Mesh Control Protocol (MCP) for configuring Mixer
+ and Pilot. Requires galley.
+ type: boolean
+ version:
+ description: Contains the intended Istio version
+ pattern: ^1.3
+ type: string
+ watchAdapterCRDs:
+ description: Whether or not to establish watches for adapter-specific
+ CRDs
+ type: boolean
+ watchOneNamespace:
+ description: Whether to restrict the applications namespace the controller
+ manages
+ type: boolean
+ required:
+ - version
+ - mtls
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
--- /dev/null
+{{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "istio-operator.fullname" . }}-basic
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-operator-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }}
kind: ServiceAccount
metadata:
name: {{ include "istio-operator.fullname" . }}-operator
+ namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
--- /dev/null
+{{ if eq .Values.istioVersion "1.1" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: remoteistios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: RemoteIstio
+ plural: remoteistios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enabled:
+ type: boolean
+ image:
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ enabledServices:
+ description: EnabledServices the Istio component services replicated
+ to remote side
+ items:
+ properties:
+ labelSelector:
+ type: string
+ name:
+ type: string
+ podIPs:
+ items:
+ type: string
+ type: array
+ ports:
+ items:
+ type: object
+ type: array
+ required:
+ - name
+ type: object
+ type: array
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ proxy:
+ description: Proxy configuration options
+ properties:
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ image:
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ required:
+ - enabledServices
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
-{{ if eq .Values.istioVersion 1.2 }}
+{{ if eq .Values.istioVersion "1.2" }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
--- /dev/null
+{{ if eq .Values.istioVersion "1.3" }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: remoteistios.istio.banzaicloud.io
+ labels:
+ controller-tools.k8s.io: "1.0"
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.Status
+ description: Status of the resource
+ name: Status
+ type: string
+ - JSONPath: .status.ErrorMessage
+ description: Error message
+ name: Error
+ type: string
+ - JSONPath: .status.GatewayAddress
+ description: Ingress gateways of the resource
+ name: Gateways
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: istio.banzaicloud.io
+ names:
+ kind: RemoteIstio
+ plural: remoteistios
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ autoInjectionNamespaces:
+ description: List of namespaces to label with sidecar auto injection
+ enabled
+ items:
+ type: string
+ type: array
+ citadel:
+ description: Citadel configuration options
+ properties:
+ affinity:
+ type: object
+ caSecretName:
+ type: string
+ enableNamespacesByDefault:
+ description: 'Determines Citadel default behavior if the ca.istio.io/env
+ or ca.istio.io/override labels are not found on a given namespace. For
+ example: consider a namespace called "target", which has neither
+ the "ca.istio.io/env" nor the "ca.istio.io/override" namespace
+ labels. To decide whether or not to generate secrets for service
+ accounts created in this "target" namespace, Citadel will defer
+ to this option. If the value of this option is "true" in this
+ case, secrets will be generated for the "target" namespace. If
+ the value of this option is "false" Citadel will not generate
+ secrets upon service account creation.'
+ type: boolean
+ enabled:
+ type: boolean
+ healthCheck:
+ description: Enable health checking on the Citadel CSR signing API.
+ https://istio.io/docs/tasks/security/health-check/
+ type: boolean
+ image:
+ type: string
+ maxWorkloadCertTTL:
+ description: Citadel uses a flag max-workload-cert-ttl to control
+ the maximum lifetime for Istio certificates issued to workloads.
+ The default value is 90 days. If workload-cert-ttl on Citadel
+ or node agent is greater than max-workload-cert-ttl, Citadel will
+ fail issuing the certificate.
+ type: string
+ nodeSelector:
+ type: object
+ resources:
+ type: object
+ tolerations:
+ items:
+ type: object
+ type: array
+ workloadCertTTL:
+ description: For the workloads running in Kubernetes, the lifetime
+ of their Istio certificates is controlled by the workload-cert-ttl
+ flag on Citadel. The default value is 90 days. This value should
+ be no greater than max-workload-cert-ttl of Citadel.
