diff --git a/istio-init/Chart.yaml b/istio-init/Chart.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ab4ce1fa5e0c0bcee19b7990284b860f725e4611 --- /dev/null +++ b/istio-init/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: istio-init +version: 1.1.0 +appVersion: 1.1.0 +tillerVersion: ">=2.7.2-0" +description: Helm chart to initialize Istio CRDs +keywords: + - istio + - crd +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio-init/README.md b/istio-init/README.md new file mode 100644 index 0000000000000000000000000000000000000000..9a1330bf05d54dbf1a3165283af987a4d29c5272 --- /dev/null +++ b/istio-init/README.md 
@@ -0,0 +1,77 @@ +# Istio + +[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. + +## Introduction + +This chart bootstraps Istio's [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) +which are an internal implementation detail of Istio. CRDs define data structures for storing runtime configuration +specified by a human operator. + +This chart must be run to completion prior to running other Istio charts, or other Istio charts will fail to initialize. + +## Prerequisites + +- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required +- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required + +## Resources Required + +The chart deploys pods that consume minimal resources. + +## Installing the Chart + +1. If a service account has not already been installed for Tiller, install one: + ``` + $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml + ``` + +1. If Tiller has not already been installed in your cluster, Install Tiller on your cluster with the service account: + ``` + $ helm init --service-account tiller + ``` + +1. Install the Istio initializer chart: + ``` + $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system + ``` + + > Although you can install the `istio-init` chart to any namespace, it is recommended to install `istio-init` in the same namespace(`istio-system`) as other Istio charts. + +## Configuration + +The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. +To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. 
+ +Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table: + +| Parameter | Description | Values | Default | +| --- | --- | --- | --- | +| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` | +| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | +| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | + + +## Uninstalling the Chart + +> Uninstalling this chart does not delete Istio's registered CRDs. Istio by design expects +> CRDs to leak into the Kubernetes environment. As CRDs contain all runtime configuration +> data in CustomResources the Istio designers feel it is better to explicitly delete this +> configuration rather then unexpectedly lose it. + +To uninstall/delete the `istio-init` release but continue to track the release: + ``` + $ helm delete istio-init + ``` + +To uninstall/delete the `istio-init` release completely and make its name free for later use: + ``` + $ helm delete istio-init --purge + ``` + +> Warning: Deleting CRDs will delete any configuration that you have made to Istio. + +To delete all CRDs, run the following command + ``` + $ for i in istio-init/files/*crd*yaml; do kubectl delete -f $i; done + ``` diff --git a/istio-init/files/crd-10.yaml b/istio-init/files/crd-10.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f3ac8f7b5915c37badb905d63ef7c9e07d9d685a --- /dev/null +++ b/istio-init/files/crd-10.yaml 
@@ -0,0 +1,594 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/hook": crd-install +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + 
name: policies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: 
istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + 
kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 + additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: 
v1alpha2 +--- diff --git a/istio-init/files/crd-11.yaml b/istio-init/files/crd-11.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f3711ec0773927d921ff9145c8205b632a77dc6c --- /dev/null +++ b/istio-init/files/crd-11.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- diff --git a/istio-init/files/crd-12.yaml b/istio-init/files/crd-12.yaml new file mode 100644 index 0000000000000000000000000000000000000000..36e0c8a26a80c22b928f632c055c562643c1e0a9 --- /dev/null +++ b/istio-init/files/crd-12.yaml @@ -0,0 +1,21 @@ +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizationpolicies.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio +spec: + group: rbac.istio.io + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- diff --git a/istio-init/files/crd-certmanager-10.yaml b/istio-init/files/crd-certmanager-10.yaml new file mode 100644 index 0000000000000000000000000000000000000000..594b659d5f9a97eeaa0d696401eb5f06ffaa2b07 --- /dev/null +++ b/istio-init/files/crd-certmanager-10.yaml 
@@ -0,0 +1,81 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/hook": crd-install +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/hook": crd-install +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/hook": crd-install +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs diff --git a/istio-init/files/crd-certmanager-11.yaml b/istio-init/files/crd-certmanager-11.yaml new file mode 100644 index 0000000000000000000000000000000000000000..963f2719494098cd6d4fd060a1e349c8d368bf2b --- /dev/null +++ b/istio-init/files/crd-certmanager-11.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Challenge + plural: challenges + scope: Namespaced diff --git a/istio-init/templates/clusterrole.yaml b/istio-init/templates/clusterrole.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f7116c81728c47792f13aa42ad19b3ea0e1456e4 --- /dev/null +++ b/istio-init/templates/clusterrole.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-init-{{ .Release.Namespace }} + labels: + app: istio-init + istio: init +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "create", "watch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "get", "list", "watch", "patch"] diff --git a/istio-init/templates/clusterrolebinding.yaml b/istio-init/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000000000000000000000000000000000..481674c0e59b333b1da798d86916ef2274de7980 --- /dev/null +++ b/istio-init/templates/clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-init-admin-role-binding-{{ .Release.Namespace }} + labels: + app: istio-init + istio: init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-init-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-init-service-account + namespace: {{ .Release.Namespace }} diff --git a/istio-init/templates/configmap-crd-10.yaml b/istio-init/templates/configmap-crd-10.yaml new file mode 100644 index 0000000000000000000000000000000000000000..69e37fa14c43bde3998f1eb47ee973a30276c914 --- /dev/null +++ b/istio-init/templates/configmap-crd-10.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-10 +data: + crd-10.yaml: |- +{{.Files.Get "files/crd-10.yaml" | printf "%s" | indent 4}} diff --git a/istio-init/templates/configmap-crd-11.yaml b/istio-init/templates/configmap-crd-11.yaml new file mode 100644 index 0000000000000000000000000000000000000000..952640d60b36233063e10e80f96fa456943843d2 --- /dev/null +++ b/istio-init/templates/configmap-crd-11.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-11 +data: + crd-11.yaml: |- +{{.Files.Get "files/crd-11.yaml" | printf "%s" | indent 4}} diff --git a/istio-init/templates/configmap-crd-12.yaml b/istio-init/templates/configmap-crd-12.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a49736534457a95c92cff3568bc506774cc70fcd --- /dev/null +++ b/istio-init/templates/configmap-crd-12.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-12 +data: + crd-12.yaml: |- +{{.Files.Get "files/crd-12.yaml" | printf "%s" | indent 4}} diff --git a/istio-init/templates/configmap-crd-certmanager-10.yaml b/istio-init/templates/configmap-crd-certmanager-10.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8ab3e835680ffba380a6eee54acc64bbeb1c9010 --- /dev/null +++ b/istio-init/templates/configmap-crd-certmanager-10.yaml @@ -0,0 +1,10 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-certmanager-10 +data: + crd-certmanager-10.yaml: |- +{{.Files.Get "files/crd-certmanager-10.yaml" | printf "%s" | indent 4}} +{{- end }} 
diff --git a/istio-init/templates/configmap-crd-certmanager-11.yaml b/istio-init/templates/configmap-crd-certmanager-11.yaml new file mode 100644 index 0000000000000000000000000000000000000000..beef3043d0db558c6cff96f208a4e3165ad5d8ff --- /dev/null +++ b/istio-init/templates/configmap-crd-certmanager-11.yaml @@ -0,0 +1,10 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-certmanager-11 +data: + crd-certmanager-11.yaml: |- +{{.Files.Get "files/crd-certmanager-11.yaml" | printf "%s" | indent 4}} +{{- end }} diff --git a/istio-init/templates/job-crd-10.yaml b/istio-init/templates/job-crd-10.yaml new file mode 100644 index 0000000000000000000000000000000000000000..87d646915752905800f572ffe758fa4d98d6e2f4 --- /dev/null +++ b/istio-init/templates/job-crd-10.yaml @@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-10 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-10 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-10 + mountPath: /etc/istio/crd-10 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-10/crd-10.yaml"] + volumes: + - name: crd-10 + configMap: + name: istio-crd-10 + restartPolicy: OnFailure diff --git a/istio-init/templates/job-crd-11.yaml b/istio-init/templates/job-crd-11.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0f3a4b895da6282716472e0967c7335f21b50946 --- /dev/null +++ b/istio-init/templates/job-crd-11.yaml 
@@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-11 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-11 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-11 + mountPath: /etc/istio/crd-11 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-11/crd-11.yaml"] + volumes: + - name: crd-11 + configMap: + name: istio-crd-11 + restartPolicy: OnFailure diff --git a/istio-init/templates/job-crd-12.yaml b/istio-init/templates/job-crd-12.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a8d483cf3eb8ec3f53139e1729f0ca4f590e490f --- /dev/null +++ b/istio-init/templates/job-crd-12.yaml @@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-12 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-12 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-12 + mountPath: /etc/istio/crd-12 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-12/crd-12.yaml"] + volumes: + - name: crd-12 + configMap: + name: istio-crd-12 + restartPolicy: OnFailure diff --git a/istio-init/templates/job-crd-certmanager-10.yaml b/istio-init/templates/job-crd-certmanager-10.yaml new file mode 100644 index 0000000000000000000000000000000000000000..028df6e6c9d9144fb50f0151f9376c83e5c1bf90 --- /dev/null +++ b/istio-init/templates/job-crd-certmanager-10.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-certmanager-10 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-certmanager-10 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-certmanager-10 + mountPath: /etc/istio/crd-certmanager-10 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-10/crd-certmanager-10.yaml"] + volumes: + - name: crd-certmanager-10 + configMap: + name: istio-crd-certmanager-10 + restartPolicy: OnFailure +{{- end }} diff --git a/istio-init/templates/job-crd-certmanager-11.yaml b/istio-init/templates/job-crd-certmanager-11.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1b6cb4e3548ff05290aa1173d49ce8c1691c4723 --- /dev/null +++ b/istio-init/templates/job-crd-certmanager-11.yaml @@ -0,0 +1,28 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-certmanager-11 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-certmanager-11 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-certmanager-11 + mountPath: /etc/istio/crd-certmanager-11 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-11/crd-certmanager-11.yaml"] + volumes: + - name: crd-certmanager-11 + configMap: + name: istio-crd-certmanager-11 + restartPolicy: OnFailure +{{- end }} 
diff --git a/istio-init/templates/serviceaccount.yaml b/istio-init/templates/serviceaccount.yaml new file mode 100644 index 0000000000000000000000000000000000000000..dce901750e316d7770c7e1f88d3fbf436cc085e7 --- /dev/null +++ b/istio-init/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-init-service-account + namespace: {{ .Release.Namespace }} + labels: + app: istio-init + istio: init + diff --git a/istio-init/values.yaml b/istio-init/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..25f9ef186ed2e5ba4eb03f22b909939a514ba6ee --- /dev/null +++ b/istio-init/values.yaml @@ -0,0 +1,16 @@ +global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: master-latest-daily + + # imagePullPolicy is applied to istio control plane components. + # local tests require IfNotPresent, to avoid uploading to dockerhub. + # TODO: Switch to Always as default, and override in the local tests. + imagePullPolicy: IfNotPresent + +certmanager: + enabled: false diff --git a/istio/.helmignore b/istio/.helmignore new file mode 100644 index 0000000000000000000000000000000000000000..f0c13194444163d1cba5c67d9e79231a62bc8f44 --- /dev/null +++ b/istio/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/istio/Chart.yaml b/istio/Chart.yaml index 592e39f211a97a1456c3ce80eb74c4df725c2a0b..9132dfd9287236a67b117c1c57e3735cb551183b 100644 --- a/istio/Chart.yaml 
+++ b/istio/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: istio -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.2 +appVersion: 1.1.2 tillerVersion: ">=2.7.2-0" description: Helm chart for all istio components keywords: diff --git a/istio/README.md b/istio/README.md index 466864e273aed2777252932ef8d463db23ff5fd5..a1cf37d705fb2672f279eae75f1da2c2589f8922 100644 --- a/istio/README.md +++ b/istio/README.md @@ -2,14 +2,17 @@ [Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. + + +The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses. + ## Introduction -This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. ## Chart Details -This chart can install multiple istio components as subcharts: -- ingress +This chart can install multiple Istio components as subcharts: - ingressgateway - egressgateway - sidecarInjectorWebhook 
@@ -30,6 +33,7 @@ To enable or disable each component, change the corresponding `enabled` flag. - Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required - Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required - If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order. +- The `istio-init` chart must be run to completion prior to install the `istio` chart. ## Resources Required 
@@ -38,33 +42,83 @@ The chart deploys pods that consume minimum resources as specified in the resour ## Installing the Chart 1. If a service account has not already been installed for Tiller, install one: -``` -$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml -``` - -2. Install Tiller on your cluster with the service account: -``` -$ helm init --service-account tiller -``` - -3. Install Istio’s [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver: - ``` - $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml - ``` - **Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver: - ``` - $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml - ``` - -4. To install the chart with the release name `istio` in namespace `istio-system`: + ``` + $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml + ``` + +1. Install Tiller on your cluster with the service account: + ``` + $ helm init --service-account tiller + ``` + +1. Set and create the namespace where Istio was installed: + ``` + $ NAMESPACE=istio-system + $ kubectl create ns $NAMESPACE + ``` + +1. 
If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for `kiali` dashboard: + ``` + $ echo -n 'admin' | base64 + YWRtaW4= + $ echo -n '1f2d1e2e67df' | base64 + MWYyZDFlMmU2N2Rm + $ cat <=1.9.0): ``` - $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system + $ helm install istio --name istio --namespace $NAMESPACE ``` - Without the sidecar injection webhook: ``` - $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false + $ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false ``` ## Configuration 
@@ -72,46 +126,16 @@ $ helm init --service-account tiller The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. -Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table: - -| Parameter | Description | Values | Default | -| --- | --- | --- | --- | -| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` | -| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | -| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` | -| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` | -| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | -| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` | -| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` | -| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` | -| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` | -| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | -| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | -| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | -| 
`ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` | -| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` | -| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` | -| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | `true` | -| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` | -| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` | -| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` | -| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` | -| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` | -| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" | -| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` | -| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` | -| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` | -| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` | +Helm charts expose configuration options which are currently in alpha. The currently exposed options can be found [here](https://istio.io/docs/reference/config/installation-options/). ## Uninstalling the Chart -To uninstall/delete the `istio` release: -``` -$ helm delete istio -``` -The command removes all the Kubernetes components associated with the chart and deletes the release. 
+To uninstall/delete the `istio` release but continue to track the release: + ``` + $ helm delete istio + ``` To uninstall/delete the `istio` release completely and make its name free for later use: -``` -$ helm delete istio --purge -``` + ``` + $ helm delete istio --purge + ``` diff --git a/istio/charts/certmanager/Chart.yaml b/istio/charts/certmanager/Chart.yaml index fd2e2069f4b9184f134c4f3081232f9d92109b97..b83f4d1e3f8a4d947c699ad325d1e07b1284283a 100644 --- a/istio/charts/certmanager/Chart.yaml +++ b/istio/charts/certmanager/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: certmanager -version: 1.0.1 -appVersion: 0.3.1 +version: 1.1.0 +appVersion: 0.6.2 tillerVersion: ">=2.7.2" diff --git a/istio/charts/certmanager/templates/NOTES.txt b/istio/charts/certmanager/templates/NOTES.txt new file mode 100644 index 0000000000000000000000000000000000000000..0307ede4ca95c010000b5443b1642d1169a853da --- /dev/null +++ b/istio/charts/certmanager/templates/NOTES.txt @@ -0,0 +1,6 @@ +certmanager has been deployed successfully! + +More information on the different types of issuers and how to configure them +can be found in our documentation: + +https://cert-manager.readthedocs.io/en/latest/reference/issuers.html \ No newline at end of file diff --git a/istio/charts/certmanager/templates/_helpers.tpl b/istio/charts/certmanager/templates/_helpers.tpl index 8cb480b484deb825ebf5712613fc62170196dd4c..331a91d433006f70d6097a65af37febc500ccc03 100644 --- a/istio/charts/certmanager/templates/_helpers.tpl +++ b/istio/charts/certmanager/templates/_helpers.tpl 
@@ -9,16 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "certmanager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} -{{- $fullname := printf "%s-%s" $name .Release.Name -}} -{{- default $fullname .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} {{- end -}} {{/* Create chart name and version as used by the chart label. */}} {{- define "certmanager.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/istio/charts/certmanager/templates/crds.yaml b/istio/charts/certmanager/templates/crds.yaml deleted file mode 100644 index f5fb4aaeb5fa529effabfe775012c471f03c3d33..0000000000000000000000000000000000000000 --- a/istio/charts/certmanager/templates/crds.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.certmanager.k8s.io - annotations: - "helm.sh/hook": crd-install - labels: - app: certmanager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.certmanager.k8s.io - annotations: - "helm.sh/hook": crd-install - labels: - app: certmanager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Issuer - plural: issuers - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: certificates.certmanager.k8s.io - annotations: - "helm.sh/hook": crd-install - labels: - app: certmanager -spec: - group: certmanager.k8s.io - version: v1alpha1 - scope: Namespaced - names: - kind: Certificate - plural: certificates - shortNames: - - cert - - certs diff --git a/istio/charts/certmanager/templates/deployment.yaml b/istio/charts/certmanager/templates/deployment.yaml index f113d7b7b8371a4eac57b1dcc3ee674ddaa71a3c..83a1e8bab9e3a7dd10e0394ca3014a991ebf2cf3 100644 --- a/istio/charts/certmanager/templates/deployment.yaml +++ b/istio/charts/certmanager/templates/deployment.yaml @@ -1,10 +1,13 @@ -apiVersion: apps/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: certmanager namespace: {{ .Release.Namespace }} labels: - app: {{ template "certmanager.name" . }} + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: 1 selector: 
@@ -14,53 +17,47 @@ spec: metadata: labels: app: certmanager -{{- if .Values.podLabels }} + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- if .Values.podLabels }} {{ toYaml .Values.podLabels | indent 8 }} -{{- end }} + {{- end }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - {{- if .Values.podAnnotations }} + {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} + {{- end }} spec: serviceAccountName: certmanager {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} containers: - - name: certmanager - image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - args: - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=$(POD_NAMESPACE) - {{- if .Values.extraArgs }} -{{ toYaml .Values.extraArgs | indent 10 }} - {{- end }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . 
| indent 8 }} - {{- end }} -{{- if .Values.podDnsPolicy }} + - name: certmanager + image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=$(POD_NAMESPACE) + {{- if .Values.extraArgs }} +{{ toYaml .Values.extraArgs | indent 8 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: +{{ toYaml .Values.resources | indent 10 }} + + {{- if .Values.podDnsPolicy }} dnsPolicy: {{ .Values.podDnsPolicy }} -{{- end }} -{{- if .Values.podDnsConfig }} + {{- end }} + {{- if .Values.podDnsConfig }} dnsConfig: -{{ toYaml .Values.podDnsConfig | indent 8 }} -{{- end }} + {{ toYaml .Values.podDnsConfig | indent 8 }} + {{- end }} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/certmanager/templates/issuer.yaml b/istio/charts/certmanager/templates/issuer.yaml index 15dfc068b353bed3d1827c884abad0bc7493bbee..59402daea20fbac3efedb3d90f496734b41fc171 100644 --- a/istio/charts/certmanager/templates/issuer.yaml +++ b/istio/charts/certmanager/templates/issuer.yaml @@ -4,6 +4,11 @@ kind: ClusterIssuer metadata: name: letsencrypt-staging namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory @@ -18,6 +23,11 @@ kind: ClusterIssuer metadata: name: letsencrypt namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: acme: server: https://acme-v02.api.letsencrypt.org/directory 
diff --git a/istio/charts/certmanager/templates/poddisruptionbudget.yaml b/istio/charts/certmanager/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b251e3653f54e19c473b32a083a53fa013f070d2 --- /dev/null +++ b/istio/charts/certmanager/templates/poddisruptionbudget.yaml @@ -0,0 +1,24 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: certmanager + namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + version: {{ .Chart.Version }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 4 }} + {{- end }} +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: certmanager + release: {{ .Release.Name }} +{{- end }} diff --git a/istio/charts/certmanager/templates/rbac.yaml b/istio/charts/certmanager/templates/rbac.yaml index c9738dee971a49c58712d280242c1efac8ac1a48..b3a4ef3401f6cf61d610679bceb48cc33157a5bc 100644 --- a/istio/charts/certmanager/templates/rbac.yaml +++ b/istio/charts/certmanager/templates/rbac.yaml 
@@ -1,31 +1,32 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: certmanager labels: app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} rules: - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "issuers", "clusterissuers"] + resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"] verbs: ["*"] - apiGroups: [""] - # TODO: remove endpoints once 0.4 is released. We include it here in case - # users use the 'master' version of the Helm chart with a 0.2.x release of - # certManager that still performs leader election with Endpoint resources. - # We advise users don't do this, but some will anyway and this will reduce - # friction. - resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"] + resources: ["configmaps", "secrets", "events", "services", "pods"] verbs: ["*"] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: ["*"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: certmanager labels: app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/istio/charts/certmanager/templates/serviceaccount.yaml b/istio/charts/certmanager/templates/serviceaccount.yaml index 0bfb517a7d87b3a93fb4a0a95fc9c360ac5629ce..f875435088aaf81fbd2ac5547092e52cff7fad82 100644 --- a/istio/charts/certmanager/templates/serviceaccount.yaml +++ b/istio/charts/certmanager/templates/serviceaccount.yaml @@ -11,3 +11,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} 
diff --git a/istio/charts/certmanager/values.yaml b/istio/charts/certmanager/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..33c2857c7ff431e69966dee0d48d38e229925ca4 --- /dev/null +++ b/istio/charts/certmanager/values.yaml @@ -0,0 +1,31 @@ +# Certmanager uses ACME to sign certificates. Since Istio gateways are +# mounting the TLS secrets the Certificate CRDs must be created in the +# istio-system namespace. Once the certificate has been created, the +# gateway must be updated by adding 'secretVolumes'. After the gateway +# restart, DestinationRules can be created using the ACME-signed certificates. +enabled: false +hub: quay.io/jetstack +tag: v0.6.2 +resources: {} +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/galley/Chart.yaml b/istio/charts/galley/Chart.yaml index 99625e1d7da1e835c5a5a62c5a67f8ad2d056e11..5933bde12f66c12ff8fae570e6fbe5735d015c95 100644 --- a/istio/charts/galley/Chart.yaml +++ b/istio/charts/galley/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 name: galley -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for galley deployment keywords: diff --git a/istio/charts/galley/OWNERS b/istio/charts/galley/OWNERS new file mode 100644 index 0000000000000000000000000000000000000000..d6a0e1b9752fcdbf623be4779d270b369ddce8a5 --- /dev/null +++ b/istio/charts/galley/OWNERS @@ -0,0 +1,5 @@ +approvers: + - cmluciano + - geeknoid + - ozevren + - ayj diff --git a/istio/charts/galley/templates/_helpers.tpl b/istio/charts/galley/templates/_helpers.tpl index 3df13cc21824bbe6da916b89a03464e11e979724..5d42f4a03368e71f4159fee511f5228c8218f07e 100644 --- a/istio/charts/galley/templates/_helpers.tpl +++ b/istio/charts/galley/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "galley.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "galley.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/galley/templates/clusterrole.yaml b/istio/charts/galley/templates/clusterrole.yaml index a10cc3df2b3601f1db94a3a67f9953f51b31175b..6385c888298b65bed08db9489f1c99c43b26174d 100644 --- a/istio/charts/galley/templates/clusterrole.yaml +++ b/istio/charts/galley/templates/clusterrole.yaml 
@@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-galley-{{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -14,11 +14,26 @@ rules: - apiGroups: ["config.istio.io"] # istio mixer CRD watcher resources: ["*"] verbs: ["get", "list", "watch"] -- apiGroups: ["*"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions","apps"] resources: ["deployments"] resourceNames: ["istio-galley"] verbs: ["get"] -- apiGroups: ["*"] - resources: ["endpoints"] +- apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["deployments/finalizers"] resourceNames: ["istio-galley"] - verbs: ["get"] + verbs: ["update"] diff --git a/istio/charts/galley/templates/clusterrolebinding.yaml b/istio/charts/galley/templates/clusterrolebinding.yaml index 11c51ddd493308b34fe81fa0c3e4ece60cfa8947..88cde2554b1757381ff45726f7e9720062674040 100644 --- a/istio/charts/galley/templates/clusterrolebinding.yaml +++ b/istio/charts/galley/templates/clusterrolebinding.yaml 
@@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-galley-admin-role-binding-{{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/galley/templates/configmap.yaml b/istio/charts/galley/templates/configmap.yaml index 2d1ed2cbcf514a688438dd57f1a285d9c6e94d70..b138f2ef865624e24a9c8f4564e517ddc7d6c58c 100644 --- a/istio/charts/galley/templates/configmap.yaml +++ b/istio/charts/galley/templates/configmap.yaml @@ -4,12 +4,11 @@ metadata: name: istio-galley-configuration namespace: {{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} - istio: mixer + release: {{ .Release.Name }} + istio: galley data: validatingwebhookconfiguration.yaml: |- - {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} - + {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} \ No newline at end of file diff --git a/istio/charts/galley/templates/deployment.yaml b/istio/charts/galley/templates/deployment.yaml index aed8f3b39aafc94f5629ae3b26c1d2783becfc99..0ef8ded63c428fb91d573f068c4831f785ab04ea 100644 --- a/istio/charts/galley/templates/deployment.yaml +++ b/istio/charts/galley/templates/deployment.yaml 
@@ -1,16 +1,19 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-galley namespace: {{ .Release.Namespace }} labels: app: {{ template "galley.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: galley spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: galley strategy: rollingUpdate: maxSurge: 1 
@@ -18,46 +21,68 @@ spec: template: metadata: labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: galley annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-galley-service-account {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} containers: - - name: validator + - name: galley +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - containerPort: 443 - - containerPort: 9093 + - containerPort: {{ .Values.global.monitoringPort }} + - containerPort: 9901 command: - /usr/local/bin/galley - - validator - - --deployment-namespace={{ .Release.Namespace }} - - --caCertFile=/etc/istio/certs/root-cert.pem - - --tlsCertFile=/etc/istio/certs/cert-chain.pem - - --tlsKeyFile=/etc/istio/certs/key.pem - - --healthCheckInterval=1s - - --healthCheckFile=/health - - --webhook-config-file - - /etc/istio/config/validatingwebhookconfiguration.yaml + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s +{{- if $.Values.global.controlPlaneSecurityEnabled}} + - --insecure=false +{{- else }} + - --insecure=true +{{- end }} +{{- if not $.Values.global.useMCP }} + - --enable-server=false +{{- end }} + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort={{ .Values.global.monitoringPort }} +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} volumeMounts: - name: certs - mountPath: /etc/istio/certs + mountPath: /etc/certs 
readOnly: true - name: config - mountPath: /etc/istio/config + mountPath: /etc/config + readOnly: true + - name: mesh-config + mountPath: /etc/mesh-config readOnly: true livenessProbe: exec: command: - /usr/local/bin/galley - probe - - --probe-path=/health + - --probe-path=/healthliveness - --interval=10s initialDelaySeconds: 5 periodSeconds: 5 @@ -66,7 +91,7 @@ spec: command: - /usr/local/bin/galley - probe - - --probe-path=/health + - --probe-path=/healthready - --interval=10s initialDelaySeconds: 5 periodSeconds: 5 @@ -83,5 +108,9 @@ spec: - name: config configMap: name: istio-galley-configuration + - name: mesh-config + configMap: + name: istio affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/galley/templates/poddisruptionbudget.yaml b/istio/charts/galley/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000000000000000000000000000000000..75bf77834a7cdf5839a3e2ac0a57a7d32a3c103d --- /dev/null +++ b/istio/charts/galley/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: {{ template "galley.name" . }} + release: {{ .Release.Name }} + istio: galley +{{- end }} diff --git a/istio/charts/galley/templates/service.yaml b/istio/charts/galley/templates/service.yaml index 4519e80c5698204b386314eee6603229dcebe5e5..cd21fd19254418926f76b16c8462a1a3095d14b9 100644 --- a/istio/charts/galley/templates/service.yaml 
+++ b/istio/charts/galley/templates/service.yaml @@ -4,12 +4,18 @@ metadata: name: istio-galley namespace: {{ .Release.Namespace }} labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: galley spec: ports: - port: 443 name: https-validation - - port: 9093 + - port: {{ .Values.global.monitoringPort }} name: http-monitoring + - port: 9901 + name: grpc-mcp selector: istio: galley diff --git a/istio/charts/galley/templates/serviceaccount.yaml b/istio/charts/galley/templates/serviceaccount.yaml index f13858da0c5e364e0baca92db532f3978e616dfb..1ff54c49e7efcd20dacd2021ff14f8f5c1fa9a45 100644 --- a/istio/charts/galley/templates/serviceaccount.yaml +++ b/istio/charts/galley/templates/serviceaccount.yaml @@ -10,7 +10,7 @@ metadata: name: istio-galley-service-account namespace: {{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl b/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl similarity index 87% rename from istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl rename to istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl index 45f78c774bb75e12abcacfdfe656769660fb6411..7847d2433c0df97d110c9776b316f1c0e73c0e41 100644 --- a/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl +++ b/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl 
@@ -3,12 +3,12 @@ apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: istio-galley - namespace: {{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley webhooks: {{- if .Values.global.configValidation }} - name: pilot.validation.istio.io @@ -60,10 +60,11 @@ webhooks: - destinationrules - envoyfilters - gateways - # disabled per @costinm's request - # - serviceentries + - serviceentries + - sidecars - virtualservices failurePolicy: Fail + sideEffects: None - name: mixer.validation.istio.io clientConfig: service: @@ -92,9 +93,10 @@ webhooks: - opas - prometheuses - rbacs - - servicecontrols - solarwindses - stackdrivers + - cloudwatches + - dogstatsds - statsds - stdios - apikeys @@ -106,8 +108,13 @@ webhooks: - metrics - quotas - reportnothings - - servicecontrolreports - tracespans + - adapters + - handlers + - instances + - templates + - zipkins failurePolicy: Fail + sideEffects: None {{- end }} {{- end }} diff --git a/istio/charts/galley/values.yaml b/istio/charts/galley/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5911982a1c0e4ffcc0d84fdcf0f2e52bfe84833b --- /dev/null +++ b/istio/charts/galley/values.yaml 
@@ -0,0 +1,28 @@ +# +# galley configuration +# +enabled: true +replicaCount: 1 +image: galley +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/gateways/Chart.yaml b/istio/charts/gateways/Chart.yaml index 6c962e6fa191e434d7d8665451e4c8452bb5f328..1bc2806f6f99d59919f8a4f72b00f17e64136dc9 100644 --- a/istio/charts/gateways/Chart.yaml +++ b/istio/charts/gateways/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gateways -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/istio/charts/gateways/templates/_affinity.tpl b/istio/charts/gateways/templates/_affinity.tpl new file mode 100644 index 0000000000000000000000000000000000000000..6720123a3bdc76b2e1295ab69de2227dcd56042e --- /dev/null +++ b/istio/charts/gateways/templates/_affinity.tpl 
@@ -0,0 +1,93 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{- define "gatewaynodeaffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewayNodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewayNodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "gatewayNodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .root.Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val }} + {{- end }} +{{- end }} + +{{- define "gatewayNodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .root.Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "gatewaypodAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.value }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/istio/charts/gateways/templates/_helpers.tpl b/istio/charts/gateways/templates/_helpers.tpl new file mode 100644 index 0000000000000000000000000000000000000000..bfc8bc40048eaeead7767877405d426694867d0c --- /dev/null +++ b/istio/charts/gateways/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "gateway.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gateway.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gateway.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/gateways/templates/autoscale.yaml b/istio/charts/gateways/templates/autoscale.yaml index 1976d89bb8b98da97a8dedb231c143d04a215900..2455ac3450b3079c7d2a7fde832dd3f6cc711877 100644 --- a/istio/charts/gateways/templates/autoscale.yaml +++ b/istio/charts/gateways/templates/autoscale.yaml 
@@ -1,19 +1,26 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} -{{- if and $spec.enabled $spec.autoscaleMin }} +{{- if ne $key "enabled" }} +{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ $key }} - namespace: {{ $spec.namespace | default $.Release.Namespace }} + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} spec: - maxReplicas: {{ $spec.autoscaleMax }} - minReplicas: {{ $spec.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: {{ $key }} - metrics: + maxReplicas: {{ $spec.autoscaleMax }} + minReplicas: {{ $spec.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $key }} + metrics: - type: Resource resource: name: cpu diff --git a/istio/charts/gateways/templates/clusterrole.yaml b/istio/charts/gateways/templates/clusterrole.yaml index e8987d82af8735dd1aeadac1f37dbc896119a0f5..9c8862ae9e37e0ebfd4bef59a6e458f1a46d17a6 100644 --- a/istio/charts/gateways/templates/clusterrole.yaml +++ b/istio/charts/gateways/templates/clusterrole.yaml 
@@ -1,18 +1,20 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: {{ $key }}-{{ $.Release.Namespace }} labels: - app: {{ template "istio.name" $ }} - chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} - name: {{ $key }}-{{ $.Release.Namespace }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} rules: -- apiGroups: ["extensions"] - resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] verbs: ["get", "watch", "list", "update"] --- {{- end }} diff --git a/istio/charts/gateways/templates/clusterrolebindings.yaml b/istio/charts/gateways/templates/clusterrolebindings.yaml index 1665a087f87150d6b8573af5f5ac763c182dda26..bbcc55185db6178153e328521c10da5f15f1b153 100644 --- a/istio/charts/gateways/templates/clusterrolebindings.yaml +++ b/istio/charts/gateways/templates/clusterrolebindings.yaml 
@@ -1,18 +1,25 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ $key }}-{{ $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ $key }}-{{ $.Release.Namespace }} subjects: - - kind: ServiceAccount - name: {{ $key }}-service-account - namespace: {{ $.Release.Namespace }} +- kind: ServiceAccount + name: {{ $key }}-service-account + namespace: {{ $.Release.Namespace }} --- {{- end }} {{- end }} diff --git a/istio/charts/gateways/templates/deployment.yaml b/istio/charts/gateways/templates/deployment.yaml index ce38f79f78e3d580098dabea976653fe1c7d58d0..9b702ead4f28282f348a22de7174958fb906cdee 100644 --- a/istio/charts/gateways/templates/deployment.yaml +++ b/istio/charts/gateways/templates/deployment.yaml 
@@ -1,49 +1,117 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: {{ $key }} namespace: {{ $spec.namespace | default $.Release.Namespace }} labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} spec: +{{- if not $spec.autoscaleEnabled }} +{{- if $spec.replicaCount }} replicas: {{ $spec.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + selector: + matchLabels: + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} template: metadata: labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" +{{- if $spec.podAnnotations }} +{{ toYaml $spec.podAnnotations | indent 8 }} +{{ end }} spec: serviceAccountName: {{ $key }}-service-account {{- if $.Values.global.priorityClassName }} priorityClassName: "{{ $.Values.global.priorityClassName }}" +{{- end }} +{{- if $.Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" $.Values.global.proxy_init.image }} + image: "{{ $.Values.global.proxy_init.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + securityContext: + privileged: true {{- end }} containers: +{{- if 
$spec.sds }} +{{- if $spec.sds.enabled }} + - name: ingress-sds +{{- if contains "/" $spec.sds.image }} + image: "{{ $spec.sds.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $spec.sds.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + env: + - name: "ENABLE_WORKLOAD_SDS" + value: "false" + - name: "ENABLE_INGRESS_GATEWAY_SDS" + value: "true" + - name: "INGRESS_GATEWAY_NAMESPACE" + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: ingressgatewaysdsudspath + mountPath: /var/run/ingress_gateway +{{- end }} +{{- end }} - name: istio-proxy - image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: {{- range $key, $val := $spec.ports }} - containerPort: {{ $val.port }} {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy - router - - -v - - "2" - - --discoveryRefreshDelay - - '1s' #discoveryRefreshDelay + - --domain + - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} + {{- end}} + {{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} + {{- end}} - --drainDuration - '45s' #drainDuration - --parentShutdownDuration @@ -53,7 +121,9 @@ spec: - --serviceCluster - {{ $key }} - --zipkinAddress - {{- if $.Values.global.istioNamespace }} + {{- if $.Values.global.tracer.zipkin.address }} + - {{ $.Values.global.tracer.zipkin.address }} + {{- else if $.Values.global.istioNamespace }} - zipkin.{{ $.Values.global.istioNamespace }}:9411 {{- else }} - zipkin:9411 
@@ -61,28 +131,47 @@ spec: {{- if $.Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }} + {{- end }} + {{- if $.Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }} {{- end }} - --proxyAdminPort - "15000" + - --statusPort + - "15020" {{- if $.Values.global.controlPlaneSecurityEnabled }} - --controlPlaneAuthPolicy - MUTUAL_TLS - --discoveryAddress {{- if $.Values.global.istioNamespace }} - - istio-pilot.{{ $.Values.global.istioNamespace }}:15005 + - istio-pilot.{{ $.Values.global.istioNamespace }}:15011 {{- else }} - - istio-pilot:15005 + - istio-pilot:15011 {{- end }} {{- else }} - --controlPlaneAuthPolicy - NONE - --discoveryAddress {{- if $.Values.global.istioNamespace }} - - istio-pilot.{{ $.Values.global.istioNamespace }}:8080 + - istio-pilot.{{ $.Values.global.istioNamespace }}:15010 {{- else }} - - istio-pilot:8080 + - istio-pilot:15010 {{- end }} {{- end }} + {{- if $.Values.global.trustDomain }} + - --trust-domain={{ $.Values.global.trustDomain }} + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 resources: {{- if $spec.resources }} {{ toYaml $spec.resources | indent 12 }} @@ -90,6 +179,11 @@ spec: {{ toYaml $.Values.global.defaultResources | indent 12 }} {{- end }} env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: 
@@ -105,11 +199,48 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: + apiVersion: v1 fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ISTIO_META_USER_SDS + value: "true" + {{- end }} + {{- end }} + {{- if $spec.env }} + {{- range $key, $val := $spec.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- end }} volumeMounts: + {{- if $.Values.global.sds.enabled }} + - name: sdsudspath + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ingressgatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- end }} + {{- end }} - name: istio-certs mountPath: /etc/certs readOnly: true @@ -122,6 +253,27 @@ spec: {{ toYaml $spec.additionalContainers | indent 8 }} {{- end }} volumes: + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ingressgatewaysdsudspath + emptyDir: {} + {{- end }} + {{- end }} + {{- if $.Values.global.sds.enabled }} + - name: sdsudspath + hostPath: + path: /var/run/sds/uds_path + type: Socket + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ $.Values.global.trustDomain }} + {{- end }} + {{- end }} - name: istio-certs secret: secretName: istio.{{ $key }}-service-account 
@@ -139,7 +291,8 @@ spec: optional: true {{- end }} affinity: - {{- include "nodeaffinity" $ | indent 6 }} + {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }} + {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }} --- {{- end }} {{- end }} diff --git a/istio/charts/gateways/templates/poddisruptionbudget.yaml b/istio/charts/gateways/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000000000000000000000000000000000..36a2d5a9cb57a27bba0effeb893bb9858ac6301e --- /dev/null +++ b/istio/charts/gateways/templates/poddisruptionbudget.yaml @@ -0,0 +1,31 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "enabled") }} +{{- if $spec.enabled }} +{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: +{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/istio/charts/gateways/templates/preconfigured.yaml b/istio/charts/gateways/templates/preconfigured.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8d3dee930e976299983053714f99161ac48a0bd1 --- /dev/null +++ b/istio/charts/gateways/templates/preconfigured.yaml 
@@ -0,0 +1,239 @@ +{{- if .Values.global.k8sIngress.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-autogenerated-k8s-ingress + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + istio: {{ .Values.global.k8sIngress.gatewayName }} + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" +{{ if .Values.global.k8sIngress.enableHttps }} + - port: + number: 443 + protocol: HTTPS + name: https-default + tls: + mode: SIMPLE + serverCertificate: /etc/istio/ingress-certs/tls.crt + privateKey: /etc/istio/ingress-certs/tls.key + hosts: + - "*" +{{ end }} +--- +{{ end }} + +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-ilb-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + istio: ilbgateway + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 8060 + protocol: TCP + name: tcp-citadel + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +{{- else }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 8060 + protocol: TCP + name: tcp-citadel + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +{{- end }} +{{- end }} + +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-egressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-egressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - hosts: + - "*.global" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - hosts: + - "*.global" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + workloadLabels: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + filters: + - listenerMatch: + portNumber: 15443 + listenerType: GATEWAY + insertPosition: + index: AFTER + relativeTo: envoy.filters.network.sni_cluster + filterName: envoy.filters.network.tcp_cluster_rewrite + filterType: NETWORK + filterConfig: + cluster_pattern: "\\.global$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +## To ensure all traffic to *.global is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-destinationrule + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: "*.global" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +{{- end }} 
diff --git a/istio/charts/gateways/templates/role.yaml b/istio/charts/gateways/templates/role.yaml new file mode 100644 index 0000000000000000000000000000000000000000..de46604421eebdc15b34ce4cdc7e063c84f29edd --- /dev/null +++ b/istio/charts/gateways/templates/role.yaml @@ -0,0 +1,18 @@ +{{- range $key, $spec := .Values }} +{{- if ne $key "enabled" }} +{{- if $spec.enabled }} +{{- if ($spec.sds) and (eq $spec.sds.enabled true) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $key }}-sds + namespace: {{ $.Release.Namespace }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/istio/charts/gateways/templates/rolebindings.yaml b/istio/charts/gateways/templates/rolebindings.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4bb30150d7b05b9503128f2d8df9e8974897726d --- /dev/null +++ b/istio/charts/gateways/templates/rolebindings.yaml @@ -0,0 +1,21 @@ +{{- range $key, $spec := .Values }} +{{- if ne $key "enabled" }} +{{- if $spec.enabled }} +{{- if ($spec.sds) and (eq $spec.sds.enabled true) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $key }}-sds + namespace: {{ $.Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $key }}-sds +subjects: +- kind: ServiceAccount + name: {{ $key }}-service-account +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/istio/charts/gateways/templates/service.yaml b/istio/charts/gateways/templates/service.yaml index 0d594cc9efc960c4845a6bb3545b12baa1f06a06..9474f047692cbebb35f5083cb1be15aee71cdfc5 100644 --- a/istio/charts/gateways/templates/service.yaml +++ b/istio/charts/gateways/templates/service.yaml @@ -1,5 +1,5 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} apiVersion: v1 kind: Service 
@@ -8,12 +8,12 @@ metadata: namespace: {{ $spec.namespace | default $.Release.Namespace }} annotations: {{- range $key, $val := $spec.serviceAnnotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} @@ -23,12 +23,18 @@ spec: {{- end }} {{- if $spec.loadBalancerSourceRanges }} loadBalancerSourceRanges: -{{- range $spec.loadBalancerSourceRanges }} - - {{ . }} +{{ toYaml $spec.loadBalancerSourceRanges | indent 4 }} {{- end }} +{{- if $spec.externalTrafficPolicy }} + externalTrafficPolicy: {{$spec.externalTrafficPolicy }} +{{- end }} +{{- if $spec.externalIPs }} + externalIPs: +{{ toYaml $spec.externalIPs | indent 4 }} {{- end }} type: {{ .type }} selector: + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} @@ -39,6 +45,14 @@ spec: {{ $pkey}}: {{ $pval }} {{- end }} {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $spec.meshExpansionPorts }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} --- {{- end }} {{- end }} diff --git a/istio/charts/gateways/templates/serviceaccount.yaml b/istio/charts/gateways/templates/serviceaccount.yaml index 37a252cd886a6b1ccc25ecb696301ea3ff97305f..d4f6938c10c0862aa5c1f83031920e089299a44d 100644 --- a/istio/charts/gateways/templates/serviceaccount.yaml +++ b/istio/charts/gateways/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} apiVersion: v1 kind: ServiceAccount 
@@ -13,11 +13,12 @@ metadata: name: {{ $key }}-service-account namespace: {{ $spec.namespace | default $.Release.Namespace }} labels: - app: {{ $spec.labels.istio }} - chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} + app: {{ $spec.labels.app }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} --- {{- end }} {{- end }} {{- end }} + diff --git a/istio/charts/gateways/values.yaml b/istio/charts/gateways/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0ef14a31c730eb83828a2bbe4560d67116aed41a --- /dev/null +++ b/istio/charts/gateways/values.yaml 
@@ -0,0 +1,258 @@ +# +# Gateways Configuration +# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. +# You can add more gateways in addition to the defaults but make sure those are uniquely named +# and that NodePorts are not conflicting. +# Disable specifc gateway by setting the `enabled` to false. +# +enabled: true + +istio-ingressgateway: + enabled: true + # + # Secret Discovery Service (SDS) configuration for ingress gateway. + # + sds: + # If true, ingress gateway fetches credentials from SDS server to handle TLS connections. + enabled: false + # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. + # This server runs in the same pod as ingress gateway. + image: node-agent-k8s + labels: + app: istio-ingressgateway + istio: ingressgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 256Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalIPs: [] + serviceAnnotations: {} + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out + ports: + ## You can add custom gateway ports + - port: 80 + targetPort: 80 + name: http2 + nodePort: 31380 + - port: 443 + name: https + nodePort: 31390 + # Example of a port to add. 
Remove if not needed + - port: 31400 + name: tcp + nodePort: 31400 + ### PORTS FOR UI/metrics ##### + ## Disable if not needed + - port: 15029 + targetPort: 15029 + name: https-kiali + - port: 15030 + targetPort: 15030 + name: https-prometheus + - port: 15031 + targetPort: 15031 + name: https-grafana + - port: 15032 + targetPort: 15032 + name: https-tracing + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + - port: 15020 + targetPort: 15020 + name: status-port + #### MESH EXPANSION PORTS ######## + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + # Delete these ports if mesh expansion is not enabled, to avoid + # exposing unnecessary ports on the web. + # You can remove these ports if you are not using mesh expansion + meshExpansionPorts: + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 15004 + targetPort: 15004 + name: tcp-mixer-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + - port: 853 + targetPort: 853 + name: tcp-dns-tls + ####### end MESH EXPANSION PORTS ###### + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + ### Advanced options ############ + env: + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + nodeSelector: {} + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. 
+ # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote “hard” vs. “soft” requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # “security” and value “S1”. + podAntiAffinityLabelSelector: {} + podAntiAffinityTermLabelSelector: {} + +istio-egressgateway: + enabled: false + labels: + app: istio-egressgateway + istio: egressgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 256Mi + cpu: + targetAverageUtilization: 80 + serviceAnnotations: {} + podAnnotations: {} + type: ClusterIP #change to NodePort or LoadBalancer if need be + ports: + - port: 80 + name: http2 + - port: 443 + name: https + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + #### Advanced options ######## + env: + # Set this to "external" if and only if you want the egress gateway to + # act as a transparent SNI gateway that routes mTLS/TLS traffic to + # external services defined using service entries, where the service + # entry has resolution set to DNS, has one or more endpoints with + # network field set to "external". 
By default its set to "" so that + # the egress gateway sees the same set of endpoints as the sidecars + # preserving backward compatibility + # ISTIO_META_REQUESTED_NETWORK_VIEW: "" + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + nodeSelector: {} + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote “hard” vs. “soft” requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # “security” and value “S1”. + podAntiAffinityLabelSelector: {} + podAntiAffinityTermLabelSelector: {} + +# Mesh ILB gateway creates a gateway of type InternalLoadBalancer, +# for mesh expansion. It exposes the mtls ports for Pilot,CA as well +# as non-mtls ports to support upgrades and gradual transition. 
+istio-ilbgateway: + enabled: false + labels: + app: istio-ilbgateway + istio: ilbgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + cpu: + targetAverageUtilization: 80 + resources: + requests: + cpu: 800m + memory: 512Mi + #limits: + # cpu: 1800m + # memory: 256Mi + loadBalancerIP: "" + serviceAnnotations: + cloud.google.com/load-balancer-type: "internal" + podAnnotations: {} + type: LoadBalancer + ports: + ## You can add custom gateway ports - google ILB default quota is 5 ports, + - port: 15011 + name: grpc-pilot-mtls + # Insecure port - only for migration from 0.8. Will be removed in 1.1 + - port: 15010 + name: grpc-pilot + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + # Port 5353 is forwarded to kube-dns + - port: 5353 + name: tcp-dns + secretVolumes: + - name: ilbgateway-certs + secretName: istio-ilbgateway-certs + mountPath: /etc/istio/ilbgateway-certs + - name: ilbgateway-ca-certs + secretName: istio-ilbgateway-ca-certs + mountPath: /etc/istio/ilbgateway-ca-certs + nodeSelector: {} diff --git a/istio/charts/grafana/Chart.yaml b/istio/charts/grafana/Chart.yaml index d64a0739b0d314fb8f10f3f5258de33cf2f6d4f5..8ed3469965b031f4961f44fec1a156a389c9df63 100644 --- a/istio/charts/grafana/Chart.yaml +++ b/istio/charts/grafana/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: grafana -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" diff --git a/istio/charts/grafana/dashboards/galley-dashboard.json b/istio/charts/grafana/dashboards/galley-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..5487cf854bfee5fb6e48703940e24d20282b0b00 --- /dev/null +++ b/istio/charts/grafana/dashboards/galley-dashboard.json 
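Review bot: the values.yaml hunk ships an internet-facing default that exposes more than ingress traffic: `istio-ingressgateway` is `type: LoadBalancer` with `loadBalancerSourceRanges: []`, and its `ports` list puts the UI ports 15029-15032 (`https-kiali`, `https-prometheus`, `https-grafana`, `https-tracing`) and the 15020 `status-port` on the same public listener as 80/443. "Disable if not needed" is the wrong default for a public load balancer; comment those entries out by default, as the hunk already does for `externalTrafficPolicy`, so operators opt in to exposing telemetry endpoints. Smaller points in the same hunk: the `meshExpansionPorts` comment tells operators to delete the ports manually although the service template only renders them when `global.meshExpansion.enabled` is true; the `istio-ilbgateway` comment on port 15010 ("Insecure port - only for migration from 0.8. Will be removed in 1.1") is contradicted by this change bumping the charts to 1.1.0, so either drop the plaintext Pilot port or update the comment; the ILB gateway's `limits` block is commented out while the other two gateways set limits; and "specifc" in the header comment is a typo.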
@@ -0,0 +1,1819 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 46, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"galley\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Galley Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 40, + 
"panels": [], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 36, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "A" + }, + { + "expr": "process_resident_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "B" + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "C" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F" + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "G" + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "H" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Total 
(kis)", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 38, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "galley (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + 
"title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 12, + "y": 6 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Open FDs (galley)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} ", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 6 + }, + "id": 44, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "goroutines_total", + "refId": "A" + }, + { + "expr": "galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "clients_total", + "refId": "B" + }, + { + "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "avg_goroutines_per_client", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 10, + "panels": [], + "title": "Runtime", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + 
"dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 15 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Strategy Change Events", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Processed Events", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Snapshot Published", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Event Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 15 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + 
"max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Max Time Reached", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Quiesce Reached", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Timer Resets", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Timer Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 15 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 3, 
+ "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P95", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Events Per Snapshot", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ typeURL }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "State Type Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Count", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 34, + "panels": [], + "title": "Validation", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 28 + }, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + 
"format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 28 + }, + "id": 30, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + 
"value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 28 + }, + "id": 32, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 34 + }, + "id": 12, + "panels": [], + "title": "Kubernetes Source", + 
"type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Success", + "refId": "A" + }, + { + "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Source Event Rate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 16, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Successes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Conversions/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Failures", + 
"tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Failures/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 41 + }, + "id": 18, + "panels": [], + "title": "Mesh Configuration Protocol", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_mcp_source_clients_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Clients", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Connected Clients", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + 
"align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request ACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "ACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 42 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": 
false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request NACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "NACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "TSEY6jLmk", + "version": 1 +} diff --git a/istio/charts/grafana/dashboards/istio-mesh-dashboard.json b/istio/charts/grafana/dashboards/istio-mesh-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..99c911f4d2048b542c7cfadf01f68f15f39f425b --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-mesh-dashboard.json 
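Review bot: in the "Validation HTTP Errors" panel (id 32) of the Galley dashboard above, the query `sum(galley_validation_http_error{job="galley"}) by (status)` plots the raw value of a counter, so it renders a monotonically growing total per status rather than an error rate, while every other panel in this dashboard wraps its counters in `rate(...[1m]) * 60` or `irate`; unless `galley_validation_http_error` is actually a gauge, it should be `sum(rate(galley_validation_http_error{job="galley"}[1m]) * 60) by (status)` with an `Errors/min` y-axis label, so that a burst of rejected validation requests shows up as a spike an operator can correlate with a bad config push instead of as a step in a cumulative curve. One consistency point in the "Mesh Configuration Protocol" row: "Request ACKs" (id 22) uses `irate` aggregated with `sum by(collection)` and an empty `legendFormat`, whereas "Request NACKs" (id 26) uses plain `rate(galley_mcp_source_request_nacks_total[1m]) * 60` with no aggregation and no `legendFormat` at all, so the two panels that will be read side by side are computed differently and the NACK legend prints the full label set; use the same function and the same `sum by(collection)` on both.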
@@ -0,0 +1,953 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false 
+ }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + 
"text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 111, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/dashboards/istio-performance-dashboard.json b/istio/charts/grafana/dashboards/istio-performance-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..621709f24f026dba7c198ab551d038a31ee61ebb --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-performance-dashboard.json 
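Review bot: the "Global Success Rate (non-5xx responses)" singlestat (id 21) in istio-mesh-dashboard.json has `"format": "percentunit"`, whose value lies in 0..1, but `"thresholds": "95, 99, 99.5"` and a gauge range of `"minValue": 80` / `"maxValue": 100`, so the thresholds sit on a scale the value can never reach and would never fire if `colorValue` or the gauge were switched on; the "Success Rate" column of the "HTTP/GRPC Workloads" table already uses `".95", " 1.00"` with percentunit, so make the singlestat `"0.95, 0.99, 0.995"` with a 0.8..1 gauge range to match. In the same table, the "Requests" column (`Value #A`) is fed by `sum(rate(istio_requests_total{reporter="destination", response_code="200"}[1m])) by (...)`, which counts only 200 responses, not requests, so any workload answering 201/204/3xx/4xx is under-reported and the column disagrees with the success-rate column F that uses `response_code!~"5.*"`; drop the `response_code` matcher. Finally, `__inputs` declares `DS_PROMETHEUS` but every panel hardcodes `"datasource": "Prometheus"`, so the input is never applied on import; either reference `${DS_PROMETHEUS}` in the panels or remove the `__inputs` block so the file does not advertise a substitution it does not perform.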
@@ -0,0 +1,618 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 1, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": 
"sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + 
"h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + 
"name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. \n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.", + "gridPos": { + "h": 4, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 11, + "links": [], + "mode": "markdown", + "title": "Istio Performance Dashboard Readme", + "type": "text" + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "version": 4 +} 
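Review bot: In the Memory panel (id 7), the "per istio-ingressgateway" target divides a numerator that matches every `container_memory_usage_bytes` series for the pod by a denominator that excludes `container_name!="POD"`, so the two sides of the division select different series sets and the per-instance figure is inflated by the pause/pod-level series; apply the same container filter on both sides, as the "per istio-proxy" target already does with `container_name="istio-proxy"`. Two smaller points in the same hunk: the "Bytes transferred / sec" panel (id 5) counts request plus response bytes for istio-telemetry, istio-proxy and istio-policy but only `istio_response_bytes_sum` for istio-ingressgateway, so the gateway series is not comparable with the others; and the readme text panel (id 11) shares `"x": 0, "y": 18, "w": 24` with the "Istio Components by Version" graph (id 8), leaving Grafana to reflow one of them, so give the readme an explicit non-overlapping `y`. The readme body also reads "in terms resources utilization" (missing "of") and names a "vCPU/1k rps" panel, which is worth double-checking against the panel titles actually present in the file.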
diff --git a/istio/charts/grafana/dashboards/istio-service-dashboard.json b/istio/charts/grafana/dashboards/istio-service-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..dad423c79b39f01a2ada787f96be577d3d547bf5 --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-service-dashboard.json @@ -0,0 +1,2601 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "iteration": 1536442501501, + "links": [], + "panels": [ + { + "content": "
\nSERVICE: $service\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": 
"connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Received Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": 
"time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + 
"yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Sent Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nCLIENT WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 
1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + 
"rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "
\nSERVICE WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + 
"stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": 
"time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", 
destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", 
destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + 
"aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": 
"0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + 
] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 1 +} diff --git a/istio/charts/grafana/dashboards/istio-workload-dashboard.json b/istio/charts/grafana/dashboards/istio-workload-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..4d6f7a4c3cd2d9d1c7316da8238b3a50254a544b --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-workload-dashboard.json @@ -0,0 +1,2303 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
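Review bot: the `srcns` and `dstns` template queries in this dashboard match the service inconsistently: the `istio_requests_total` half uses an exact matcher (`destination_service=\"$service\"`) while the `istio_tcp_sent_bytes_total` half of the same `or` expression uses a regex matcher (`destination_service=~\"$service\"`), and the `srcwl`/`dstwl` queries use `=~` on both halves. Pick one matcher and use it in all four queries so the HTTP and TCP sides populate the namespace and workload dropdowns from the same set of series. Minor: the legend templates for panels 92 and 93 differ only in whitespace (`{{ destination_workload_namespace}}` versus `{{destination_workload_namespace }}`), which is harmless but worth normalizing to the `{{ destination_workload_namespace }}` form used in the other panels.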
\nWORKLOAD: $workload.$namespace\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 
80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 0, + 
"y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": 
"", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nINBOUND WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And 
Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
\nOUTBOUND SERVICES\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": 
true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", 
source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + "legend": { + "alignAsTable": false, + "avg": 
false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", 
destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, 
+ "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} diff --git a/istio/charts/grafana/dashboards/mixer-dashboard.json b/istio/charts/grafana/dashboards/mixer-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..151c862dbe12e0f905c5eedb6c7ec1153b0815d2 --- /dev/null +++ b/istio/charts/grafana/dashboards/mixer-dashboard.json 
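Review bot: in the `templating` list of this dashboard, the `srcns` and `srcwl` queries select the chosen workload with an exact match (`destination_workload=\"$workload\"`) while every panel and the `dstsvc` query use a regex match (`source_workload=~\"$workload\"`); with `workload` at `multi: false` and `includeAll: false` both forms work, but if that variable is later made multi-valued or given an All option the exact match silently returns no options, so use `=~` in all four queries. A smaller point: the `includeAll: true` variables leave `allValue: null`, so Grafana expands All into an alternation of every option, which is correct with `=~` but puts a long regex into every panel query once `dstsvc` has many services; `"allValue": ".*"` keeps the queries short.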
@@ -0,0 +1,1808 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1543881232533, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 62, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 64, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Mixer Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + 
"format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": 
{ + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Mixer Overview

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 21 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_server_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 21 + }, + "id": 8, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 21 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, 
+ "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 21 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ 
grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Adapters and Config

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 37 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 37 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 37 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 37 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Individual Adapters

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 44 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 48 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + 
"w": 12, + "x": 12, + "y": 48 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Mixer Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/dashboards/pilot-dashboard.json b/istio/charts/grafana/dashboards/pilot-dashboard.json new file mode 100644 index 0000000000000000000000000000000000000000..1d39ce3d9f00ec8be0faed32e9a91fe009837217 --- /dev/null +++ b/istio/charts/grafana/dashboards/pilot-dashboard.json 
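Review bot: in the `Dispatch Duration By Handler` panel (id 18) the p50 target is computed with `rate(...)` while the p90 and p99 targets use `irate(...)`; three quantiles of the same histogram should share one rate function, otherwise the p50 line is smoothed over the full 1m window and the other two are not, and the three curves are not comparable. Every other panel on this dashboard uses `irate`, so either switch the p50 target to `irate` or, better, move all of them to `rate` (with `[1m]` and a 15s scrape `irate` only looks at the last two samples and is very noisy on a 5s refresh). The `refId`s A, D, E and the trailing space in `"{{ adapter }} - p90 "` look like leftovers from the same edit. Separately, the `adapter` template variable is defined as `"query": "label_values(adapter)"`, which asks Prometheus for that label across every series in the server rather than Mixer's; scope it to a Mixer metric, e.g. `label_values(mixer_runtime_dispatches_total, adapter)`, so the dropdown cannot be populated by unrelated series that happen to carry an `adapter` label and so the variable query stays cheap on a large Prometheus. With `"includeAll": true`, a row that is `"repeat": "adapter"` and `"refresh": "5s"`, every per-adapter query is re-issued every five seconds; a 10s or 30s default refresh would be kinder to the Prometheus that also serves the mesh telemetry.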
@@ -0,0 +1,1595 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 58, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Pilot Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

xDS

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 21 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 21 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 
0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": 
"rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", 
\".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 53, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + 
"nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": 
"{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Pilot Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/fix_datasources.sh b/istio/charts/grafana/fix_datasources.sh new file mode 100644 index 0000000000000000000000000000000000000000..33d68691ad1f087c167e27c214231198edf1f5bb --- /dev/null +++ b/istio/charts/grafana/fix_datasources.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +UX=$(uname) + +for db in "${THIS_DIR}"/dashboards/*.json; do + if [[ ${UX} == "Darwin" ]]; then + # shellcheck disable=SC2016 + sed -i '' 's/${DS_PROMETHEUS}/Prometheus/g' "$db" + else + # shellcheck disable=SC2016 + sed -i 's/${DS_PROMETHEUS}/Prometheus/g' "$db" + fi +done diff --git a/istio/charts/grafana/templates/_helpers.tpl b/istio/charts/grafana/templates/_helpers.tpl index dae241dc816593ecf4566a9d605f4c24b3dc62bd..9d4c59205c725f167a488dbe13c770f613628edc 100644 --- a/istio/charts/grafana/templates/_helpers.tpl 
+++ b/istio/charts/grafana/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "grafana.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "grafana.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/grafana/templates/configmap-custom-resources.yaml b/istio/charts/grafana/templates/configmap-custom-resources.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b89bc07654b5d9f9ec919633b5d05b27f6b634a7 --- /dev/null +++ b/istio/charts/grafana/templates/configmap-custom-resources.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-custom-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: grafana +data: + custom-resources.yaml: |- + {{- include "grafana-default.yaml.tpl" . | indent 4}} + run.sh: |- + {{- include "install-custom-resources.sh.tpl" . | indent 4}} diff --git a/istio/charts/grafana/templates/configmap-dashboards.yaml b/istio/charts/grafana/templates/configmap-dashboards.yaml new file mode 100644 index 0000000000000000000000000000000000000000..dd1ab0d75ad646d0bbdc73774824669efc972a63 --- /dev/null 
+++ b/istio/charts/grafana/templates/configmap-dashboards.yaml @@ -0,0 +1,18 @@ +{{- $files := .Files }} +{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} +{{- $filename := trimSuffix (ext $path) (base $path) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-{{ $filename }} + namespace: {{ $.Release.Namespace }} + labels: + app: {{ template "grafana.name" $ }} + chart: {{ template "grafana.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + istio: grafana +data: + {{ base $path }}: '{{ $files.Get $path }}' +--- +{{- end }} diff --git a/istio/charts/grafana/templates/configmap.yaml b/istio/charts/grafana/templates/configmap.yaml index 17730f2ed8a6d80d99c697f63732303a4d8b0f41..c86efe1f4cbb0f5f324203a2fad8baedd1c398a8 100644 --- a/istio/charts/grafana/templates/configmap.yaml +++ b/istio/charts/grafana/templates/configmap.yaml @@ -1,16 +1,25 @@ apiVersion: v1 kind: ConfigMap metadata: - name: istio-grafana-custom-resources + name: istio-grafana namespace: {{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: grafana data: - custom-resources.yaml: |- - {{- include "grafana-default.yaml.tpl" . | indent 4}} - run.sh: |- - {{- include "install-custom-resources.sh.tpl" . | indent 4}} +{{- if .Values.datasources }} + {{- range $key, $value := .Values.datasources }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} 
diff --git a/istio/charts/grafana/templates/create-custom-resources-job.yaml b/istio/charts/grafana/templates/create-custom-resources-job.yaml index 6d8b93de56899badbf5be7211d434e5bc900951b..2fe2c96118adecc0fade1f2d6713ef2473647ec9 100644 --- a/istio/charts/grafana/templates/create-custom-resources-job.yaml +++ b/istio/charts/grafana/templates/create-custom-resources-job.yaml @@ -1,21 +1,33 @@ apiVersion: v1 kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} metadata: name: istio-grafana-post-install-account namespace: {{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-grafana-post-install-{{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -23,13 +35,13 @@ rules: resources: ["*"] verbs: ["*"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: 
@@ -44,28 +56,30 @@ subjects: apiVersion: batch/v1 kind: Job metadata: - name: istio-grafana-post-install + name: istio-grafana-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }} namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": post-install "helm.sh/hook-delete-policy": hook-succeeded labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: template: metadata: name: istio-grafana-post-install labels: app: istio-grafana + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: serviceAccountName: istio-grafana-post-install-account containers: - - name: hyperkube - image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" + - name: kubectl + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] volumeMounts: - mountPath: "/tmp/grafana" @@ -75,3 +89,6 @@ spec: configMap: name: istio-grafana-custom-resources restartPolicy: OnFailure + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/grafana/templates/deployment.yaml b/istio/charts/grafana/templates/deployment.yaml index cd6541a5341276d3ae2c5fa5e46763c92d9eac2c..93484947b40eabc5250c8d79fbfd194c17ab223c 100644 --- a/istio/charts/grafana/templates/deployment.yaml +++ b/istio/charts/grafana/templates/deployment.yaml 
@@ -1,54 +1,64 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: grafana namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: grafana template: metadata: labels: app: grafana + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: + securityContext: + runAsUser: 472 + fsGroup: 472 {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} +{{- end }} {{- end }} containers: - name: {{ .Chart.Name }} -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" -{{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - - containerPort: {{ .Values.service.internalPort }} + - containerPort: 3000 readinessProbe: httpGet: path: /login - port: {{ .Values.service.internalPort }} + port: 3000 env: - name: GRAFANA_PORT - value: {{ .Values.service.internalPort | quote }} + value: "3000" {{- if .Values.security.enabled }} - name: GF_SECURITY_ADMIN_USER valueFrom: secretKeyRef: - name: grafana - key: username + name: {{ .Values.security.secretName }} + key: {{ .Values.security.usernameKey }} - name: GF_SECURITY_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: grafana - key: password + name: {{ .Values.security.secretName }} + key: {{ .Values.security.passphraseKey }} - name: GF_AUTH_BASIC_ENABLED value: "true" - name: GF_AUTH_ANONYMOUS_ENABLED @@ -74,9 +84,26 @@ spec: volumeMounts: - name: data mountPath: /data/grafana + {{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} + {{- $filename := trimSuffix (ext $path) (base $path) }} + - name: dashboards-istio-{{ $filename }} + mountPath: "/var/lib/grafana/dashboards/istio/{{ base $path }}" + subPath: {{ base $path }} + readOnly: true + {{- end }} + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} volumes: + - name: config + configMap: + name: istio-grafana - name: data {{- if .Values.persist }} persistentVolumeClaim: 
@@ -84,3 +111,9 @@ spec: {{- else }} emptyDir: {} {{- end }} +{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} +{{- $filename := trimSuffix (ext $path) (base $path) }} + - name: dashboards-istio-{{ $filename }} + configMap: + name: istio-grafana-configuration-dashboards-{{ $filename }} +{{- end }} diff --git a/istio/charts/grafana/templates/grafana-ports-mtls.yaml b/istio/charts/grafana/templates/grafana-ports-mtls.yaml index 8f2258d4bd1b509a172b17e617fc9bf0c3e2168c..b9a392651895bd9bac4f837ca7fd640d152550fb 100644 --- a/istio/charts/grafana/templates/grafana-ports-mtls.yaml +++ b/istio/charts/grafana/templates/grafana-ports-mtls.yaml @@ -4,6 +4,11 @@ kind: Policy metadata: name: grafana-ports-mtls-disabled namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: targets: - name: grafana diff --git a/istio/charts/grafana/templates/ingress.yaml b/istio/charts/grafana/templates/ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0ebe71f61d457d05e815adbacc1bd702af78eb1b --- /dev/null +++ b/istio/charts/grafana/templates/ingress.yaml 
@@ -0,0 +1,40 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: grafana + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + rules: +{{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host }} + http: + paths: + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }} + backend: + serviceName: grafana + servicePort: 3000 + {{- end -}} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }} + backend: + serviceName: grafana + servicePort: 3000 +{{- end }} + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/istio/charts/grafana/templates/pvc.yaml b/istio/charts/grafana/templates/pvc.yaml index d95b94bef5d61c86395144140fcf0cb63d9b5924..e376a13a521100a9241bc06ad61b0aac3c2805cf 100644 --- a/istio/charts/grafana/templates/pvc.yaml +++ b/istio/charts/grafana/templates/pvc.yaml @@ -3,15 +3,16 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: istio-grafana-pvc + namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: storageClassName: {{ .Values.storageClassName }} accessModes: - - ReadWriteOnce + - {{ .Values.accessMode }} resources: requests: storage: 5Gi 
diff --git a/istio/charts/grafana/templates/secret.yaml b/istio/charts/grafana/templates/secret.yaml deleted file mode 100644 index ec0e2ad255d49c989fdc3d14a5c2106daf0cd6d2..0000000000000000000000000000000000000000 --- a/istio/charts/grafana/templates/secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ - -{{- if .Values.security.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: grafana - namespace: {{ .Release.Namespace }} - labels: - app: grafana -type: Opaque -data: - username: {{ .Values.security.adminUser | b64enc | quote }} - password: {{ .Values.security.adminPassword | b64enc | quote }} -{{- end -}} diff --git a/istio/charts/grafana/templates/service.yaml b/istio/charts/grafana/templates/service.yaml index 555a3f1eaa12e78e2cec0e8dce3f77f40b747e83..1dfd82c336957e95b3d8366d766b502d81ed95ef 100644 --- a/istio/charts/grafana/templates/service.yaml +++ b/istio/charts/grafana/templates/service.yaml @@ -5,19 +5,28 @@ metadata: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + targetPort: 3000 protocol: TCP name: {{ .Values.service.name }} selector: app: grafana +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} + {{if .Values.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{range $rangeList := .Values.service.loadBalancerSourceRanges}} + - {{ $rangeList }} + {{end}} + {{end}} \ No newline at end of file 
diff --git a/istio/charts/grafana/templates/tests/test-grafana-connection.yaml b/istio/charts/grafana/templates/tests/test-grafana-connection.yaml new file mode 100644 index 0000000000000000000000000000000000000000..036391bc36f96abf18b46f0303db80de747d110f --- /dev/null +++ b/istio/charts/grafana/templates/tests/test-grafana-connection.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "grafana.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: grafana-test + chart: {{ template "grafana.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: grafana + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "grafana.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['curl'] + args: ['http://grafana:{{ .Values.grafana.service.externalPort }}'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/grafana/values.yaml b/istio/charts/grafana/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d5ab7bf8d024957eb8b226a89ab834974072eda5 --- /dev/null +++ b/istio/charts/grafana/values.yaml 
@@ -0,0 +1,86 @@ +# +# addon grafana configuration +# +enabled: false +replicaCount: 1 +image: + repository: grafana/grafana + tag: 6.0.0 +ingress: + enabled: false + ## Used to create an Ingress record. + hosts: + - grafana.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: grafana-tls + # hosts: + # - grafana.local +persist: false +storageClassName: "" +accessMode: ReadWriteMany +security: + enabled: false + secretName: grafana + usernameKey: username + passphraseKey: passphrase +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. 
+podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +contextPath: /grafana +service: + annotations: {} + name: http + type: ClusterIP + externalPort: 3000 + loadBalancerIP: + loadBalancerSourceRanges: + +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + orgId: 1 + url: http://prometheus:9090 + access: proxy + isDefault: true + jsonData: + timeInterval: 5s + editable: true + +dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'istio' + orgId: 1 + folder: 'istio' + type: file + disableDeletion: false + options: + path: /var/lib/grafana/dashboards/istio diff --git a/istio/charts/ingress/templates/autoscale.yaml b/istio/charts/ingress/templates/autoscale.yaml deleted file mode 100644 index d9628408743f59a3e292f43a9ff2d0aa7d572ef9..0000000000000000000000000000000000000000 --- a/istio/charts/ingress/templates/autoscale.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.autoscaleMin }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istio-ingress - namespace: {{ .Release.Namespace }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: istio-ingress - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 -{{ end }} diff --git a/istio/charts/ingress/templates/clusterrole.yaml b/istio/charts/ingress/templates/clusterrole.yaml deleted file mode 100644 index f65c0d692af27017f7f12209602d101fb51dc515..0000000000000000000000000000000000000000 --- a/istio/charts/ingress/templates/clusterrole.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - labels: - app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: istio-ingress-{{ .Release.Namespace }} -rules: -- apiGroups: ["extensions"] - resources: ["thirdpartyresources", "ingresses"] - verbs: ["get", "watch", "list", "update"] -- apiGroups: [""] - resources: ["configmaps", "pods", "endpoints", "services"] - verbs: ["get", "watch", "list"] diff --git a/istio/charts/ingress/templates/clusterrolebinding.yaml b/istio/charts/ingress/templates/clusterrolebinding.yaml deleted file mode 100644 index d07e89324bebf59bcb837d35b6de8f20954e9f90..0000000000000000000000000000000000000000 --- a/istio/charts/ingress/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: istio-ingress-{{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-pilot-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-ingress-service-account - namespace: {{ .Release.Namespace }} diff --git a/istio/charts/ingress/templates/deployment.yaml b/istio/charts/ingress/templates/deployment.yaml deleted file mode 100644 index 83fb6631aef2920c1e8eeb36675da7a1d775480a..0000000000000000000000000000000000000000 --- a/istio/charts/ingress/templates/deployment.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: istio-ingress - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: ingress -spec: - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - istio: ingress - annotations: - sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: - serviceAccountName: istio-ingress-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "istio.name" . }} - image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 80 - - containerPort: 443 - args: - - proxy - - ingress - - -v - - "2" - - --discoveryRefreshDelay - - '1s' #discoveryRefreshDelay - - --drainDuration - - '45s' #drainDuration - - --parentShutdownDuration - - '1m0s' #parentShutdownDuration - - --connectTimeout - - '10s' #connectTimeout - - --serviceCluster - - istio-ingress - - --zipkinAddress - - zipkin:9411 - {{- if .Values.global.proxy.envoyStatsd.enabled }} - - --statsdUdpAddress - - {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} - {{- end }} - - --proxyAdminPort - - "15000" - {{- if .Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --discoveryAddress - - istio-pilot:15005 - {{- else }} - - --controlPlaneAuthPolicy - - NONE - - --discoveryAddress - - istio-pilot:8080 - {{- end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: 
metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - volumeMounts: - - name: istio-certs - mountPath: /etc/certs - readOnly: true - - name: ingress-certs - mountPath: /etc/istio/ingress-certs - readOnly: true - volumes: - - name: istio-certs - secret: - secretName: istio.istio-ingress-service-account - optional: true - - name: ingress-certs - secret: - secretName: istio-ingress-certs - optional: true - affinity: - {{- include "nodeaffinity" . | indent 6 }} diff --git a/istio/charts/ingress/templates/service.yaml b/istio/charts/ingress/templates/service.yaml deleted file mode 100644 index 41bf2720ec61abf5d15702dcab1568faa04cfa72..0000000000000000000000000000000000000000 --- a/istio/charts/ingress/templates/service.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istio-ingress - namespace: {{ .Release.Namespace }} - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: ingress - annotations: - {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} - {{- end }} -spec: -{{- if .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" -{{- end }} - type: {{ .Values.service.type }} - selector: - istio: ingress - ports: - {{- range $key, $val := .Values.service.ports }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} ---- diff --git a/istio/charts/istiocoredns/Chart.yaml b/istio/charts/istiocoredns/Chart.yaml new file mode 100644 index 0000000000000000000000000000000000000000..fa0481467f743f4bc17cd5ec7546445da7717517 --- /dev/null +++ b/istio/charts/istiocoredns/Chart.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v1 +description: Istio CoreDNS provides DNS resolution for services in multicluster setups. +name: istiocoredns +version: 1.1.0 +appVersion: 0.1 +tillerVersion: ">=2.7.2" diff --git a/istio/charts/istiocoredns/templates/_helpers.tpl b/istio/charts/istiocoredns/templates/_helpers.tpl new file mode 100644 index 0000000000000000000000000000000000000000..e7add11bb3fa8d3c52eb91cb31f7687f0d46dabc --- /dev/null +++ b/istio/charts/istiocoredns/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istiocoredns.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istiocoredns.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istiocoredns.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/istiocoredns/templates/clusterrole.yaml b/istio/charts/istiocoredns/templates/clusterrole.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4242a327ffb30267cc6d8a0d6c35d21c4c944497 --- /dev/null +++ b/istio/charts/istiocoredns/templates/clusterrole.yaml 
@@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiocoredns + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] diff --git a/istio/charts/istiocoredns/templates/clusterrolebinding.yaml b/istio/charts/istiocoredns/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000000000000000000000000000000000..bafd0ca3bcc8f9b814fc4033e08244b51a588416 --- /dev/null +++ b/istio/charts/istiocoredns/templates/clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-istiocoredns-role-binding-{{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiocoredns +subjects: +- kind: ServiceAccount + name: istiocoredns-service-account + namespace: {{ .Release.Namespace }} diff --git a/istio/charts/istiocoredns/templates/configmap.yaml b/istio/charts/istiocoredns/templates/configmap.yaml new file mode 100644 index 0000000000000000000000000000000000000000..50d166fe5ea1b46cda7bed43d9ade2c8cc3daf4e --- /dev/null +++ b/istio/charts/istiocoredns/templates/configmap.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + Corefile: | + .:53 { + errors + health + proxy global 127.0.0.1:8053 { + protocol grpc insecure + } + prometheus :9153 + proxy . /etc/resolv.conf + cache 30 + reload + } +--- 
diff --git a/istio/charts/istiocoredns/templates/deployment.yaml b/istio/charts/istiocoredns/templates/deployment.yaml new file mode 100644 index 0000000000000000000000000000000000000000..aa67ea0fdacb7985218b464533c4082971b041d3 --- /dev/null +++ b/istio/charts/istiocoredns/templates/deployment.yaml 
@@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiocoredns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: istiocoredns + template: + metadata: + name: istiocoredns + labels: + app: istiocoredns + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istiocoredns-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: coredns + image: {{ .Values.coreDNSImage }} + imagePullPolicy: IfNotPresent + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + - name: istio-coredns-plugin + command: + - /usr/local/bin/plugin + image: {{ .Values.coreDNSPluginImage }} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8053 + name: dns-grpc + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + dnsPolicy: Default + volumes: + - name: config-volume + configMap: + name: coredns + items: + - key: 
Corefile + path: Corefile + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/istiocoredns/templates/service.yaml b/istio/charts/istiocoredns/templates/service.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a6311017cc79f215660156aa9241169df769023e --- /dev/null +++ b/istio/charts/istiocoredns/templates/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: istiocoredns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + app: istiocoredns + ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP diff --git a/istio/charts/ingress/templates/serviceaccount.yaml b/istio/charts/istiocoredns/templates/serviceaccount.yaml similarity index 70% rename from istio/charts/ingress/templates/serviceaccount.yaml rename to istio/charts/istiocoredns/templates/serviceaccount.yaml index dfcfe255d7a934bde06e387656ae3895759992da..e2627cf45e977c1e339f481da2cda9038143d938 100644 --- a/istio/charts/ingress/templates/serviceaccount.yaml +++ b/istio/charts/istiocoredns/templates/serviceaccount.yaml @@ -7,10 +7,10 @@ imagePullSecrets: {{- end }} {{- end }} metadata: - name: istio-ingress-service-account + name: istiocoredns-service-account namespace: {{ .Release.Namespace }} labels: - app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/istiocoredns/values.yaml b/istio/charts/istiocoredns/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..161361ef48a3e49cfcb07b6f68f811f62303e05d --- /dev/null 
+++ b/istio/charts/istiocoredns/values.yaml @@ -0,0 +1,32 @@ +# +# addon istiocoredns tracing configuration +# +enabled: false +replicaCount: 1 +coreDNSImage: coredns/coredns:1.1.2 +# Source code for the plugin can be found at +# https://github.com/istio-ecosystem/istio-coredns-plugin +# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053 +coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1 +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/kiali/Chart.yaml b/istio/charts/kiali/Chart.yaml index bb7ed268cfb3d8d9bfd271a023b20443a52d239d..ff936e000992e6b87bb9c6054780e410f26d2d14 100644 --- a/istio/charts/kiali/Chart.yaml +++ b/istio/charts/kiali/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 -description: Kiali is an open source project for service mesh observability, refer to https://github.com/kiali/kiali for detail. +description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details. name: kiali -version: 1.0.1 -appVersion: 0.6.0 +version: 1.1.0 +appVersion: 0.16 tillerVersion: ">=2.7.2" diff --git a/istio/charts/kiali/templates/_helpers.tpl b/istio/charts/kiali/templates/_helpers.tpl new file mode 100644 index 0000000000000000000000000000000000000000..6b0095769792a779361da5a9d550c9dfa8071454 --- /dev/null +++ b/istio/charts/kiali/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kiali.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kiali.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/kiali/templates/clusterrole.yaml b/istio/charts/kiali/templates/clusterrole.yaml index 05259fad2c0381b658a15f141f823140776d56eb..cd43b7bb3518b2917780cd642e3267a0e032b75a 100644 --- a/istio/charts/kiali/templates/clusterrole.yaml 
+++ b/istio/charts/kiali/templates/clusterrole.yaml 
@@ -3,64 +3,237 @@ kind: ClusterRole metadata: name: kiali labels: - app: kiali - version: master + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} rules: -- apiGroups: ["","apps", "autoscaling"] +- apiGroups: [""] resources: - configmaps + - endpoints - namespaces - nodes - pods - - projects - services - - endpoints + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: - horizontalpodautoscalers verbs: - get - list - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch - apiGroups: ["config.istio.io"] resources: - - rules + - apikeys + - authorizations + - checknothings - circonuses - deniers - fluentds + - handlers - kubernetesenvs + - kuberneteses - listcheckers + - listentries + - logentries - memquotas + - metrics - opas - prometheuses + - quotas + - quotaspecbindings + - quotaspecs - rbacs - - servicecontrols + - reportnothings + - rules - solarwindses - stackdrivers - statsds - stdios + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: kiali-viewer + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: - apikeys - authorizations - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs - kuberneteses + - listcheckers - listentries - logentries + - memquotas - metrics + - opas + - prometheuses - quotas + - quotaspecbindings + - quotaspecs + - rbacs - reportnothings + - rules - servicecontrolreports - - quotaspecs - - quotaspecbindings + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios verbs: - get - list - watch - apiGroups: ["networking.istio.io"] resources: - - virtualservices - destinationrules - - serviceentries - gateways + - serviceentries + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies verbs: - get - list - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - get + - list + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get diff --git a/istio/charts/kiali/templates/clusterrolebinding.yaml b/istio/charts/kiali/templates/clusterrolebinding.yaml index 82cfd7f218f92a3624afe4ae625de2457a95933f..2fa14d6c1c8210815a61b57ac08fce1c35c27772 100644 
--- a/istio/charts/kiali/templates/clusterrolebinding.yaml +++ b/istio/charts/kiali/templates/clusterrolebinding.yaml @@ -3,8 +3,8 @@ kind: ClusterRoleBinding metadata: name: istio-kiali-admin-role-binding-{{ .Release.Namespace }} labels: - app: kiali - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/kiali/templates/configmap.yaml b/istio/charts/kiali/templates/configmap.yaml index 529d204cabbd31cd0d4e13c59cfe45962d6a186e..ec83a9ed883751666d67ea599f2a79a99450fa85 100644 --- a/istio/charts/kiali/templates/configmap.yaml +++ b/istio/charts/kiali/templates/configmap.yaml @@ -4,9 +4,19 @@ metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} data: config.yaml: | + istio_namespace: {{ .Release.Namespace }} server: port: 20001 - static_content_root_directory: /opt/kiali/console + external_services: + istio: + url_service_version: http://istio-pilot:8080/version + jaeger: + url: {{ .Values.dashboard.jaegerURL }} + grafana: + url: {{ .Values.dashboard.grafanaURL }} diff --git a/istio/charts/kiali/templates/demosecret.yaml b/istio/charts/kiali/templates/demosecret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ad44298c3f4683944df9a3a25a130d843f95f612 --- /dev/null +++ b/istio/charts/kiali/templates/demosecret.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.createDemoSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.dashboard.secretName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +data: + username: YWRtaW4= # admin + passphrase: YWRtaW4= # admin +{{- end }} diff --git a/istio/charts/kiali/templates/deployment.yaml b/istio/charts/kiali/templates/deployment.yaml index 35d11c5b2c03cad57269e16549dbc9fc41e5c9e4..f0f9e5b61517eccc853d1827e82a910db28575fb 100644 --- a/istio/charts/kiali/templates/deployment.yaml +++ b/istio/charts/kiali/templates/deployment.yaml @@ -1,13 +1,13 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} selector: @@ -18,9 +18,14 @@ spec: name: kiali labels: app: kiali + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/scrape: "true" + prometheus.io/port: "9090" spec: serviceAccountName: kiali-service-account {{- if .Values.global.priorityClassName }} 
@@ -40,35 +45,17 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - - name: SERVER_CREDENTIALS_USERNAME - valueFrom: - secretKeyRef: - name: kiali - key: username - - name: SERVER_CREDENTIALS_PASSWORD - valueFrom: - secretKeyRef: - name: kiali - key: passphrase - name: PROMETHEUS_SERVICE_URL - value: http://prometheus:9090 -{{- if .Values.dashboard.grafanaURL }} - - name: GRAFANA_URL - value: {{ .Values.dashboard.grafanaURL }} -{{- end }} - - name: GRAFANA_DASHBOARD - value: istio-service-dashboard - - name: GRAFANA_VAR_SERVICE_SOURCE - value: var-service - - name: GRAFANA_VAR_SERVICE_DEST - value: var-service -{{- if .Values.dashboard.jaegerURL }} - - name: JAEGER_URL - value: {{ .Values.dashboard.jaegerURL }} + value: {{ .Values.prometheusAddr }} +{{- if .Values.contextPath }} + - name: SERVER_WEB_ROOT + value: {{ .Values.contextPath }} {{- end }} volumeMounts: - name: kiali-configuration mountPath: "/kiali-configuration" + - name: kiali-secret + mountPath: "/kiali-secret" resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 10 }} @@ -79,3 +66,10 @@ spec: - name: kiali-configuration configMap: name: kiali + - name: kiali-secret + secret: + secretName: {{ .Values.dashboard.secretName }} + optional: true + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/kiali/templates/ingress.yaml b/istio/charts/kiali/templates/ingress.yaml index 834f88584404e09d7c7552f1152d0b2fb30d2ae9..2e2a0de3af5b1d2c31798f9d40f0bb2df6412dd8 100644 --- a/istio/charts/kiali/templates/ingress.yaml +++ b/istio/charts/kiali/templates/ingress.yaml 
@@ -5,22 +5,34 @@ metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: rules: +{{- if .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }} - host: {{ $host }} http: paths: - - path: / + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }} backend: serviceName: kiali servicePort: 20001 {{- end -}} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }} + backend: + serviceName: kiali + servicePort: 20001 +{{- end }} {{- if .Values.ingress.tls }} tls: {{ toYaml .Values.ingress.tls | indent 4 }} diff --git a/istio/charts/kiali/templates/secrets.yaml b/istio/charts/kiali/templates/secrets.yaml deleted file mode 100644 index 6cbfe398e317b33cca34e39f5f4896267b8748da..0000000000000000000000000000000000000000 --- a/istio/charts/kiali/templates/secrets.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: kiali - namespace: {{ .Release.Namespace }} - labels: - app: kiali - -type: Opaque -data: - username: {{ .Values.dashboard.username | b64enc | quote }} - passphrase: {{ .Values.dashboard.passphrase | b64enc | quote }} diff --git a/istio/charts/kiali/templates/service.yaml b/istio/charts/kiali/templates/service.yaml index ef396afd1f6ba0c1c63f20e2eda74c6b8a265e22..1aa79bfdbbf9402cb347c6fd658e9dec95ec7d48 100644 --- a/istio/charts/kiali/templates/service.yaml +++ b/istio/charts/kiali/templates/service.yaml 
@@ -4,12 +4,14 @@ metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - - name: tcp + - name: http-kiali protocol: TCP port: 20001 - name: http-kiali selector: app: kiali diff --git a/istio/charts/kiali/templates/serviceaccount.yaml b/istio/charts/kiali/templates/serviceaccount.yaml index 7adc385fc15b616d330903510173d8559727aaaf..2ae38a1ab00bf4b1005d96aef2ee5d002153ad27 100644 --- a/istio/charts/kiali/templates/serviceaccount.yaml +++ b/istio/charts/kiali/templates/serviceaccount.yaml @@ -10,7 +10,7 @@ metadata: name: kiali-service-account namespace: {{ .Release.Namespace }} labels: - app: kiali - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/kiali/templates/tests/test-kiali-connection.yaml b/istio/charts/kiali/templates/tests/test-kiali-connection.yaml new file mode 100644 index 0000000000000000000000000000000000000000..3e458d76eae32b32f83eaa57a44a933959b723f1 --- /dev/null +++ b/istio/charts/kiali/templates/tests/test-kiali-connection.yaml 
@@ -0,0 +1,30 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kiali.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: kiali-test + chart: {{ template "kiali.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: kiali + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "kiali.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['curl'] + args: ['http://kiali:20001'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/kiali/values.yaml b/istio/charts/kiali/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..793cbc241b634336900bf57c12bf0091b04611c0 --- /dev/null +++ b/istio/charts/kiali/values.yaml 
@@ -0,0 +1,55 @@ +# +# addon kiali +# +enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`. +replicaCount: 1 +hub: docker.io/kiali +tag: v0.16 +contextPath: /kiali # The root context path to access the Kiali UI. +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +ingress: + enabled: false + ## Used to create an Ingress record. + hosts: + - kiali.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: kiali-tls + # hosts: + # - kiali.local + +dashboard: + secretName: kiali # You must create a secret with this name - one is not provided out-of-box. + usernameKey: username # This is the key name within the secret whose value is the actual username. + passphraseKey: passphrase # This is the key name within the secret whose value is the actual passphrase. + grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. 
Kiali will redirect users to this URL when Grafana metrics are to be shown. + jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown. +prometheusAddr: http://prometheus:9090 + +# When true, a secret will be created with a default username and password. Useful for demos. +createDemoSecret: false diff --git a/istio/charts/mixer/Chart.yaml b/istio/charts/mixer/Chart.yaml index b28eafa40be82251b4d09b64e769b03425f45bc3..89c54c0a42a0f26f6a0081fcacd1df0ae933643e 100644 --- a/istio/charts/mixer/Chart.yaml +++ b/istio/charts/mixer/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: mixer -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for mixer deployment keywords: diff --git a/istio/charts/mixer/templates/_helpers.tpl b/istio/charts/mixer/templates/_helpers.tpl index ebd724c2f4b14ab10b490a07e33f8444f8915c1a..dac6da0366a9dd3f441194cfa48ef583f99045fe 100644 --- a/istio/charts/mixer/templates/_helpers.tpl +++ b/istio/charts/mixer/templates/_helpers.tpl 
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "mixer.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mixer.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/mixer/templates/autoscale.yaml b/istio/charts/mixer/templates/autoscale.yaml index 8a800304ef4280d11be2096f53f179ac9a3abdfe..377b47d033ece5df9004bf1de85492b7c4f0e412 100644 --- a/istio/charts/mixer/templates/autoscale.yaml +++ b/istio/charts/mixer/templates/autoscale.yaml 
@@ -1,18 +1,23 @@ {{- range $key, $spec := .Values }} -{{- if or (eq $key "istio-policy") (eq $key "istio-telemetry") }} -{{- if and $spec.autoscaleEnabled $spec.autoscaleMin }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ $key }} - namespace: {{ $.Release.Namespace }} + name: istio-{{ $key }} + namespace: {{ $.Release.Namespace }} + labels: + app: {{ template "mixer.name" $ }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} spec: maxReplicas: {{ $spec.autoscaleMax }} minReplicas: {{ $spec.autoscaleMin }} scaleTargetRef: - apiVersion: apps/v1beta1 + apiVersion: apps/v1 kind: Deployment - name: {{ $key }} + name: istio-{{ $key }} metrics: - type: Resource resource: diff --git a/istio/charts/mixer/templates/clusterrole.yaml b/istio/charts/mixer/templates/clusterrole.yaml index 65eed2ebf0fd2e194ebe22e3d172e915536d7895..3d7438f2d3ada2e4a5a15ff9584a8925bedc3af9 100644 --- a/istio/charts/mixer/templates/clusterrole.yaml +++ b/istio/charts/mixer/templates/clusterrole.yaml 
@@ -1,28 +1,24 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-mixer-{{ .Release.Namespace }} labels: app: {{ template "mixer.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "mixer.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["rbac.istio.io"] # istio RBAC watcher - resources: ["*"] - verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions"] - resources: ["replicasets"] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] verbs: ["get", "list", "watch"] -- apiGroups: ["apps"] +- apiGroups: ["extensions", "apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] +{{- end }} diff --git a/istio/charts/mixer/templates/clusterrolebinding.yaml b/istio/charts/mixer/templates/clusterrolebinding.yaml index 5304a3729b73633828f17a33999a0cb35a0da5bb..773e68b343198c2f3bfab585bb7708703bff84c0 100644 --- a/istio/charts/mixer/templates/clusterrolebinding.yaml +++ b/istio/charts/mixer/templates/clusterrolebinding.yaml 
@@ -1,10 +1,11 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-mixer-admin-role-binding-{{ .Release.Namespace }} labels: app: {{ template "mixer.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "mixer.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: @@ -15,3 +16,4 @@ subjects: - kind: ServiceAccount name: istio-mixer-service-account namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/istio/charts/mixer/templates/config.yaml b/istio/charts/mixer/templates/config.yaml index e8826d1817e7db02f8b4e8d58a934c3e2945a0ac..31b1139e0243de5bdd8bd0d69ac4b05dd333f098 100644 --- a/istio/charts/mixer/templates/config.yaml +++ b/istio/charts/mixer/templates/config.yaml @@ -1,8 +1,14 @@ +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: istioproxy namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: attributes: origin.ip: @@ -21,6 +27,10 @@ spec: valueType: STRING request.path: valueType: STRING + request.url_path: + valueType: STRING + request.query_params: + valueType: STRING_MAP request.reason: valueType: STRING request.referer: @@ -28,7 +38,7 @@ spec: request.scheme: valueType: STRING request.total_size: - valueType: INT64 + valueType: INT64 request.size: valueType: INT64 request.time: @@ -42,11 +52,15 @@ spec: response.headers: valueType: STRING_MAP response.total_size: - valueType: INT64 + valueType: INT64 response.size: valueType: INT64 response.time: valueType: TIMESTAMP + response.grpc_status: + valueType: STRING + response.grpc_message: + valueType: STRING source.uid: valueType: STRING source.user: # DEPRECATED 
@@ -79,6 +93,8 @@ spec: valueType: STRING context.protocol: valueType: STRING + context.proxy_error_code: + valueType: STRING context.timestamp: valueType: TIMESTAMP context.time: @@ -110,6 +126,18 @@ spec: valueType: STRING request.api_key: valueType: STRING + rbac.permissive.response_code: + valueType: STRING + rbac.permissive.effective_policy_id: + valueType: STRING + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + check.cache_hit: + valueType: BOOL + quota.cache_hit: + valueType: BOOL --- apiVersion: "config.istio.io/v1alpha2" @@ -117,6 +145,11 @@ kind: attributemanifest metadata: name: kubernetes namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: attributes: source.ip: @@ -131,8 +164,6 @@ spec: valueType: STRING source.owner: valueType: STRING - source.service: # DEPRECATED - valueType: STRING source.serviceAccount: valueType: STRING source.services: @@ -157,8 +188,6 @@ spec: valueType: STRING destination.namespace: valueType: STRING - destination.service: # DEPRECATED - valueType: STRING destination.service.uid: valueType: STRING destination.service.name: 
@@ -176,463 +205,720 @@ spec: destination.workload.namespace: valueType: STRING --- +{{- if and .Values.adapters.stdio.enabled .Values.telemetry.enabled }} apiVersion: "config.istio.io/v1alpha2" -kind: stdio +kind: handler metadata: - name: handler + name: stdio namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - outputAsJson: true + compiledAdapter: stdio + params: + outputAsJson: {{ .Values.adapters.stdio.outputAsJson }} --- apiVersion: "config.istio.io/v1alpha2" -kind: logentry +kind: instance metadata: name: accesslog namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - severity: '"Info"' - timestamp: request.time - variables: - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - apiClaims: request.auth.raw_claims | "" - apiKey: request.api_key | request.headers["x-api-key"] | "" - protocol: request.scheme | context.protocol | "http" - method: request.method | "" - url: request.path | "" - responseCode: response.code | 0 - responseSize: response.size | 0 - requestSize: request.size | 0 - requestId: request.headers["x-request-id"] | "" - clientTraceId: 
request.headers["x-client-trace-id"] | "" - latency: response.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - requestedServerName: connection.requested_server_name | "" - userAgent: request.useragent | "" - responseTimestamp: response.time - receivedBytes: request.total_size | 0 - sentBytes: response.total_size | 0 - referer: request.referer | "" - httpAuthority: request.headers[":authority"] | request.host | "" - xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - monitored_resource_type: '"global"' + compiledTemplate: logentry + params: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseFlags: context.proxy_error_code | "" + responseSize: response.size | 0 + permissiveResponseCode: rbac.permissive.response_code | "none" + permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" + requestSize: 
request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + grpcStatus: response.grpc_status | "" + grpcMessage: response.grpc_message | "" + monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" -kind: logentry +kind: instance metadata: name: tcpaccesslog namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - severity: '"Info"' - timestamp: context.time | timestamp("2017-01-01T00:00:00Z") - variables: - connectionEvent: connection.event | "" - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - protocol: context.protocol | "tcp" - connectionDuration: connection.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - requestedServerName: connection.requested_server_name | "" - receivedBytes: connection.received.bytes | 0 - sentBytes: connection.sent.bytes | 0 - totalReceivedBytes: connection.received.bytes_total | 0 - totalSentBytes: connection.sent.bytes_total | 0 - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - monitored_resource_type: '"global"' + compiledTemplate: logentry + params: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: 
destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + responseFlags: context.proxy_error_code | "" + monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdio namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "http" || context.protocol == "grpc" actions: - - handler: handler.stdio + - handler: stdio instances: - - accesslog.logentry + - accesslog --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdiotcp namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "tcp" actions: - - handler: handler.stdio + - handler: stdio instances: - - tcpaccesslog.logentry + - tcpaccesslog +{{- end }} --- +{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }} apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: requestcount namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + 
source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: requestduration namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: response.duration | "0ms" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: requestsize namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: request.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: responsesize namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: response.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: tcpbytesent namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: connection.sent.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + 
destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: tcpbytereceived namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: connection.received.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: connection.received.bytes | 0 + dimensions: + 
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: prometheus +kind: instance metadata: - name: handler + name: tcpconnectionsopened namespace: {{ .Release.Namespace }} spec: - metrics: - - name: requests_total - instance_name: requestcount.metric.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - - name: request_duration_seconds - instance_name: requestduration.metric.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - 
reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_bytes - instance_name: requestsize.metric.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: response_bytes - instance_name: responsesize.metric.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_sent_bytes_total - instance_name: tcpbytesent.metric.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - 
destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - name: tcp_received_bytes_total - instance_name: tcpbytereceived.metric.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance 
+metadata: + name: tcpconnectionsclosed + namespace: {{ .Release.Namespace }} +spec: + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: prometheus + params: + metricsExpirationPolicy: + metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}" + metrics: + - name: requests_total + instance_name: requestcount.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - 
destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: 
tcp_connections_opened_total + instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_closed_total + instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promhttp namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - match: context.protocol == "http" || context.protocol == "grpc" + match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) actions: - - handler: handler.prometheus + - handler: prometheus instances: - - requestcount.metric - - requestduration.metric - - requestsize.metric - - responsesize.metric + - requestcount + - requestduration + - requestsize + - responsesize --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcp namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . 
}} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "tcp" actions: - - handler: handler.prometheus + - handler: prometheus instances: - - tcpbytesent.metric - - tcpbytereceived.metric + - tcpbytesent + - tcpbytereceived +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionopen + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "open") + actions: + - handler: prometheus + instances: + - tcpconnectionsopened --- - apiVersion: "config.istio.io/v1alpha2" -kind: kubernetesenv +kind: rule metadata: - name: handler + name: promtcpconnectionclosed namespace: {{ .Release.Namespace }} spec: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + match: context.protocol == "tcp" && ((connection.event | "na") == "close") + actions: + - handler: prometheus + instances: + - tcpconnectionsclosed +{{- end }} +--- +{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }} +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: kubernetesenv + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: kubernetesenv + params: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" --- apiVersion: "config.istio.io/v1alpha2" 
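Review bot: the new exclusion in the promhttp rule's `match` (`match((request.useragent | "-"), "kube-probe*") == false` and its `Prometheus*` twin) keys on a header the caller sets, so it is a noise filter, not a boundary: any client that sends a `kube-probe` or `Prometheus` prefixed User-Agent drops out of `requests_total` and `request_duration_seconds`, and anyone alerting on 4xx/5xx rates from these metrics should know that. Please state it in the values comments or README. Minor: the new `tcpconnectionsclosed` instance and the `promtcpconnectionopen`/`promtcpconnectionclosed` rules omit the `app`/`chart`/`heritage`/`release` labels that every other resource in this hunk gained, which will make them the odd ones out for label-based selection and cleanup.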
@@ -640,36 +926,53 @@ kind: rule metadata: name: kubeattrgenrulerule namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: actions: - - handler: handler.kubernetesenv + - handler: kubernetesenv instances: - - attributes.kubernetes + - attributes --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: tcpkubeattrgenrulerule namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "tcp" actions: - - handler: handler.kubernetesenv + - handler: kubernetesenv instances: - - attributes.kubernetes + - attributes --- apiVersion: "config.istio.io/v1alpha2" -kind: kubernetes +kind: instance metadata: name: attributes namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - destination_port: destination.port | 0 - attribute_bindings: + compiledTemplate: kubernetes + params: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attributeBindings: # Fill the new attributes from the adapter produced output. # $out refers to an instance of OutputTemplate message source.ip: $out.source_pod_ip | ip("0.0.0.0") 
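Review bot: in the `attributes` instance, `attribute_bindings` was renamed to `attributeBindings` while the sibling keys in the same `params` block stay snake_case (`source_uid`, `source_ip`, `destination_uid`, `destination_port`). If the template params are decoded with jsonpb both spellings parse, but mixing styles in one block is how a mistyped key goes unnoticed; pick one style for the whole block and, ideally, add a `helm template` render of this resource to the chart tests.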
@@ -693,8 +996,9 @@ spec: destination.workload.uid: $out.destination_workload_uid | "unknown" destination.workload.name: $out.destination_workload_name | "unknown" destination.workload.namespace: $out.destination_workload_namespace | "unknown" - +{{- end }} --- +{{- if .Values.policy.enabled }} # Configuration needed by Mixer. # Mixer cluster is delivered via CDS # Specify mixer cluster settings @@ -703,8 +1007,17 @@ kind: DestinationRule metadata: name: istio-policy namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - host: istio-policy.{{ .Release.Namespace }}.svc.cluster.local + host: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: @@ -717,14 +1030,25 @@ spec: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 +{{- end }} --- +{{- if .Values.telemetry.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-telemetry namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - host: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local + host: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: @@ -737,4 +1061,6 @@ spec: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 +{{- end }} --- +{{- end }} 
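Review bot: in the istio-policy and istio-telemetry DestinationRule hunks, `{{- if .Values.global.defaultConfigVisibilitySettings }}` tests the setting only for truthiness and then hardcodes `exportTo: - '*'`, so any namespace list an operator puts in that value is silently widened to every namespace. Either render the configured list or rename/document the setting as a plain boolean. Also, the trailing `{{- end }}` added after the telemetry block closes a conditional that opens outside this diff; please confirm with `helm template` that the file renders for all four combinations of `policy.enabled` and `telemetry.enabled`.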
diff --git a/istio/charts/mixer/templates/configmap.yaml b/istio/charts/mixer/templates/configmap.yaml deleted file mode 100644 index ba13dcd01dd94084aef3904717530a07b63ca45a..0000000000000000000000000000000000000000 --- a/istio/charts/mixer/templates/configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-statsd-prom-bridge - namespace: {{ .Release.Namespace }} - labels: - app: istio-statsd-prom-bridge - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: mixer -data: - mapping.conf: |- diff --git a/istio/charts/mixer/templates/deployment.yaml b/istio/charts/mixer/templates/deployment.yaml index eb055f31419c86a14cb6060c6b2798290b543019..cb48b03dfaf643a5224757942cb4e9e72be68efd 100644 --- a/istio/charts/mixer/templates/deployment.yaml +++ b/istio/charts/mixer/templates/deployment.yaml @@ -9,10 +9,30 @@ secret: secretName: istio.istio-mixer-service-account optional: true + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds/uds_path + type: Socket + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} - name: uds-socket emptyDir: {} + - name: policy-adapter-secret + secret: + secretName: policy-adapter-secret + optional: true affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} containers: - name: mixer {{- if contains "/" .Values.image }} 
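Review bot: in the deployment.yaml volumes hunk, the projected token's `audience: {{ $.Values.global.trustDomain }}` is rendered with no guard, whereas the `--trust-domain` flag later in this file is wrapped in `{{- if $.Values.global.trustDomain }}`; with `sds.useTrustworthyJwt` on and `trustDomain` unset the audience renders empty, producing a token whose audience is not what the SDS server expects (or an invalid manifest). Add the same guard, or quote and validate the value. Two smaller points: the `hostPath` volume of `type: Socket` at `/var/run/sds/uds_path` needs a PodSecurityPolicy that permits hostPath, so the chart's RBAC/PSP docs should say so, and `expirationSeconds: 43200` is a long-lived credential given that the kubelet refreshes projected tokens automatically; a shorter lifetime costs nothing here.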
@@ -22,37 +42,82 @@ {{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - - containerPort: 9093 + - containerPort: {{ .Values.global.monitoringPort }} - containerPort: 42422 args: + - --monitoringPort={{ .Values.global.monitoringPort }} - --address - unix:///sock/mixer.socket +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} +{{- if $.Values.global.useMCP }} + {{- if $.Values.global.controlPlaneSecurityEnabled}} + - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- else }} + - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- end }} +{{- else }} - --configStoreURL=k8s:// +{{- end }} - --configDefaultNamespace={{ $.Release.Namespace }} - - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + {{- if $.Values.adapters.useAdapterCRDs }} + - --useAdapterCRDs=true + {{- else }} + - --useAdapterCRDs=false + {{- end }} + - --useTemplateCRDs=false + {{- if $.Values.global.tracer.zipkin.address }} + - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans + {{- else }} + - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans + {{- end }} + {{- if .Values.env }} + env: + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} resources: -{{- if .Values.resources }} +{{- if .Values.policy.resources }} +{{ toYaml .Values.policy.resources | indent 10 }} +{{- else if .Values.resources }} {{ toYaml .Values.resources | indent 10 }} {{- else }} {{ toYaml .Values.global.defaultResources | indent 10 }} {{- end }} volumeMounts: +{{- if $.Values.global.useMCP }} + - name: istio-certs + mountPath: /etc/certs + readOnly: true +{{- end }} - name: uds-socket mountPath: /sock livenessProbe: httpGet: path: /version - port: 9093 + port: {{ .Values.global.monitoringPort }} initialDelaySeconds: 5 periodSeconds: 5 - name: istio-proxy - image: "{{ 
$.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - containerPort: 9091 - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} - --serviceCluster - istio-policy - --templateFile @@ -63,6 +128,9 @@ {{- else }} - --controlPlaneAuthPolicy - NONE + {{- end }} + {{- if $.Values.global.trustDomain }} + - --trust-domain={{ $.Values.global.trustDomain }} {{- end }} env: - name: POD_NAME @@ -90,8 +158,20 @@ - name: istio-certs mountPath: /etc/certs readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} - name: uds-socket mountPath: /sock + - name: policy-adapter-secret + mountPath: /var/run/secrets/istio.io/policy/adapter + readOnly: true {{- end }} {{- define "telemetry_container" }} 
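Review bot: in the policy container args hunk (`@@ -22,37 +42,82 @@`), the `controlPlaneSecurityEnabled` branch switches the config store to `mcps://istio-galley...:9901` but passes no `--certFile`/`--keyFile`/`--caCertFile`, while the telemetry container's equivalent branch in this same file does pass all three; the `istio-certs` volume is mounted under `useMCP` in both. Unless the policy mixer picks up `/etc/certs` by default, this branch will fail the TLS handshake to Galley; please mirror the telemetry flags or explain the asymmetry in a comment. Same hunk: `--useTemplateCRDs=false` is hardcoded only for policy and is not driven by values like `useAdapterCRDs` is.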
@@ -102,12 +182,30 @@ secret: secretName: istio.istio-mixer-service-account optional: true + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds/uds_path + type: Socket + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} - name: uds-socket emptyDir: {} - {{- if $.Values.nodeSelector }} - nodeSelector: -{{ toYaml $.Values.nodeSelector | indent 8 }} - {{- end }} + - name: telemetry-adapter-secret + secret: + secretName: telemetry-adapter-secret + optional: true + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} containers: - name: mixer {{- if contains "/" .Values.image }} 
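Review bot: in the telemetry volumes hunk, the `{{- if $.Values.nodeSelector }} nodeSelector:` block is removed in favour of the `nodeaffinity` and `podAntiAffinity` includes, yet the new values.yaml in this change still ships `nodeSelector: {}`. If the `nodeaffinity` helper does not consume `.Values.nodeSelector`, the value is now dead and operators who set it will get pods scheduled anywhere; either wire it into the helper or drop it from values.yaml with an upgrade note.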
@@ -117,37 +215,91 @@ {{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - - containerPort: 9093 + - containerPort: {{ .Values.global.monitoringPort }} - containerPort: 42422 args: + - --monitoringPort={{ .Values.global.monitoringPort }} - --address - unix:///sock/mixer.socket +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} +{{- if $.Values.global.useMCP }} + {{- if $.Values.global.controlPlaneSecurityEnabled}} + - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901 + - --certFile=/etc/certs/cert-chain.pem + - --keyFile=/etc/certs/key.pem + - --caCertFile=/etc/certs/root-cert.pem + {{- else }} + - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- end }} +{{- else }} - --configStoreURL=k8s:// +{{- end }} - --configDefaultNamespace={{ $.Release.Namespace }} - - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + {{- if $.Values.adapters.useAdapterCRDs }} + - --useAdapterCRDs=true + {{- else }} + - --useAdapterCRDs=false + {{- end }} + {{- if $.Values.global.tracer.zipkin.address }} + - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans + {{- else }} + - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans + {{- end }} + - --averageLatencyThreshold + - {{ $.Values.telemetry.loadshedding.latencyThreshold }} + - --loadsheddingMode + - {{ $.Values.telemetry.loadshedding.mode }} + {{- if .Values.env }} + env: + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} resources: -{{- if .Values.resources }} +{{- if .Values.telemetry.resources }} +{{ toYaml .Values.telemetry.resources | indent 10 }} +{{- else if .Values.resources }} {{ toYaml .Values.resources | indent 10 }} {{- else }} {{ toYaml .Values.global.defaultResources | indent 10 }} {{- end }} volumeMounts: +{{- if $.Values.global.useMCP }} + - name: istio-certs + mountPath: 
/etc/certs + readOnly: true +{{- end }} + - name: telemetry-adapter-secret + mountPath: /var/run/secrets/istio.io/telemetry/adapter + readOnly: true - name: uds-socket mountPath: /sock livenessProbe: httpGet: path: /version - port: 9093 + port: {{ .Values.global.monitoringPort }} initialDelaySeconds: 5 periodSeconds: 5 - name: istio-proxy - image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - containerPort: 9091 - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - istio-telemetry - --templateFile 
@@ -185,38 +337,71 @@ - name: istio-certs mountPath: /etc/certs readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} - name: uds-socket mountPath: /sock {{- end }} -{{- $mixers := list "policy" "telemetry" }} -{{- range $idx, $mname := $mixers }} -apiVersion: extensions/v1beta1 +{{- range $key, $spec := .Values }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if $spec.enabled }} +apiVersion: apps/v1 kind: Deployment metadata: - name: istio-{{ $mname }} + name: istio-{{ $key }} namespace: {{ $.Release.Namespace }} labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + app: istio-mixer + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} istio: mixer spec: - replicas: {{ $.Values.replicaCount }} +{{- if not $spec.autoscaleEnabled }} +{{- if $spec.replicaCount }} + replicas: {{ $spec.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: {{ $key }} template: metadata: labels: - app: {{ $mname }} + app: {{ $key }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} istio: mixer - istio-mixer-type: {{ $mname }} + istio-mixer-type: {{ $key }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- if eq $mname "policy"}} +{{- with $.Values.podAnnotations }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- if eq $key "policy"}} {{- template "policy_container" $ }} {{- else }} {{- template "telemetry_container" $ }} {{- end }} --- +{{- end }} +{{- end }} {{- end }} {{/* range */}} 
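Review bot: the move from `extensions/v1beta1` to `apps/v1` introduces an explicit `selector.matchLabels` of `istio: mixer` plus `istio-mixer-type`, whereas the previous template (no selector) defaulted to the full pod label set including `app`. Since the selector of an `apps/v1` Deployment is immutable, `helm upgrade` from a release created by the old template will be rejected on that field; the release notes need a delete-and-reinstall (or manual Deployment deletion) step for the mixer deployments. Also, `{{- range $key, $spec := .Values }}` walks every top-level value and filters on the names `policy`/`telemetry`; iterating an explicit `list "policy" "telemetry"` as before and indexing `.Values` would be less fragile than scanning the whole values map.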
diff --git a/istio/charts/mixer/templates/poddisruptionbudget.yaml b/istio/charts/mixer/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a6bfe8668a05fe515795bef3c6122204ea8017ce --- /dev/null +++ b/istio/charts/mixer/templates/poddisruptionbudget.yaml @@ -0,0 +1,32 @@ +{{- range $key, $spec := .Values }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if $spec.enabled }} +{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-{{ $key }} + namespace: {{ $.Release.Namespace }} + labels: + app: {{ $key }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + version: {{ $.Chart.Version }} + istio: mixer + istio-mixer-type: {{ $key }} +spec: +{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: {{ $key }} + release: {{ $.Release.Name }} + istio: mixer + istio-mixer-type: {{ $key }} +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/istio/charts/mixer/templates/service.yaml b/istio/charts/mixer/templates/service.yaml index f633c666ec431654db9824e7dd064b8b65a4c58c..79cc4a5820611e6a1e8e1182dd9b87bca8820171 100644 --- a/istio/charts/mixer/templates/service.yaml +++ b/istio/charts/mixer/templates/service.yaml 
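Review bot: in the new poddisruptionbudget.yaml, `{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}` is tested twice, once around the whole resource and again inside `spec:`; the inner check can never be false when the outer one passed, so drop it. Worth a comment as well: the PDB selector matches `app`, `release`, `istio` and `istio-mixer-type`, which must stay in step with the pod template labels in deployment.yaml, and with `replicaCount: 1` when autoscaling is off the budget will block node drains unless the included `podDisruptionBudget.spec` allows one unavailable pod.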
@@ -1,12 +1,17 @@ -{{ $mixers := list "policy" "telemetry" }} -{{- range $idx, $mname := $mixers }} +{{- range $key, $spec := .Values }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if $spec.enabled }} apiVersion: v1 kind: Service metadata: - name: istio-{{ $mname }} + name: istio-{{ $key }} namespace: {{ $.Release.Namespace }} + annotations: + networking.istio.io/exportTo: "*" labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + app: {{ template "mixer.name" $ }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} istio: mixer spec: @@ -16,13 +21,19 @@ spec: - name: grpc-mixer-mtls port: 15004 - name: http-monitoring - port: 9093 -{{- if eq $mname "telemetry" }} + port: {{ $.Values.global.monitoringPort }} +{{- if eq $key "telemetry" }} - name: prometheus port: 42422 +{{- if $spec.sessionAffinityEnabled }} + sessionAffinity: ClientIP +{{- end }} {{- end }} selector: istio: mixer - istio-mixer-type: {{ $mname }} + istio-mixer-type: {{ $key }} --- {{- end }} +{{- end }} +{{- end }} + diff --git a/istio/charts/mixer/templates/serviceaccount.yaml b/istio/charts/mixer/templates/serviceaccount.yaml index 43a57c3aff03f60cdc84051fee792149be7a5d84..9d3da7dd6372a31f1c9f40011d21fba38cc2e93d 100644 --- a/istio/charts/mixer/templates/serviceaccount.yaml +++ b/istio/charts/mixer/templates/serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} apiVersion: v1 kind: ServiceAccount {{- if .Values.global.imagePullSecrets }} @@ -11,6 +12,7 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "mixer.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "mixer.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- end }} 
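Review bot: in the first service.yaml hunk, the new `networking.istio.io/exportTo: "*"` annotation makes istio-policy and istio-telemetry reachable from sidecars in every namespace. That is what the data plane needs, but it is a deliberate widening of control-plane visibility and should be called out in the chart documentation alongside the `exportTo` on the DestinationRules. In the second hunk, the final `+` line adds only a trailing blank line to the file; remove it to keep the template output clean.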
diff --git a/istio/charts/mixer/templates/statsdtoprom.yaml b/istio/charts/mixer/templates/statsdtoprom.yaml deleted file mode 100644 index 7ad3ba36da2aab2c6bedafdfc0bb2f2d61cf7715..0000000000000000000000000000000000000000 --- a/istio/charts/mixer/templates/statsdtoprom.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ - -{{- $statsdname := "statsd-prom-bridge" }} ---- -apiVersion: v1 -kind: Service -metadata: - name: istio-{{ $statsdname }} - namespace: {{ .Release.Namespace }} - labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} - istio: {{ $statsdname }} -spec: - ports: - - name: statsd-prom - port: 9102 - - name: statsd-udp - port: 9125 - protocol: UDP - selector: - istio: {{ $statsdname }} - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: istio-{{ $statsdname }} - namespace: {{ .Release.Namespace }} - labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} - istio: mixer -spec: - template: - metadata: - labels: - istio: {{ $statsdname }} - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-mixer-service-account - volumes: - - name: config-volume - configMap: - name: istio-statsd-prom-bridge - {{- if $.Values.nodeSelector }} - nodeSelector: -{{ toYaml $.Values.nodeSelector | indent 8 }} - {{- end }} - containers: - - name: {{ $statsdname }} - image: "{{ $.Values.prometheusStatsdExporter.hub }}/statsd-exporter:{{ $.Values.prometheusStatsdExporter.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 9102 - - containerPort: 9125 - protocol: UDP - args: - - '-statsd.mapping-config=/etc/statsd/mapping.conf' - resources: -{{- if .Values.prometheusStatsdExporter.resources }} -{{ toYaml .Values.prometheusStatsdExporter.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - volumeMounts: - - name: config-volume - mountPath: /etc/statsd diff --git a/istio/charts/mixer/values.yaml b/istio/charts/mixer/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0d538ce391ae516079628324aeb34b6829d2dccd --- /dev/null +++ b/istio/charts/mixer/values.yaml 
@@ -0,0 +1,84 @@ +# +# mixer configuration +# +image: mixer + +env: + GODEBUG: gctrace=1 + # max procs should be ceil(cpu limit + 1) + GOMAXPROCS: "6" + +policy: + # if policy is enabled, global.disablePolicyChecks has affect. + enabled: false + replicaCount: 1 + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + +telemetry: + enabled: true + replicaCount: 1 + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + sessionAffinityEnabled: false + + # mixer load shedding configuration. + # When mixer detects that it is overloaded, it starts rejecting grpc requests. + loadshedding: + # disabled, logonly or enforce + mode: enforce + # based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async. + latencyThreshold: 100ms + resources: + requests: + cpu: 1000m + memory: 1G + limits: + # It is best to do horizontal scaling of mixer using moderate cpu allocation. + # We have experimentally found that these values work well. + cpu: 4800m + memory: 4G + +podAnnotations: {} +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. 
+# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +adapters: + kubernetesenv: + enabled: true + + # stdio is a debug adapter in istio-telemetry, it is not recommended for production use. + stdio: + enabled: false + outputAsJson: true + prometheus: + enabled: true + metricsExpiryDuration: 10m + # Setting this to false sets the useAdapterCRDs mixer startup argument to false + useAdapterCRDs: false diff --git a/istio/charts/ingress/Chart.yaml b/istio/charts/nodeagent/Chart.yaml similarity index 60% rename from istio/charts/ingress/Chart.yaml rename to istio/charts/nodeagent/Chart.yaml index a2f12b173fe5567abfff8e626fcbf1f5a643e242..9ba4eeb4469fb9280c7da929fc0776e331fd4e0c 100644 --- a/istio/charts/ingress/Chart.yaml +++ b/istio/charts/nodeagent/Chart.yaml @@ -1,12 +1,12 @@ apiVersion: v1 -name: ingress -version: 1.0.1 -appVersion: 1.0.1 +name: nodeagent +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" -description: Helm chart for ingress deployment +description: Helm chart for nodeagent deployment keywords: - istio - - ingress + - nodeagent sources: - http://github.com/istio/istio engine: gotpl diff --git a/istio/charts/nodeagent/templates/_helpers.tpl b/istio/charts/nodeagent/templates/_helpers.tpl new file mode 100644 index 0000000000000000000000000000000000000000..fda6043d0ccc928948aeb2031e75d1c36fff65b9 --- /dev/null +++ b/istio/charts/nodeagent/templates/_helpers.tpl 
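Review bot: in the new values.yaml, the `env` block sets `GOMAXPROCS: "6"` with the comment "should be ceil(cpu limit + 1)", and deployment.yaml injects `.Values.env` into both the policy and the telemetry container. That number only matches the telemetry limit (`cpu: 4800m`); the policy mixer has no `policy.resources` here and falls back to `global.defaultResources`, so it will run with more OS threads than its CPU allocation. Consider per-mixer env blocks or a comment on the mismatch. Typo in the same hunk: the comment "global.disablePolicyChecks has affect" should read "has an effect".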
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nodeagent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nodeagent.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nodeagent.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/nodeagent/templates/clusterrole.yaml b/istio/charts/nodeagent/templates/clusterrole.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9127b05e3341c0cd27ef9036e9f4b84e1bb3d610 --- /dev/null +++ b/istio/charts/nodeagent/templates/clusterrole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-nodeagent-{{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] \ No newline at end of file diff --git a/istio/charts/nodeagent/templates/clusterrolebinding.yaml b/istio/charts/nodeagent/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000000000000000000000000000000000..963757e72e6b976f3c02dd3511eb1c2dff59e36a --- /dev/null 
+++ b/istio/charts/nodeagent/templates/clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-nodeagent-{{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-nodeagent-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-nodeagent-service-account + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/istio/charts/nodeagent/templates/daemonset.yaml b/istio/charts/nodeagent/templates/daemonset.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c955aa3c22f700d13cd5fae2ab895c0b6e2367a5 --- /dev/null +++ b/istio/charts/nodeagent/templates/daemonset.yaml 
@@ -0,0 +1,52 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: istio-nodeagent + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: nodeagent +spec: + selector: + matchLabels: + istio: nodeagent + template: + metadata: + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: nodeagent + spec: + serviceAccountName: istio-nodeagent-service-account + containers: + - name: nodeagent +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - mountPath: /var/run/sds + name: sdsudspath + env: + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + - name: "Trust_Domain" + value: "{{ .Values.global.trustDomain }}" + volumes: + - name: sdsudspath + hostPath: + path: /var/run/sds + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/nodeagent/templates/serviceaccount.yaml b/istio/charts/nodeagent/templates/serviceaccount.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b52f852d893dc9534a9a5a166fcdbb891e9c324c --- /dev/null +++ b/istio/charts/nodeagent/templates/serviceaccount.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-nodeagent-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} \ No newline at end of file diff --git a/istio/charts/nodeagent/values.yaml b/istio/charts/nodeagent/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..66f1f3846d4e82e89e6f70cbfe0eb6ffe0384fb5 --- /dev/null +++ b/istio/charts/nodeagent/values.yaml @@ -0,0 +1,34 @@ +# +# nodeagent configuration +# +enabled: false +image: node-agent-k8s +env: + # name of authentication provider. + CA_PROVIDER: "" + # CA endpoint. + CA_ADDR: "" + # names of authentication provider's plugins. + Plugins: "" +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} 
diff --git a/istio/charts/pilot/Chart.yaml b/istio/charts/pilot/Chart.yaml index 54e24d3d50325ef6fd6db210e5a76e98892e0172..4ce44386e0bd2a93a595d8124cc41e6ce5b8852e 100644 --- a/istio/charts/pilot/Chart.yaml +++ b/istio/charts/pilot/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: pilot -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for pilot deployment keywords: diff --git a/istio/charts/pilot/templates/_helpers.tpl b/istio/charts/pilot/templates/_helpers.tpl new file mode 100644 index 0000000000000000000000000000000000000000..c812c37096b5b9413e32e3519e8ffe762c8e991b --- /dev/null +++ b/istio/charts/pilot/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "pilot.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "pilot.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "pilot.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/pilot/templates/autoscale.yaml b/istio/charts/pilot/templates/autoscale.yaml index 23ad0122c0fa8adef0e45db9d80cebc3a7a63063..1a9945136a620888791c0b8268b1315f7c6db254 100644 --- a/istio/charts/pilot/templates/autoscale.yaml 
+++ b/istio/charts/pilot/templates/autoscale.yaml @@ -1,19 +1,25 @@ -{{- if .Values.autoscaleMin }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: istio-pilot + name: istio-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: istio-pilot - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }} + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }} --- {{- end }} diff --git a/istio/charts/pilot/templates/clusterrole.yaml b/istio/charts/pilot/templates/clusterrole.yaml index f9014405f5ae969d326fae8d4748976f921a02aa..0435c3ebd05f11fc7cb2336521d6aca08c4bd614 100644 --- a/istio/charts/pilot/templates/clusterrole.yaml +++ b/istio/charts/pilot/templates/clusterrole.yaml @@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-pilot-{{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: 
@@ -24,14 +24,11 @@ rules: resources: ["customresourcedefinitions"] verbs: ["*"] - apiGroups: ["extensions"] - resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"] + resources: ["ingresses", "ingresses/status"] verbs: ["*"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] - apiGroups: [""] - resources: ["endpoints", "pods", "services"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["namespaces", "nodes", "secrets"] + resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] verbs: ["get", "list", "watch"] diff --git a/istio/charts/pilot/templates/clusterrolebinding.yaml b/istio/charts/pilot/templates/clusterrolebinding.yaml index c6a7216d21075a81c265a442b042c4b9a0ca019e..ef9281ca80b6759f07e08e28297c52b10625b753 100644 --- a/istio/charts/pilot/templates/clusterrolebinding.yaml +++ b/istio/charts/pilot/templates/clusterrolebinding.yaml @@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-pilot-{{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/pilot/templates/deployment.yaml b/istio/charts/pilot/templates/deployment.yaml index 55d8a68db1c1e57d878929cb67491d68667307e7..22352ae4a98d17b96e65d81af62c7fe8a854431d 100644 --- a/istio/charts/pilot/templates/deployment.yaml +++ b/istio/charts/pilot/templates/deployment.yaml 
@@ -1,27 +1,42 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-pilot namespace: {{ .Release.Namespace }} # TODO: default template doesn't have this, which one is right ? labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: pilot annotations: checksum/config-volume: {{ template "istio.configmap.checksum" . }} spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} replicas: {{ .Values.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: pilot template: metadata: labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: pilot - app: pilot annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-pilot-service-account {{- if .Values.global.priorityClassName }} 
@@ -37,14 +52,30 @@ spec: imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - "discovery" + - --monitoringAddr=:{{ .Values.global.monitoringPort }} +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} + - --domain + - {{ .Values.global.proxy.clusterDomain }} {{- if .Values.global.oneNamespace }} - "-a" - {{ .Release.Namespace }} {{- end }} -{{- if not .Values.sidecar }} +{{- if $.Values.global.controlPlaneSecurityEnabled}} + {{- if not .Values.sidecar }} - --secureGrpcAddr - ":15011" + {{- end }} +{{- else }} + - --secureGrpcAddr + - "" {{- end }} +{{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" ports: - containerPort: 8080 - containerPort: 15010 @@ -69,8 +100,6 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: PILOT_CACHE_SQUASH - value: "5" {{- if .Values.env }} {{- range $key, $val := .Values.env }} - name: {{ $key }} @@ -81,6 +110,8 @@ spec: - name: PILOT_TRACE_SAMPLING value: "{{ .Values.traceSampling }}" {{- end }} + - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY + value: "1" resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 12 }} @@ -95,7 +126,11 @@ spec: readOnly: true {{- if .Values.sidecar }} - name: istio-proxy - image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}" +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - containerPort: 15003 @@ -104,6 +139,8 @@ spec: - containerPort: 15011 args: - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - istio-pilot - --templateFile 
@@ -114,6 +151,9 @@ spec: {{- else }} - --controlPlaneAuthPolicy - NONE + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} {{- end }} env: - name: POD_NAME @@ -141,14 +181,39 @@ spec: - name: istio-certs mountPath: /etc/certs readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} {{- end }} volumes: + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds/uds_path + type: Socket + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} - name: config-volume configMap: name: istio - name: istio-certs secret: secretName: istio.istio-pilot-service-account - optional: true + optional: true affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/pilot/templates/gateway.yaml b/istio/charts/pilot/templates/gateway.yaml deleted file mode 100644 index 048b3e7583c661922dbc120544c01fbf65306ea1..0000000000000000000000000000000000000000 --- a/istio/charts/pilot/templates/gateway.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-autogenerated-k8s-ingress - namespace: istio-system -spec: - selector: - istio: {{ .Values.global.k8sIngressSelector }} - servers: - - port: - number: 80 - protocol: HTTP2 - name: http - hosts: - - "*" -{{ if .Values.global.k8sIngressHttps }} - - port: - number: 443 - protocol: HTTPS - name: https-default - tls: - mode: SIMPLE - serverCertificate: /etc/istio/ingress-certs/tls.crt - privateKey: /etc/istio/ingress-certs/tls.key - hosts: - - "*" -{{ end }} ---- -{{- if .Values.global.meshExpansion }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 15011 - protocol: TCP - name: tcp-pilot - hosts: - - "*" - - port: - number: 8060 - protocol: TCP - name: tcp-citadel - hosts: - - "*" ---- -{{- end }} - -{{- if .Values.global.meshExpansionILB }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-ilb-gateway -spec: - selector: - istio: ilbgateway - servers: - - port: - number: 15011 - protocol: TCP - name: tcp-pilot - hosts: - - "*" - - port: - number: 8060 - protocol: TCP - name: tcp-citadel - hosts: - - "*" -{{- end }} diff --git a/istio/charts/pilot/templates/meshexpansion.yaml b/istio/charts/pilot/templates/meshexpansion.yaml index 88e604dda82030323e3cde2c857b40a35d18e39a..4f3d595706f1d2d1b10f93fbc3b4f43a7e47d52a 100644 --- a/istio/charts/pilot/templates/meshexpansion.yaml +++ b/istio/charts/pilot/templates/meshexpansion.yaml 
@@ -1,59 +1,91 @@ -{{- if .Values.global.meshExpansion }} - +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: meshexpansion-pilot + name: meshexpansion-ilb-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: hosts: - - "pilot.istio-system" + - istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-gateway + - meshexpansion-ilb-gateway tcp: - match: - port: 15011 route: - destination: - host: istio-pilot.istio-system.svc.cluster.local + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 15011 - - -{{- end }} - - -{{- if .Values.global.meshExpansionILB }} + - match: + - port: 15010 + route: + - destination: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15010 + - match: + - port: 5353 + route: + - destination: + host: kube-dns.kube-system.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 53 --- +{{- else }} + apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: ilb-meshexpansion-pilot + name: meshexpansion-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: hosts: - - "meshexpansionilb.istio-system" + - istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-ilb-gateway + - meshexpansion-gateway tcp: - match: - port: 15011 route: - destination: - host: istio-pilot.istio-system.svc.cluster.local + host: istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 15011 - - match: - - port: 15010 - route: - - destination: - host: istio-pilot.istio-system.svc.cluster.local - port: - number: 15010 - - match: - - port: 5353 - route: - - destination: - host: kube-dns.kube-system.svc.cluster.local - port: - number: 53 +--- +{{- end }} +{{- if .Values.global.controlPlaneSecurityEnabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15011 + tls: + mode: DISABLE +--- {{- end }} +{{- end }} + diff --git a/istio/charts/pilot/templates/poddisruptionbudget.yaml b/istio/charts/pilot/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000000000000000000000000000000000..fd9e06a7177f0772f4c440f7b1a94f50222683c4 --- /dev/null +++ b/istio/charts/pilot/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,22 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: {{ template "pilot.name" . }} + release: {{ .Release.Name }} + istio: pilot +{{- end }} diff --git a/istio/charts/pilot/templates/service.yaml b/istio/charts/pilot/templates/service.yaml index e43511f37d78574c4cb637cdf3f73b403012c856..a61d93025e46efd9c8d90c53af52086e105787dd 100644 --- a/istio/charts/pilot/templates/service.yaml +++ b/istio/charts/pilot/templates/service.yaml @@ -4,10 +4,11 @@ metadata: name: istio-pilot namespace: {{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot spec: ports: - port: 15010 @@ -16,7 +17,7 @@ spec: name: https-xds # mTLS - port: 8080 name: http-legacy-discovery # direct - - port: 9093 + - port: {{ .Values.global.monitoringPort }} name: http-monitoring selector: istio: pilot diff --git a/istio/charts/pilot/templates/serviceaccount.yaml b/istio/charts/pilot/templates/serviceaccount.yaml index c7125b90c7e05d0e74462c768943efb3145f8455..7ec2a66de7ee7c0ce77b6289e6843d82260141a0 100644 --- a/istio/charts/pilot/templates/serviceaccount.yaml +++ b/istio/charts/pilot/templates/serviceaccount.yaml 
@@ -10,7 +10,7 @@ metadata: name: istio-pilot-service-account namespace: {{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/pilot/values.yaml b/istio/charts/pilot/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0a7da57ea9fbd6ecc097b213fa128214c05511de --- /dev/null +++ b/istio/charts/pilot/values.yaml 
@@ -0,0 +1,49 @@ +# +# pilot configuration +# +enabled: true +autoscaleEnabled: true +autoscaleMin: 1 +autoscaleMax: 5 +# specify replicaCount when autoscaleEnabled: false +# replicaCount: 1 +image: pilot +sidecar: true +traceSampling: 1.0 +# Resources for a small pilot install +resources: + requests: + cpu: 500m + memory: 2048Mi +env: + PILOT_PUSH_THROTTLE: 100 + GODEBUG: gctrace=1 +cpu: + targetAverageUtilization: 80 +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +# The following is used to limit how long a sidecar can be connected +# to a pilot. It balances out load across pilot instances at the cost of +# increasing system churn. +keepaliveMaxServerConnectionAge: 30m diff --git a/istio/charts/prometheus/Chart.yaml b/istio/charts/prometheus/Chart.yaml index 2d6804e4fa82369e331f3691e6cdf096affe4105..6431a43dd00b70c7ffe3a230c56e64f64612614a 100644 --- a/istio/charts/prometheus/Chart.yaml +++ b/istio/charts/prometheus/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: prometheus -version: 1.0.1 -appVersion: 2.3.1 +version: 1.1.0 +appVersion: 2.8.0 tillerVersion: ">=2.7.2" diff --git a/istio/charts/prometheus/templates/_helpers.tpl b/istio/charts/prometheus/templates/_helpers.tpl index 52a2ad36890c247eb86948fc71ae16035483399c..039388329b5d3993887713e91e687bcfc13327c5 100644 --- a/istio/charts/prometheus/templates/_helpers.tpl +++ b/istio/charts/prometheus/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/prometheus/templates/clusterrole.yaml b/istio/charts/prometheus/templates/clusterrole.yaml index 7d966f0e50233ad13140af818b58305b55b502c5..06fdfaf53350cc65d11a198b5ac0cc7022d7f051 100644 --- a/istio/charts/prometheus/templates/clusterrole.yaml +++ b/istio/charts/prometheus/templates/clusterrole.yaml 
@@ -1,7 +1,12 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: prometheus-{{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} rules: - apiGroups: [""] resources: diff --git a/istio/charts/prometheus/templates/clusterrolebindings.yaml b/istio/charts/prometheus/templates/clusterrolebindings.yaml index 6114d6b25b0b7c5648af60395a32229886804fdb..295e0df729e791e94c9afe84dc9d3d58133b4eff 100644 --- a/istio/charts/prometheus/templates/clusterrolebindings.yaml +++ b/istio/charts/prometheus/templates/clusterrolebindings.yaml @@ -1,7 +1,12 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: prometheus-{{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/istio/charts/prometheus/templates/configmap.yaml b/istio/charts/prometheus/templates/configmap.yaml index 63bd4cd786044164c60db87a5ad8bfe74facad19..e00563d06c3161f18e9ece897342d1db42ca5f1e 100644 --- a/istio/charts/prometheus/templates/configmap.yaml +++ b/istio/charts/prometheus/templates/configmap.yaml 
@@ -5,19 +5,16 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: prometheus - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "prometheus.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} data: prometheus.yml: |- global: - scrape_interval: 15s + scrape_interval: {{ .Values.scrapeInterval }} scrape_configs: - job_name: 'istio-mesh' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - kubernetes_sd_configs: - role: endpoints namespaces: 
@@ -29,29 +26,63 @@ data: action: keep regex: istio-telemetry;prometheus - - job_name: 'envoy' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} + - role: pod relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_pod_container_port_name] action: keep - regex: istio-statsd-prom-bridge;statsd-prom + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name - - job_name: 'istio-policy' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + - job_name: 'istio-policy' kubernetes_sd_configs: - role: endpoints namespaces: @@ -65,11 +96,6 @@ data: regex: istio-policy;http-monitoring - job_name: 'istio-telemetry' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - kubernetes_sd_configs: - role: endpoints namespaces: @@ -82,11 +108,6 @@ data: regex: istio-telemetry;http-monitoring - job_name: 'pilot' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - kubernetes_sd_configs: - role: endpoints namespaces: @@ -99,11 +120,6 @@ data: regex: istio-pilot;http-monitoring - job_name: 'galley' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - kubernetes_sd_configs: - role: endpoints namespaces: 
@@ -115,6 +131,18 @@ data: action: keep regex: istio-galley;http-monitoring + - job_name: 'citadel' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-citadel;http-monitoring + # scrape config for API servers - job_name: 'kubernetes-apiservers' kubernetes_sd_configs: 
@@ -210,19 +238,66 @@ data: action: replace target_label: kubernetes_name - # Example scrape config for pods - job_name: 'kubernetes-pods' kubernetes_sd_configs: - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: keep + regex: ((;.*)|(.*;http)) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. + kubernetes_sd_configs: + - role: pod relabel_configs: - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] action: keep regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: drop + regex: (http) - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] action: replace regex: ([^:]+)(?::\d+)?;(\d+) @@ -235,4 +310,4 @@ data: target_label: namespace - source_labels: [__meta_kubernetes_pod_name] action: replace - target_label: pod_name + target_label: pod_name \ No newline at end of file diff --git a/istio/charts/prometheus/templates/deployment.yaml b/istio/charts/prometheus/templates/deployment.yaml index 34cb5f9d36e5bb1c2661a50d52574e68e6f71cce..831557e98343e057d383e60761c5f93da91db299 100644 --- a/istio/charts/prometheus/templates/deployment.yaml +++ b/istio/charts/prometheus/templates/deployment.yaml @@ -1,14 +1,14 @@ # TODO: the original template has service account, roles, etc -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: prometheus namespace: {{ .Release.Namespace }} labels: app: prometheus - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "prometheus.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} selector: 
@@ -18,20 +18,32 @@ spec: metadata: labels: app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: prometheus {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.security.enabled }} + initContainers: + - name: prom-init + image: "busybox:1.30.1" + command: ['sh', '-c', 'counter=0; until [ "$counter" -ge 30 ]; do if [ -f /etc/istio-certs/key.pem ]; then exit 0; else echo waiting for istio certs && sleep 1 && counter=$((counter+1)); fi; done; exit 1;'] + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - mountPath: /etc/istio-certs + name: istio-certs {{- end }} containers: - name: prometheus image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - - '--storage.tsdb.retention=6h' + - '--storage.tsdb.retention={{ .Values.retention }}' - '--config.file=/etc/prometheus/prometheus.yml' ports: - containerPort: 9090 @@ -53,9 +65,17 @@ spec: volumeMounts: - name: config-volume mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs volumes: - name: config-volume configMap: name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/prometheus/templates/ingress.yaml b/istio/charts/prometheus/templates/ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..43be6552326737333052deb1e78383c58cc0f7b7 --- /dev/null +++ b/istio/charts/prometheus/templates/ingress.yaml 
@@ -0,0 +1,40 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + rules: +{{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host }} + http: + paths: + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }} + backend: + serviceName: prometheus + servicePort: 9090 + {{- end -}} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }} + backend: + serviceName: prometheus + servicePort: 9090 +{{- end }} + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/istio/charts/prometheus/templates/service.yaml b/istio/charts/prometheus/templates/service.yaml index a9eec0f86c0669cf39e1f2dfa19cf2a2cc136bb5..d92525df0777df30cc8b773efb628026222ba6fe 100644 --- a/istio/charts/prometheus/templates/service.yaml +++ b/istio/charts/prometheus/templates/service.yaml @@ -6,10 +6,13 @@ metadata: annotations: prometheus.io/scrape: 'true' {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: - name: prometheus + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: selector: app: prometheus @@ -27,7 +30,10 @@ metadata: name: prometheus-nodeport namespace: {{ .Release.Namespace }} labels: - name: prometheus + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: NodePort ports: 
diff --git a/istio/charts/prometheus/templates/serviceaccount.yaml b/istio/charts/prometheus/templates/serviceaccount.yaml index cf083b744662ab5ea9a7af57e12617841902b519..7c2fab3f4c51b1717d0ef2e7a8f94c0ebebf4fba 100644 --- a/istio/charts/prometheus/templates/serviceaccount.yaml +++ b/istio/charts/prometheus/templates/serviceaccount.yaml @@ -9,3 +9,8 @@ imagePullSecrets: metadata: name: prometheus namespace: {{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml b/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ba2c7d8da575a24613684f19fc5ecd9864b97cd7 --- /dev/null +++ b/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml @@ -0,0 +1,29 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "prometheus.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: prometheus-test + chart: {{ template "prometheus.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: prometheus + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "prometheus.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} 
diff --git a/istio/charts/prometheus/values.yaml b/istio/charts/prometheus/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f40b3cdeb3759a1ce243b95647c8f8c805cf8169 --- /dev/null +++ b/istio/charts/prometheus/values.yaml @@ -0,0 +1,58 @@ +# +# addon prometheus configuration +# +enabled: true +replicaCount: 1 +hub: docker.io/prom +tag: v2.8.0 +retention: 6h +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +# Controls the frequency of prometheus scraping +scrapeInterval: 15s + +contextPath: /prometheus + +ingress: + enabled: false + ## Used to create an Ingress record. + hosts: + - prometheus.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: prometheus-tls + # hosts: + # - prometheus.local + +service: + annotations: {} + nodePort: + enabled: false + port: 32090 + +security: + enabled: true 
diff --git a/istio/charts/security/Chart.yaml b/istio/charts/security/Chart.yaml index 63c834f0d4b7bf8a4128697deffbdbced0a7ad24..6cafffacd16dbc6c3211a52f4d8ceb1eb9069538 100644 --- a/istio/charts/security/Chart.yaml +++ b/istio/charts/security/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: security -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for istio authentication keywords: diff --git a/istio/charts/security/templates/_helpers.tpl b/istio/charts/security/templates/_helpers.tpl index 7564a1b275c2504c1642b20ba34e062bb9c10ae7..7f36f9d5107f7d5b09eba7581e0b8040ceb90660 100644 --- a/istio/charts/security/templates/_helpers.tpl +++ b/istio/charts/security/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "security.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "security.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/security/templates/cleanup-secrets.yaml b/istio/charts/security/templates/cleanup-secrets.yaml index ae93b9fc1f5b55c9da7e78af76a91bfb9824752b..be6f26e9fed7ed52a96c1af6f4618dd469e0ee42 100644 --- a/istio/charts/security/templates/cleanup-secrets.yaml +++ b/istio/charts/security/templates/cleanup-secrets.yaml 
@@ -9,6 +9,12 @@ apiVersion: v1 kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} metadata: name: istio-cleanup-secrets-service-account namespace: {{ .Release.Namespace }} @@ -18,11 +24,17 @@ metadata: "helm.sh/hook-weight": "1" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} +- name: {{ . }} +{{- end }} +{{- end }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-cleanup-secrets-{{ .Release.Namespace }} @@ -32,7 +44,7 @@ metadata: "helm.sh/hook-weight": "1" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -40,7 +52,7 @@ rules: resources: ["secrets"] verbs: ["list", "delete"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-cleanup-secrets-{{ .Release.Namespace }} @@ -50,7 +62,7 @@ metadata: "helm.sh/hook-weight": "2" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: @@ -65,7 +77,7 @@ subjects: apiVersion: batch/v1 kind: Job metadata: - name: istio-cleanup-secrets + name: istio-cleanup-secrets-{{ .Values.global.tag | printf "%v" | trunc 32 }} namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": post-delete 
@@ -73,21 +85,24 @@ metadata: "helm.sh/hook-weight": "3" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: template: metadata: name: istio-cleanup-secrets labels: app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: serviceAccountName: istio-cleanup-secrets-service-account containers: - - name: hyperkube - image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" + - name: kubectl + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: IfNotPresent command: - /bin/bash - -c @@ -98,3 +113,6 @@ spec: kubectl delete secret $name -n $ns; done restartPolicy: OnFailure + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/security/templates/clusterrole.yaml b/istio/charts/security/templates/clusterrole.yaml index d7879a9958075812b78a7317bac31049368be64f..cdeb0c054e6803555af942b38e66ad00a074e232 100644 --- a/istio/charts/security/templates/clusterrole.yaml +++ b/istio/charts/security/templates/clusterrole.yaml 
@@ -1,19 +1,22 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-citadel-{{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "update"] - apiGroups: [""] resources: ["secrets"] verbs: ["create", "get", "watch", "list", "update", "delete"] - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["services"] + resources: ["serviceaccounts", "services"] verbs: ["get", "watch", "list"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] diff --git a/istio/charts/security/templates/clusterrolebinding.yaml b/istio/charts/security/templates/clusterrolebinding.yaml index 501f8ad521532b0043dc35329cbf93e79fcf7d59..0a15799ce9c0ab11ff91414bd59e8d766b86295a 100644 --- a/istio/charts/security/templates/clusterrolebinding.yaml +++ b/istio/charts/security/templates/clusterrolebinding.yaml @@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-citadel-{{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/security/templates/configmap.yaml b/istio/charts/security/templates/configmap.yaml index 1e64ed74e690f890445681aef4a6d66a7ee7137d..95854bfd59ec2d6bd537d392e2905395f803364a 100644 --- a/istio/charts/security/templates/configmap.yaml +++ b/istio/charts/security/templates/configmap.yaml 
@@ -1,18 +1,20 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-security-custom-resources - namespace: {{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: security -data: - custom-resources.yaml: |- - {{- if .Values.global.mtls.enabled }} - {{- include "security-default.yaml.tpl" . | indent 4}} - {{- end }} - run.sh: |- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel +data: + custom-resources.yaml: |- + {{- if .Values.global.mtls.enabled }} + {{- include "security-default.yaml.tpl" . | indent 4}} + {{- else }} + {{- include "security-permissive.yaml.tpl" . | indent 4}} + {{- end }} + run.sh: |- {{- include "install-custom-resources.sh.tpl" . | indent 4}} diff --git a/istio/charts/security/templates/create-custom-resources-job.yaml b/istio/charts/security/templates/create-custom-resources-job.yaml index 9d2d442009f931df4a1e0148fe3fdb3b4a2307f7..4daacdce6c0f7ca37750e83276c0f15711fbee78 100644 --- a/istio/charts/security/templates/create-custom-resources-job.yaml +++ b/istio/charts/security/templates/create-custom-resources-job.yaml 
@@ -1,89 +1,94 @@ -{{- if .Values.global.mtls.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-security-post-install-account - namespace: {{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} +{{- if .Values.createMeshPolicy }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: istio-security-post-install-{{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: ["authentication.istio.io"] # needed to create default authn policy - resources: ["*"] - verbs: ["*"] -- apiGroups: ["networking.istio.io"] # needed to create security destination rules - resources: ["*"] - verbs: ["*"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get"] -- apiGroups: ["extensions"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "watch"] +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-{{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: istio-security-post-install-role-binding-{{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-security-post-install-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-security-post-install-account - namespace: {{ .Release.Namespace }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-{{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: {{ .Release.Namespace }} --- - apiVersion: batch/v1 -kind: Job -metadata: - name: istio-security-post-install - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - name: istio-security-post-install - labels: - app: istio-security - release: {{ .Release.Name }} - spec: - serviceAccountName: istio-security-post-install-account - containers: - - name: hyperkube - image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" - command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] - volumeMounts: - - mountPath: "/tmp/security" - name: tmp-configmap-security - volumes: - - name: tmp-configmap-security - configMap: - name: istio-security-custom-resources - restartPolicy: OnFailure +kind: Job +metadata: + name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: kubectl + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: IfNotPresent + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} {{- end }} diff --git a/istio/charts/security/templates/deployment.yaml b/istio/charts/security/templates/deployment.yaml index 8913143ec52029e20b5c17d74548a2bc1afe34e7..6488b923c2f1ceaf296552eeb55133af6a170ada 100644 --- a/istio/charts/security/templates/deployment.yaml +++ b/istio/charts/security/templates/deployment.yaml @@ -1,24 +1,34 @@ # istio CA watching all namespaces -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-citadel namespace: {{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: citadel spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: citadel + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: citadel annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-citadel-service-account {{- if .Values.global.priorityClassName }} 
@@ -26,14 +36,18 @@ spec: {{- end }} containers: - name: citadel +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - --append-dns-names=true - --grpc-port=8060 - - --grpc-hostname=citadel - --citadel-storage-namespace={{ .Release.Namespace }} - - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingressgateway.{{ .Release.Namespace }} + - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }} + - --monitoring-port={{ .Values.global.monitoringPort }} {{- if .Values.selfSigned }} - --self-signed-ca=true {{- else }} @@ -43,6 +57,9 @@ spec: - --root-cert=/etc/cacerts/root-cert.pem - --cert-chain=/etc/cacerts/cert-chain.pem {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 12 }} @@ -62,3 +79,4 @@ spec: {{- end }} affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/security/templates/enable-mesh-mtls.yaml b/istio/charts/security/templates/enable-mesh-mtls.yaml index 7eddaa6df9aee900fbd1d2ccdfa0dfc6a47f3ec9..75e4a18e330210acbc6d793ec2c3ca1cd61b0e48 100644 --- a/istio/charts/security/templates/enable-mesh-mtls.yaml +++ b/istio/charts/security/templates/enable-mesh-mtls.yaml 
@@ -1,4 +1,4 @@ -{{ define "security-default.yaml.tpl" }} +{{- define "security-default.yaml.tpl" }} # These policy and destination rules effectively enable mTLS for all services in the mesh. For now, # they are added to Istio installation yaml for backward compatible. In future, they should be in # a separated yaml file so that customer can enable mTLS independent from installation. @@ -9,10 +9,10 @@ kind: "MeshPolicy" metadata: name: "default" labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: peers: - mtls: {} 
@@ -23,30 +23,40 @@ apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: "default" + namespace: {{ .Release.Namespace }} labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: host: "*.local" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: tls: mode: ISTIO_MUTUAL --- -# Destination rule to dislabe (m)TLS when talking to API server, as API server doesn't have sidecar. -# Customer should add similar destination rules for other services that dont' have sidecar. +# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar. +# Customer should add similar destination rules for other services that don't have sidecar. apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: "api-server" + namespace: {{ .Release.Namespace }} labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - host: "kubernetes.default.svc.cluster.local" + host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: tls: mode: DISABLE diff --git a/istio/charts/security/templates/enable-mesh-permissive.yaml b/istio/charts/security/templates/enable-mesh-permissive.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a6931b3b9497ac5ed88f810777aea32d5873bcfa --- /dev/null +++ b/istio/charts/security/templates/enable-mesh-permissive.yaml 
@@ -0,0 +1,16 @@ +{{- define "security-permissive.yaml.tpl" }} +# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. +apiVersion: "authentication.istio.io/v1alpha1" +kind: "MeshPolicy" +metadata: + name: "default" + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + peers: + - mtls: + mode: PERMISSIVE +{{- end }} diff --git a/istio/charts/security/templates/meshexpansion.yaml b/istio/charts/security/templates/meshexpansion.yaml index fcf677f504c261ea53629f0363be70c4d5ce654d..581ce964a7d057e39e2de3f5d1a0f7121241aaed 100644 --- a/istio/charts/security/templates/meshexpansion.yaml +++ b/istio/charts/security/templates/meshexpansion.yaml 
@@ -1,45 +1,56 @@ -{{- if .Values.global.meshExpansion }} - +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: meshexpansion-citadel + name: meshexpansion-vs-citadel-ilb + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel spec: hosts: - - "istio-citadel.istio-system" + - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-gateway + - meshexpansion-ilb-gateway tcp: - match: - port: 8060 route: - destination: - host: istio-citadel.istio-system.svc.cluster.local + host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 8060 - -{{- end }} - --- - -{{- if .Values.global.meshExpansionILB }} +{{- else }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: meshexpansion-ilb-citadel + name: meshexpansion-vs-citadel + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel spec: hosts: - - "istio-citadel.istio-system" + - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-ilb-gateway + - meshexpansion-gateway tcp: - match: - port: 8060 route: - destination: - host: istio-citadel.istio-system.svc.cluster.local + host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 8060 - +--- +{{- end }} {{- end }} diff --git a/istio/charts/security/templates/service.yaml b/istio/charts/security/templates/service.yaml index 902c138dfa00ec4b577f464c7eed7ecaf29f5a6f..efea17544abb1012872fdc60f09a8de6c34eabdd 100644 
--- a/istio/charts/security/templates/service.yaml +++ b/istio/charts/security/templates/service.yaml @@ -6,7 +6,11 @@ metadata: name: istio-citadel namespace: {{ .Release.Namespace }} labels: - app: istio-citadel + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel spec: ports: - name: grpc-citadel @@ -14,6 +18,6 @@ spec: targetPort: 8060 protocol: TCP - name: http-monitoring - port: 9093 + port: {{ .Values.global.monitoringPort }} selector: istio: citadel diff --git a/istio/charts/security/templates/serviceaccount.yaml b/istio/charts/security/templates/serviceaccount.yaml index 58501afbdfcc691183629d9711fe543be6451106..d07d566fa543b111e5e27b593dbc7479f216d982 100644 --- a/istio/charts/security/templates/serviceaccount.yaml +++ b/istio/charts/security/templates/serviceaccount.yaml @@ -11,6 +11,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/security/templates/tests/test-citadel-connection.yaml b/istio/charts/security/templates/tests/test-citadel-connection.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2e3da06148a568bb4ccda2caeec2d05e6ad7488e --- /dev/null +++ b/istio/charts/security/templates/tests/test-citadel-connection.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "security.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: istio-citadel-test + chart: {{ template "security.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "security.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/security/values.yaml b/istio/charts/security/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..01501e1fe3159dd2d2103e7bd4691e1765d6a99e --- /dev/null +++ b/istio/charts/security/values.yaml 
@@ -0,0 +1,30 @@ +# +# security configuration +# +enabled: true +replicaCount: 1 +image: citadel +selfSigned: true # indicate if self-signed CA is used. +createMeshPolicy: true +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/servicegraph/.helmignore b/istio/charts/servicegraph/.helmignore new file mode 100644 index 0000000000000000000000000000000000000000..f0c13194444163d1cba5c67d9e79231a62bc8f44 --- /dev/null +++ b/istio/charts/servicegraph/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/istio/charts/servicegraph/Chart.yaml b/istio/charts/servicegraph/Chart.yaml index 8138dfc4e873a5d46b5c954700ed833074552d81..66b2a1eb5bae13312272c2875b0484fa3a431a94 100644 --- a/istio/charts/servicegraph/Chart.yaml 
+++ b/istio/charts/servicegraph/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: servicegraph -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" diff --git a/istio/charts/servicegraph/templates/NOTES.txt b/istio/charts/servicegraph/templates/NOTES.txt new file mode 100644 index 0000000000000000000000000000000000000000..87d1755e2f0da283ac06f81082157c0e3a48bd67 --- /dev/null +++ b/istio/charts/servicegraph/templates/NOTES.txt @@ -0,0 +1,19 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "servicegraph.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "servicegraph.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "servicegraph.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "servicegraph.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:8088 +{{- end }} 
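Review bot: the `ClusterIP` branch of the new servicegraph NOTES.txt runs `kubectl port-forward $POD_NAME 8080:8088` without `--namespace {{ .Release.Namespace }}`, although the `kubectl get pods` line just above it passes the namespace explicitly; unless the caller's current context already points at the release namespace, the port-forward fails with a pod-not-found error. Add the same `--namespace {{ .Release.Namespace }}` flag to the port-forward command so the three lines work as a block.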
diff --git a/istio/charts/servicegraph/templates/_helpers.tpl b/istio/charts/servicegraph/templates/_helpers.tpl index c63ede3ceee13758b1441ea45251c57b6c2480dd..f1330aed1f4d66e93894038960bceb9d9a16bcad 100644 --- a/istio/charts/servicegraph/templates/_helpers.tpl +++ b/istio/charts/servicegraph/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "servicegraph.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "servicegraph.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/servicegraph/templates/deployment.yaml b/istio/charts/servicegraph/templates/deployment.yaml index 7fbe843e3120f4f35a6414757ab4456eb07726fc..1073a9a414bef50b4495f3ffe38a2ac7d3e06a4a 100644 --- a/istio/charts/servicegraph/templates/deployment.yaml +++ b/istio/charts/servicegraph/templates/deployment.yaml 
@@ -1,42 +1,57 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: servicegraph namespace: {{ .Release.Namespace }} labels: - app: {{ template "servicegraph.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: servicegraph + chart: {{ template "servicegraph.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: servicegraph template: metadata: labels: app: servicegraph + chart: {{ template "servicegraph.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} {{- end }} containers: - name: servicegraph +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - - containerPort: {{ .Values.service.internalPort }} + - containerPort: 8088 args: - - --prometheusAddr=http://prometheus:9090 + - --prometheusAddr={{- .Values.prometheusAddr }} livenessProbe: httpGet: path: /graph - port: {{ .Values.service.internalPort }} + port: 8088 readinessProbe: httpGet: path: /graph - port: {{ .Values.service.internalPort }} + port: 8088 resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 12 }} @@ -45,3 +60,4 @@ spec: {{- end }} affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} 
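Review bot: in the servicegraph deployment hunk, the new `{{- if contains "/" .Values.image }}` branch emits `image: "{{ .Values.image }}"` verbatim, so a value such as `myregistry.example/servicegraph` is pulled with an implicit `:latest` and `global.hub`/`global.tag` are silently ignored; the values.yaml in this patch does not mention that the full-reference form must carry its own tag or digest. Please document that in the `image:` comment of values.yaml, or append `:{{ .Values.global.tag }}` when the value contains no tag. Separately, `--prometheusAddr={{- .Values.prometheusAddr }}` uses a left-trim on a token that has nothing to trim; `{{ .Values.prometheusAddr }}` reads cleaner.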
diff --git a/istio/charts/servicegraph/templates/ingress.yaml b/istio/charts/servicegraph/templates/ingress.yaml index 145a9cb8220260c2cbe5ab9096ddb7c9c2d5fb85..12972b70cc911139bad6a5fd8667141025c6ce3f 100644 --- a/istio/charts/servicegraph/templates/ingress.yaml +++ b/istio/charts/servicegraph/templates/ingress.yaml @@ -1,5 +1,4 @@ {{- if .Values.ingress.enabled -}} -{{- $serviceName := include "servicegraph.fullname" . -}} {{- $servicePort := .Values.service.externalPort -}} apiVersion: extensions/v1beta1 kind: Ingress @@ -7,10 +6,10 @@ metadata: name: {{ template "servicegraph.fullname" . }} namespace: {{ .Release.Namespace }} labels: - app: {{ template "servicegraph.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: servicegraph + chart: {{ template "servicegraph.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} @@ -23,7 +22,7 @@ spec: paths: - path: / backend: - serviceName: {{ $serviceName }} + serviceName: servicegraph servicePort: {{ $servicePort }} {{- end -}} {{- if .Values.ingress.tls }} diff --git a/istio/charts/servicegraph/templates/service.yaml b/istio/charts/servicegraph/templates/service.yaml index f3d20124683371b0b52cbad502dedb3dc4198151..974da15c7cc5ffda2c76822f5233b7f981e62d3e 100644 --- a/istio/charts/servicegraph/templates/service.yaml +++ b/istio/charts/servicegraph/templates/service.yaml 
@@ -5,19 +5,28 @@ metadata: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: app: servicegraph - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "servicegraph.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + targetPort: 8088 protocol: TCP name: {{ .Values.service.name }} selector: app: servicegraph +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} + {{if .Values.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{range $rangeList := .Values.service.loadBalancerSourceRanges}} + - {{ $rangeList }} + {{end}} + {{end}} \ No newline at end of file diff --git a/istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml b/istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1244259d80c0f7fb700ac926f38b93cc491115ec --- /dev/null +++ b/istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml 
@@ -0,0 +1,30 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "servicegraph.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: servicegraph-test + chart: {{ template "servicegraph.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: servicegraph + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "servicegraph.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['curl'] + args: ['http://servicegraph:{{ .Values.servicegraph.service.externalPort }}'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/servicegraph/values.yaml b/istio/charts/servicegraph/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..037c03d85dcfa41db23a229e3e07f142a7b3f1ec --- /dev/null +++ b/istio/charts/servicegraph/values.yaml 
@@ -0,0 +1,51 @@ +# +# addon servicegraph configuration +# +enabled: false +replicaCount: 1 +image: servicegraph +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +service: + annotations: {} + name: http + type: ClusterIP + externalPort: 8088 + loadBalancerIP: + loadBalancerSourceRanges: +ingress: + enabled: false + # Used to create an Ingress record. + hosts: + - servicegraph.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: servicegraph-tls + # hosts: + # - servicegraph.local +# prometheus address +prometheusAddr: http://prometheus:9090 diff --git a/istio/charts/sidecarInjectorWebhook/Chart.yaml b/istio/charts/sidecarInjectorWebhook/Chart.yaml index 9672be30282aeaa62f8c5796815b966245621f2c..87880296249ddbede3df99815404fea60ed610d8 100644 --- a/istio/charts/sidecarInjectorWebhook/Chart.yaml +++ b/istio/charts/sidecarInjectorWebhook/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 name: sidecarInjectorWebhook -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for sidecar injector webhook deployment keywords: diff --git a/istio/charts/sidecarInjectorWebhook/OWNERS b/istio/charts/sidecarInjectorWebhook/OWNERS new file mode 100644 index 0000000000000000000000000000000000000000..9e2c32b96b23fc9320c8b8e36b202caad442b0e7 --- /dev/null +++ b/istio/charts/sidecarInjectorWebhook/OWNERS @@ -0,0 +1,2 @@ +approvers: + - ostromart diff --git a/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl b/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl index 8ed67e292259cc0a9de283321dd59f79756349bd..f3b9fb15b92855899022300e43f421ecc83f54a7 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl +++ b/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "sidecar-injector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "sidecar-injector.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} 
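Review bot: the new `sidecar-injector.chart` helper is documented as "Create chart name and version as used by the chart label" but the body only emits `.Chart.Name | trunc 63 | trimSuffix "-"`, so the `chart:` label loses the version that the replaced `{{ .Chart.Name }}-{{ .Chart.Version }}` form carried. Either keep the version (`printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_"`) or fix the comment to say the label is now name-only; the identical copy in the servicegraph and tracing `_helpers.tpl` hunks has the same mismatch.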
diff --git a/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml index b36fdb0e7f85c131bbdd449e2bbdea5b9bb4865e..27f9acb51782887aab99ee61acfae2ad8497ee84 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml @@ -1,14 +1,15 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-sidecar-injector-{{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + istio: sidecar-injector rules: -- apiGroups: ["*"] +- apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] diff --git a/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml b/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml index 10b0d713e4701b94ab63d1451b3a7826246b7c55..748a93244c6e01c4524cb4a33e3e46ea15a45120 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml @@ -1,12 +1,13 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + istio: sidecar-injector roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
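Review bot: narrowing `apiGroups: ["*"]` to `[""]` for `configmaps` in the sidecar-injector ClusterRole is the right direction; the remaining question is whether the grant needs to be cluster-wide at all. The rule still allows get/list/watch on every ConfigMap in every namespace, while the injector deployment in this patch reads its configuration from a mounted volume in the release namespace. If the webhook only needs ConfigMaps from `{{ .Release.Namespace }}`, a Role plus RoleBinding there would be the least-privilege form; if it genuinely needs other namespaces, a one-line comment in the template saying why would help the next reviewer.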
diff --git a/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml b/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml index 37751d42b18d4791614cf269710eda4661745262..fa153f7742f2afe7a9a4170113cb59515206b0c0 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml @@ -1,31 +1,45 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-sidecar-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "sidecar-injector.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: sidecar-injector + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-sidecar-injector-service-account - {{- if .Values.global.priorityClassName }} +{{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} containers: - name: sidecar-injector-webhook +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - --caCertFile=/etc/istio/certs/root-cert.pem @@ -84,3 +98,4 @@ spec: path: config affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} 
diff --git a/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml index e7f7519012bd77b8c3117be5ebae7e1bfea4b596..a30dd38e5c143ed3994748c4b3a2b924cb87ea7c 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml @@ -2,12 +2,11 @@ apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector - namespace: {{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} webhooks: - name: sidecar-injector.istio.io clientConfig: @@ -25,6 +24,10 @@ webhooks: namespaceSelector: {{- if .Values.enableNamespacesByDefault }} matchExpressions: + - key: name + operator: NotIn + values: + - {{ .Release.Namespace }} - key: istio-injection operator: NotIn values: diff --git a/istio/charts/sidecarInjectorWebhook/templates/service.yaml b/istio/charts/sidecarInjectorWebhook/templates/service.yaml index b24900b8aea3b9db11e44ea243733daa6a3b8170..a68557a847c0daf4d258be0081e7bf6d2ce2f1a2 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/service.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/service.yaml @@ -4,6 +4,10 @@ metadata: name: istio-sidecar-injector namespace: {{ .Release.Namespace }} labels: + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector spec: ports: 
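Review bot: the new `namespaceSelector` expression in mutatingwebhook.yaml (`key: name`, `operator: NotIn`, `values: [{{ .Release.Namespace }}]`) excludes the control-plane namespace only if that namespace carries a `name=<namespace>` label, and nothing in this patch applies such a label. `NotIn` also matches namespaces that lack the key entirely, so an unlabeled control-plane namespace is not excluded and, with `enableNamespacesByDefault: true`, its pods remain candidates for injection (the control-plane Deployments here rely on `sidecar.istio.io/inject: "false"` instead). Please either label the namespace in the chart or document the requirement next to `enableNamespacesByDefault` in values.yaml.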
diff --git a/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml b/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml index 8beb35b30c13e4feea315f373e63dd0aa7acfb99..d4020b51702765b493104e042cf1a26974704c77 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml @@ -10,7 +10,8 @@ metadata: name: istio-sidecar-injector-service-account namespace: {{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + istio: sidecar-injector diff --git a/istio/charts/sidecarInjectorWebhook/values.yaml b/istio/charts/sidecarInjectorWebhook/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4f326eaa53ca382bab03d797cf4ef35e284ef5cd --- /dev/null +++ b/istio/charts/sidecarInjectorWebhook/values.yaml 
@@ -0,0 +1,34 @@ +# +# sidecar-injector webhook configuration +# +enabled: true +replicaCount: 1 +image: sidecar_injector +enableNamespacesByDefault: false +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +# If true, webhook or istioctl injector will rewrite PodSpec for liveness +# health check to redirect request to sidecar. This makes liveness check work +# even when mTLS is enabled. +rewriteAppHTTPProbe: false diff --git a/istio/charts/telemetry-gateway/Chart.yaml b/istio/charts/telemetry-gateway/Chart.yaml deleted file mode 100644 index 2511a2bf99b08c3b6c699b7adb96a67ca2d1f916..0000000000000000000000000000000000000000 --- a/istio/charts/telemetry-gateway/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -name: telemetry-gateway -version: 1.0.1 -appVersion: 1.0.1 -tillerVersion: ">=2.7.2" -description: Helm chart for configuring a gateway for Istio telemetry addons -icon: https://istio.io/favicons/android-192x192.png 
diff --git a/istio/charts/telemetry-gateway/templates/gateway.yaml b/istio/charts/telemetry-gateway/templates/gateway.yaml deleted file mode 100644 index 3a8e5e002adc69a45fd071d1799c20f47fec6e0e..0000000000000000000000000000000000000000 --- a/istio/charts/telemetry-gateway/templates/gateway.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{- if or (.Values.prometheusEnabled) (.Values.grafanaEnabled) }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-telemetry-gateway - namespace: {{ .Release.Namespace }} -spec: - selector: - istio: {{ .Values.gatewayName }} - servers: - {{- if .Values.prometheusEnabled }} - - port: - number: 15030 - name: http2-prometheus - protocol: HTTP2 - hosts: - - "*" - {{- end }} - {{- if .Values.grafanaEnabled }} - - port: - number: 15031 - name: http2-grafana - protocol: HTTP2 - hosts: - - "*" - {{- end }} -{{- if .Values.grafanaEnabled }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: grafana - namespace: {{ .Release.Namespace }} -spec: - host: grafana.{{ .Release.Namespace }}.svc.cluster.local - trafficPolicy: - tls: - mode: DISABLE -{{- end }} -{{- if .Values.prometheusEnabled }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} -spec: - host: prometheus.{{ .Release.Namespace }}.svc.cluster.local - trafficPolicy: - tls: - mode: DISABLE -{{- end }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: telemetry-virtual-service - namespace: {{ .Release.Namespace }} -spec: - hosts: - - "*" - gateways: - - istio-telemetry-gateway - http: - {{- if .Values.prometheusEnabled }} - - match: - - port: 15030 - route: - - destination: - host: prometheus.{{ .Release.Namespace }}.svc.cluster.local - port: - number: 9090 - {{- end }} - {{- if .Values.grafanaEnabled }} - - match: - - port: 15031 - route: - - destination: - host: grafana.{{ .Release.Namespace }}.svc.cluster.local - port: - number: 3000 - {{- end }} ---- -{{- end }} diff --git a/istio/charts/tracing/.helmignore b/istio/charts/tracing/.helmignore new file mode 100644 index 0000000000000000000000000000000000000000..f0c13194444163d1cba5c67d9e79231a62bc8f44 --- /dev/null +++ b/istio/charts/tracing/.helmignore 
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/istio/charts/tracing/Chart.yaml b/istio/charts/tracing/Chart.yaml index 736bd3a31dde289a7be5cf9566cfff5185a9dec5..c95789ed71d146aa71d0f8546022a069b1f23d29 100644 --- a/istio/charts/tracing/Chart.yaml +++ b/istio/charts/tracing/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: tracing -version: 1.0.1 +version: 1.1.0 appVersion: 1.5.1 tillerVersion: ">=2.7.2" diff --git a/istio/charts/tracing/templates/_helpers.tpl b/istio/charts/tracing/templates/_helpers.tpl index 9fba8d578e5e61de00a4e3b98b1f84a340170a21..e246b59b1e631e2d4955621167d54805c4d78729 100644 --- a/istio/charts/tracing/templates/_helpers.tpl +++ b/istio/charts/tracing/templates/_helpers.tpl 
@@ -2,15 +2,31 @@ {{/* Expand the name of the chart. */}} -{{- define "zipkin.name" -}} +{{- define "tracing.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} -{{- define "zipkin.fullname" -}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tracing.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/tracing/templates/deployment.yaml b/istio/charts/tracing/templates/deployment-jaeger.yaml similarity index 55% rename from istio/charts/tracing/templates/deployment.yaml rename to istio/charts/tracing/templates/deployment-jaeger.yaml index 166377c41f3a68701bb9a61bd8d0458b4bb4cc31..d3cba6e9c9f39b95ec507c33840112882b541ecf 100644 --- a/istio/charts/tracing/templates/deployment.yaml +++ b/istio/charts/tracing/templates/deployment-jaeger.yaml 
@@ -1,33 +1,52 @@ -apiVersion: extensions/v1beta1 +{{ if eq .Values.provider "jaeger" }} + +apiVersion: apps/v1 kind: Deployment metadata: name: istio-tracing namespace: {{ .Release.Namespace }} labels: - app: istio-tracing - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: jaeger + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: jaeger template: metadata: labels: app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/scrape: "true" + prometheus.io/port: "16686" +{{- if .Values.contextPath }} + prometheus.io/path: "{{ .Values.contextPath }}/metrics" +{{- else }} + prometheus.io/path: "/{{ .Values.provider }}/metrics" +{{- end }} spec: {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} {{- end }} containers: - name: jaeger image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.jaeger.ui.port }} + - containerPort: 9411 + - containerPort: 16686 - containerPort: 5775 protocol: UDP - containerPort: 6831 
@@ -41,22 +60,26 @@ spec: apiVersion: v1 fieldPath: metadata.namespace - name: COLLECTOR_ZIPKIN_HTTP_PORT - value: "{{ .Values.service.internalPort }}" + value: "9411" - name: MEMORY_MAX_TRACES value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} livenessProbe: httpGet: path: / - port: {{ .Values.jaeger.ui.port }} + port: 16686 readinessProbe: httpGet: path: / - port: {{ .Values.jaeger.ui.port }} + port: 16686 resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} {{- else }} {{ toYaml .Values.global.defaultResources | indent 12 }} {{- end }} affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} +{{ end }} diff --git a/istio/charts/tracing/templates/deployment-zipkin.yaml b/istio/charts/tracing/templates/deployment-zipkin.yaml new file mode 100644 index 0000000000000000000000000000000000000000..511033efa174e2ae6ec923b06a6f9454e5245b46 --- /dev/null +++ b/istio/charts/tracing/templates/deployment-zipkin.yaml 
@@ -0,0 +1,74 @@ +{{ if eq .Values.provider "zipkin" }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + namespace: {{ .Release.Namespace }} + labels: + app: zipkin + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: zipkin + template: + metadata: + labels: + app: zipkin + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} + containers: + - name: zipkin + image: "{{ .Values.zipkin.hub }}/zipkin:{{ .Values.zipkin.tag }}" + ports: + - containerPort: {{ .Values.zipkin.queryPort }} + livenessProbe: + initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} + tcpSocket: + port: {{ .Values.zipkin.queryPort }} + readinessProbe: + initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} + httpGet: + path: /health + port: {{ .Values.zipkin.queryPort }} + resources: +{{- if .Values.zipkin.resources }} +{{ toYaml .Values.zipkin.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: QUERY_PORT + value: "{{ .Values.zipkin.queryPort }}" + - name: JAVA_OPTS + value: "-XX:ConcGCThreads={{ .Values.zipkin.node.cpus }} -XX:ParallelGCThreads={{ .Values.zipkin.node.cpus }} -Djava.util.concurrent.ForkJoinPool.common.parallelism={{ .Values.zipkin.node.cpus }} -Xms{{ .Values.zipkin.javaOptsHeap }}M -Xmx{{ .Values.zipkin.javaOptsHeap }}M -XX:+UseG1GC -server" + - name: 
STORAGE_METHOD + value: "mem" + - name: ZIPKIN_STORAGE_MEM_MAXSPANS + value: "{{ .Values.zipkin.maxSpans }}" + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} +{{ end }} diff --git a/istio/charts/tracing/templates/ingress-jaeger.yaml b/istio/charts/tracing/templates/ingress-jaeger.yaml deleted file mode 100644 index 1647e8ae0d640d94c66044234bdfc9d0a8c14944..0000000000000000000000000000000000000000 --- a/istio/charts/tracing/templates/ingress-jaeger.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{ if (.Values.jaeger.ingress.enabled) and eq .Values.provider "jaeger" }} -{{- $servicePort := .Values.jaeger.ui.port -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: jaeger-query - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - {{- range $key, $value := .Values.jaeger.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: - {{- range $host := .Values.jaeger.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: / - backend: - serviceName: jaeger-query - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.jaeger.ingress.tls }} - tls: -{{ toYaml .Values.jaeger.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/istio/charts/tracing/templates/ingress.yaml b/istio/charts/tracing/templates/ingress.yaml index 77d53ca270bd10bcf4f7533c12d56b7a1fc92d37..72f362166d52069ba635966faccdf82ac55839c2 100644 --- a/istio/charts/tracing/templates/ingress.yaml +++ b/istio/charts/tracing/templates/ingress.yaml 
@@ -1,32 +1,40 @@ {{- if .Values.ingress.enabled -}} -{{- $serviceName := "zipkin" -}} -{{- $servicePort := .Values.service.externalPort -}} apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: {{ template "zipkin.fullname" . }} + name: {{ template "tracing.fullname" . }} namespace: {{ .Release.Namespace }} labels: - app: {{ template "zipkin.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: rules: +{{- if .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }} - host: {{ $host }} http: paths: - - path: / + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} /{{ $.Values.provider }} {{ end }} backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} + serviceName: tracing + servicePort: 80 + {{- end -}} - {{- if .Values.ingress.tls }} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + backend: + serviceName: tracing + servicePort: 80 +{{- end }} + {{- if .Values.ingress.tls }} tls: {{ toYaml .Values.ingress.tls | indent 4 }} {{- end -}} diff --git a/istio/charts/tracing/templates/service-jaeger.yaml b/istio/charts/tracing/templates/service-jaeger.yaml index 43b4c3a5ffb09dee2ee431eb0b783c199babdd03..23979baf8d87c5bf63d20a755a446e5bff88509e 100644 --- a/istio/charts/tracing/templates/service-jaeger.yaml +++ b/istio/charts/tracing/templates/service-jaeger.yaml 
@@ -2,6 +2,14 @@ apiVersion: v1 kind: List +metadata: + name: jaeger-services + namespace: {{ .Release.Namespace }} + labels: + app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} items: - apiVersion: v1 kind: Service @@ -10,20 +18,20 @@ items: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: app: jaeger jaeger-infra: jaeger-service - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: query-http - port: {{ .Values.jaeger.ui.port }} + port: 16686 protocol: TCP - targetPort: {{ .Values.jaeger.ui.port }} + targetPort: 16686 selector: app: jaeger - apiVersion: v1 @@ -34,9 +42,9 @@ items: labels: app: jaeger jaeger-infra: collector-service - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: jaeger-collector-tchannel @@ -58,9 +66,9 @@ items: labels: app: jaeger jaeger-infra: agent-service - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: agent-zipkin-thrift diff --git a/istio/charts/tracing/templates/service.yaml b/istio/charts/tracing/templates/service.yaml index 6a3cadc605f5d7e566ba42dc03c336343994a728..fe94067b0a6cb24b488e50791248ea4046b2e985 100644 --- a/istio/charts/tracing/templates/service.yaml +++ b/istio/charts/tracing/templates/service.yaml 
@@ -1,5 +1,13 @@ apiVersion: v1 kind: List +metadata: + name: tracing-services + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} items: - apiVersion: v1 kind: Service @@ -7,19 +15,19 @@ items: name: zipkin namespace: {{ .Release.Namespace }} labels: - app: jaeger - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + targetPort: 9411 protocol: TCP name: {{ .Values.service.name }} selector: - app: jaeger + app: {{ .Values.provider }} - apiVersion: v1 kind: Service metadata: @@ -27,18 +35,22 @@ items: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: - app: jaeger - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: http-query port: 80 protocol: TCP - targetPort: {{ .Values.jaeger.ui.port }} +{{ if eq .Values.provider "jaeger" }} + targetPort: 16686 +{{ else }} + targetPort: 9411 +{{ end}} selector: - app: jaeger + app: {{ .Values.provider }} diff --git a/istio/charts/tracing/templates/tests/test-tracing-connection.yaml b/istio/charts/tracing/templates/tests/test-tracing-connection.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9090cee0fc6b945f7d255b0ea7e68b8a82f38888 --- /dev/null +++ b/istio/charts/tracing/templates/tests/test-tracing-connection.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ .Release.Name }}-{{ .Values.provider }}-test + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }}-test + chart: {{ template "tracing.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ .Values.provider }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['curl'] + {{- if eq .Values.provider "jaeger" }} + args: ['http://tracing:80{{ .Values.jaeger.contextPath}}'] + {{- else }} + args: ['http://tracing:80'] + {{- end }} + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/tracing/values.yaml b/istio/charts/tracing/values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a97053d46f6278ed986a351f254981fd78006c46 --- /dev/null +++ b/istio/charts/tracing/values.yaml 
@@ -0,0 +1,76 @@ +# +# addon jaeger tracing configuration +# +enabled: false + +provider: jaeger +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +jaeger: + hub: docker.io/jaegertracing + tag: 1.9 + memory: + max_traces: 50000 + +zipkin: + hub: docker.io/openzipkin + tag: 2 + probeStartupDelay: 200 + queryPort: 9411 + resources: + limits: + cpu: 300m + memory: 900Mi + requests: + cpu: 150m + memory: 900Mi + javaOptsHeap: 700 + # 
From: https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/resources/zipkin-server-shared.yml#L51 + # Maximum number of spans to keep in memory. When exceeded, oldest traces (and their spans) will be purged. + # A safe estimate is 1K of memory per span (each span with 2 annotations + 1 binary annotation), plus + # 100 MB for a safety buffer. You'll need to verify in your own environment. + maxSpans: 500000 + node: + cpus: 2 + +service: + annotations: {} + name: http + type: ClusterIP + externalPort: 9411 + +ingress: + enabled: false + # Used to create an Ingress record. + hosts: + # - tracing.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: tracing-tls + # hosts: + # - tracing.local + diff --git a/istio/example-values/README.md b/istio/example-values/README.md new file mode 100644 index 0000000000000000000000000000000000000000..74fedcb6073b93dbe599740cc8dc19fd6d10c5b6 --- /dev/null +++ b/istio/example-values/README.md @@ -0,0 +1,5 @@ +# Example Values + +These files provide various example values for different Istio setups. + +To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`. diff --git a/istio/example-values/values-istio-example-sds-vault.yaml b/istio/example-values/values-istio-example-sds-vault.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ed06c4ae667715e215ca8cb0fa18ed99f2138f9c --- /dev/null +++ b/istio/example-values/values-istio-example-sds-vault.yaml 
@@ -0,0 +1,29 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useNormalJwt: true + +nodeagent: + enabled: true + image: node-agent-k8s + env: + # https://35.233.249.249:8200 is the IP address and the port number + # of a testing Vault server. + CA_ADDR: "https://35.233.249.249:8200" + CA_PROVIDER: "VaultCA" + VALID_TOKEN: true + # https://35.233.249.249:8200 is the IP address and the port number + # of a testing Vault server. + VAULT_ADDR: "https://35.233.249.249:8200" + VAULT_AUTH_PATH: "auth/kubernetes/login" + VAULT_ROLE: "istio-cert" + VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role" + VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAIcSFH1jneS0XPz5r2QDbigwDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTgxMjI2MDkwMDU3WhgPMjExODEyMDIwOTAw\nNTdaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA2q5lfJCLAOTEjX3xV8qMLEX8zUQpd0AjD6zzOMzx51GVM7Plf7CJmaDq\nyloRz3zcrTEltHUrln5fvouvp4TetOlqEU979vvccnFLgXrSpn+Zt/EyjE0rUYY3\n5e2qxy9bP2E7zJSKONIT6zRDd2zUQGH3zUem1ZG0GFY1ZL5qFSOIy+PvuQ4u8HCa\n1CcnHmI613fVDbFbaxuF2G2MIwCZ/Fg6KBd9kgU7uCOvkbR4AtRe0ntwweIjOIas\nFiohPQzVY4obrYZiTV43HT4lGti7ySn2c96UnRSnmHLWyBb7cafd4WZN/t+OmYSd\nooxCVQ2Zqub6NlZ5OySYOz/0BJq6DQIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQj6fn5MA0GCSqGSIb3DQEBCwUAA4IB\nAQBORvUcW0wgg/Wo1aKFaZQuPPFVLjOZat0QpCJYNDhsSIO4Y0JS+Y1cEIkvXB3S\nQ3D7IfNP0gh1fhtP/d45LQSPqpyJF5vKWAvwa/LSPKpw2+Zys4oDahcH+SEKiQco\nIhkkHNEgC4LEKEaGvY4A8Cw7uWWquUJB16AapSSnkeD2vTcxErfCO59yR7yEWDa6\n8j6QNzmGNj2YXtT86+Mmedhfh65Rrh94mhAPQHBAdCNGCUwZ6zHPQ6Z1rj+x3Wm9\ngqpveVq2olloNbnLNmM3V6F9mqSZACgADmRqf42bixeHczkTfRDKThJcpY5U44vy\nw4Nm32yDWhD6AC68rDkXX68m\n-----END CERTIFICATE-----' \ No newline at end of file 
diff --git a/istio/values-istio-gateways.yaml b/istio/example-values/values-istio-gateways.yaml similarity index 72% rename from istio/values-istio-gateways.yaml rename to istio/example-values/values-istio-gateways.yaml index 5826fc2d2f617ff8ac5eb5593666f17e6989c097..1ffcd199a77d75671b3bbd76b69efd768c48a755 100644 --- a/istio/values-istio-gateways.yaml +++ b/istio/example-values/values-istio-gateways.yaml @@ -1,12 +1,5 @@ # Common settings. global: - # Include the crd definition when generating the template. - # For 'helm template' and helm install > 2.10 it should be true. - # For helm < 2.9, crds must be installed ahead of time with - # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml - # and this options must be set off. - crds: false - # Omit the istio-sidecar-injector configmap when generate a # standalone gateway. Gateways may be created in namespaces other # than `istio-system` and we don't want to re-create the injector @@ -21,18 +14,21 @@ global: proxy: # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be :). - # Can also be disabled (e.g. when Mixer is not installed). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. envoyStatsd: - enabled: true - host: istio-statsd-prom-bridge.istio-system - port: 9125 + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + # # Gateways Configuration # By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. # You can add more gateways in addition to the defaults but make sure those are uniquely named # and that NodePorts are not conflicting. -# Disable specifc gateway by setting the `enabled` to false. +# Disable specific gateway by setting the `enabled` to false. # gateways: enabled: true 
@@ -51,11 +47,15 @@ gateways: #requests: # cpu: 1800m # memory: 256Mi - + cpu: + targetAverageUtilization: 80 loadBalancerIP: "" + loadBalancerSourceRanges: {} + externalIPs: [] serviceAnnotations: {} + podAnnotations: {} type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - + #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out ports: ## You can add custom gateway ports - port: 80 @@ -76,14 +76,22 @@ gateways: - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls + # Addon ports for kiali are enabled in gateway - but will only redirect if + # the gateway configuration for the various components are enabled. + - port: 15029 + targetPort: 15029 + name: http2-kiali # Telemetry-related ports are enabled in gateway - but will only redirect if - # the gateway configration for the various components are enabled. + # the gateway configuration for the various components are enabled. - port: 15030 targetPort: 15030 name: http2-prometheus - port: 15031 targetPort: 15031 name: http2-grafana + - port: 15032 + targetPort: 15032 + name: http2-tracing secretVolumes: - name: customgateway-certs secretName: istio-customgateway-certs @@ -93,9 +101,6 @@ gateways: mountPath: /etc/istio/customgateway-ca-certs # all other components are disabled except the gateways -ingress: - enabled: false - security: enabled: false @@ -106,7 +111,10 @@ galley: enabled: false mixer: - enabled: false + policy: + enabled: false + telemetry: + enabled: false pilot: enabled: false diff --git a/istio/example-values/values-istio-googleca.yaml b/istio/example-values/values-istio-googleca.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e0c633ea1ddcf5a14a7abc6e67687fa1583f1394 --- /dev/null +++ b/istio/example-values/values-istio-googleca.yaml 
@@ -0,0 +1,22 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useTrustworthyJwt: true + + trustDomain: "" + +nodeagent: + enabled: true + image: node-agent-k8s + env: + CA_PROVIDER: "GoogleCA" + CA_ADDR: "istioca.googleapis.com:443" + Plugins: "GoogleTokenExchange" diff --git a/istio/example-values/values-istio-multicluster-gateways.yaml b/istio/example-values/values-istio-multicluster-gateways.yaml new file mode 100644 index 0000000000000000000000000000000000000000..bdc1863755785f282af8dc2cc571a0a8a6011e2a --- /dev/null +++ b/istio/example-values/values-istio-multicluster-gateways.yaml @@ -0,0 +1,27 @@ +global: + # Provides dns resolution for global services + podDNSSearchNamespaces: + - global + - "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" + + multiCluster: + enabled: true + + controlPlaneSecurityEnabled: true + +# Multicluster with gateways requires a root CA +# Cluster local CAs are bootstrapped with the root CA. +security: + selfSigned: false + +# Provides dns resolution for service entries of form +# name.namespace.global +istiocoredns: + enabled: true + +gateways: + istio-egressgateway: + enabled: true + env: + # Needed to route traffic via egress gateway if desired. + ISTIO_META_REQUESTED_NETWORK_VIEW: "external" diff --git a/istio/requirements.yaml b/istio/requirements.yaml index 8586760697d8303be4466d25321af2dd929b9166..c8e36b0f6821d0fbf713cffd04f79e5a63976ec9 100644 --- a/istio/requirements.yaml +++ b/istio/requirements.yaml 
@@ -1,40 +1,43 @@ dependencies: - name: sidecarInjectorWebhook - version: 1.0.1 + version: 1.1.0 condition: sidecarInjectorWebhook.enabled - name: security - version: 1.0.1 + version: 1.1.0 condition: security.enabled - - name: ingress - version: 1.0.1 - condition: ingress.enabled - name: gateways - version: 1.0.1 + version: 1.1.0 condition: gateways.enabled - name: mixer - version: 1.0.1 - condition: mixer.enabled + version: 1.1.0 + condition: or mixer.policy.enabled mixer.telemetry.enabled + - name: nodeagent + version: 1.1.0 + condition: nodeagent.enabled - name: pilot - version: 1.0.1 + version: 1.1.0 condition: pilot.enabled - name: grafana - version: 1.0.1