+ type: string
+ type: object
+ clusterName:
+ description: Should be set to the name of the cluster, this is required
+ for sidecar injection to properly label proxies
+ type: string
+ defaultResources:
+ description: DefaultResources are applied for all Istio components by
+ default, can be overridden for each component
+ type: object
+ enabledServices:
+ description: EnabledServices the Istio component services replicated
+ to remote side
+ items:
+ properties:
+ labelSelector:
+ type: string
+ name:
+ type: string
+ podIPs:
+ items:
+ type: string
+ type: array
+ ports:
+ items:
+ type: object
+ type: array
+ required:
+ - name
+ type: object
+ type: array
+ excludeIPRanges:
+ description: ExcludeIPRanges the range where not to capture egress traffic
+ type: string
+ includeIPRanges:
+ description: IncludeIPRanges the range where to capture egress traffic
+ type: string
+ proxy:
+ description: Proxy configuration options
+ properties:
+ accessLogEncoding:
+ description: Configure the access log for sidecar to JSON or TEXT.
+ enum:
+ - JSON
+ - TEXT
+ type: string
+ accessLogFile:
+ description: 'Configures the access log for each sidecar. Options: ""
+ - disables access log "/dev/stdout" - enables access log'
+ enum:
+ - ""
+ - /dev/stdout
+ type: string
+ accessLogFormat:
+ description: 'Configure how and what fields are displayed in sidecar
+ access log. Setting to empty string will result in default log
+ format. If accessLogEncoding is TEXT, value will be used directly
+ as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%
+ %PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed
+ as map[string]string example: ''{"start_time": "%START_TIME%",
+ "req_method": "%REQ(:METHOD)%"}'''
+ type: string
+ componentLogLevel:
+ description: Per Component log level for proxy, applies to gateways
+ and sidecars. If a component level is not set, then the "LogLevel"
+ will be used. If left empty, "misc:error" is used.
+ type: string
+ coreDumpImage:
+ description: Image used to enable core dumps. This is only used,
+ when "EnableCoreDump" is set to true.
+ type: string
+ dnsRefreshRate:
+ description: Configure the DNS refresh rate for Envoy cluster of
+ type STRICT_DNS This must be given it terms of seconds. For example,
+ 300s is valid but 5m is invalid.
+ pattern: ^[0-9]{1,5}s$
+ type: string
+ enableCoreDump:
+ description: If set, newly injected sidecars will have core dumps
+ enabled.
+ type: boolean
+ envoyAccessLogService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ tcpKeepalive:
+ properties:
+ interval:
+ type: string
+ probes:
+ format: int32
+ type: integer
+ time:
+ type: string
+ type: object
+ tlsSettings:
+ properties:
+ caCertificates:
+ type: string
+ clientCertificate:
+ type: string
+ mode:
+ type: string
+ privateKey:
+ type: string
+ sni:
+ type: string
+ subjectAltNames:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ envoyMetricsService:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ envoyStatsD:
+ properties:
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ format: int32
+ type: integer
+ type: object
+ image:
+ type: string
+ logLevel:
+ description: 'Log level for proxy, applies to gateways and sidecars.
+ If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
+ enum:
+ - trace
+ - debug
+ - info
+ - warning
+ - error
+ - critical
+ - "off"
+ type: string
+ privileged:
+ description: If set to true, istio-proxy container will have privileged
+ securityContext
+ type: boolean
+ protocolDetectionTimeout:
+ type: string
+ resources:
+ type: object
+ type: object
+ proxyInit:
+ description: Proxy Init configuration options
+ properties:
+ image:
+ type: string
+ type: object
+ sidecarInjector:
+ description: SidecarInjector configuration options
+ properties:
+ affinity:
+ type: object
+ alwaysInjectSelector:
+ description: 'AlwaysInjectSelector: Forces the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match'
+ items:
+ type: object
+ type: array
+ autoInjectionPolicyEnabled:
+ description: This controls the 'policy' in the sidecar injector
+ type: boolean
+ enableNamespacesByDefault:
+ description: This controls whether the webhook looks for namespaces
+ for injection enabled or disabled
+ type: boolean
+ enabled:
+ type: boolean
+ image:
+ type: string
+ init:
+ properties:
+ resources:
+ type: object
+ type: object
+ initCNIConfiguration:
+ properties:
+ affinity:
+ type: object
+ binDir:
+ description: Must be the same as the environment’s --cni-bin-dir
+ setting (kubelet parameter)
+ type: string
+ confDir:
+ description: Must be the same as the environment’s --cni-conf-dir
+ setting (kubelet parameter)
+ type: string
+ enabled:
+ description: If true, the privileged initContainer istio-init
+ is not needed to perform the traffic redirect settings for
+ the istio-proxy
+ type: boolean
+ excludeNamespaces:
+ description: List of namespaces to exclude from Istio pod check
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ logLevel:
+ description: Logging level for CNI binary
+ type: string
+ type: object
+ neverInjectSelector:
+ description: 'NeverInjectSelector: Refuses the injection on pods
+ whose labels match this selector. It''s an array of label selectors,
+ that will be OR''ed, meaning we will iterate over it and stop
+ at the first match Takes precedence over AlwaysInjectSelector.'
+ items:
+ type: object
+ type: array
+ nodeSelector:
+ type: object
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ type: object
+ rewriteAppHTTPProbe:
+ description: If true, sidecar injector will rewrite PodSpec for
+ liveness health check to redirect request to sidecar. This makes
+ liveness check work even when mTLS is enabled.
+ type: boolean
+ tolerations:
+ items:
+ type: object
+ type: array
+ type: object
+ required:
+ - enabledServices
+ type: object
+ status:
+ type: object
+ version: v1beta1
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+{{- end }}
kind: Service
metadata:
name: "{{ include "istio-operator.fullname" . }}-operator"
+ namespace: {{ .Release.Namespace }}
{{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
annotations:
prometheus.io/scrape: "true"
app.kubernetes.io/component: operator
ports:
- name: https
+ protocol: TCP
port: 443
+ targetPort: 443
{{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- name: metrics
+ protocol: TCP
port: 8080
+ targetPort: 8080
{{- end }}
kind: StatefulSet
metadata:
name: "{{ include "istio-operator.fullname" . }}-operator"
+ namespace: {{ .Release.Namespace }}
labels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
-
-
+#/*Copyright 2019 Intel Corporation, Inc
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# */
+
+# Default values for istio-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
operator:
image:
repository: banzaicloud/istio-operator
- tag: 0.2.1
+ tag: 0.3.3
pullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 128Mi
-istioVersion: 1.2
+istioVersion: "1.3"
-## Prometheus Metrics
+# If you want the operator to expose the /metrics
prometheusMetrics:
enabled: false
-# Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
+ # Enable or disable the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+ # which protects your /metrics endpoint.
authProxy:
- enabled: false
+ enabled: true
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ tag: v0.4.0
+ pullPolicy: IfNotPresent
## Role Based Access
## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
enabled: true
+ ## Pod Security Policies
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ psp:
+ enabled: true
nameOverride: ""
fullnameOverride: ""
# Steps for Instaling Istio with Istio- Operator
# Step 1 - Add the helm chart to install Istio in sds configuration
+# NOTE - Edit the namespaces in istio/istio-instance/values.yaml
+# to enable istio-injection
helm install istio-instance --name istio --namespace istio-system
sds:
enabled: {{ .Values.spec.sds.enabled }}
udsPath: {{ .Values.spec.sds.udsPath | quote }}
- useTrustworthyJwt: {{ .Values.spec.sds.useTrustworthyJwt }}
- useNormalJwt: {{ .Values.spec.sds.useNormalJwt }}
+ tokenAudience: {{ .Values.spec.sds.tokenAudience | quote}}
gateways:
enabled: {{ .Values.spec.gateways.enabled }}
ingress:
# * limitations under the License.
# */
#Declare variables to be passed into Istio SDS template file.
+#NOTE : EDit the namespace for which you need Istio injection
metadata:
name: "istio-sample"
spec:
- version: "1.2.2"
+ version: "1.3.3"
mtls: true
autoInjectionNamespaces:
- -
+ - "default"
sds:
enabled: true
udsPath: "unix:/var/run/sds/uds_path"
- useTrustworthyJwt: false
- useNormalJwt: true
+ tokenAudience: "istio-ca"
gateways:
enabled: true
ingress:
enabled: true
sds:
enabled: true
- image: "docker.io/istio/node-agent-k8s:1.2.2"
+ image: "docker.io/istio/node-agent-k8s:1.3.3"
nodeAgent:
enabled: true
- image : "docker.io/istio/node-agent-k8s:1.2.2"
+ image : "docker.io/istio/node-agent-k8s:1.3.3"
Code Review / multicloud / k8s.git / commitdiff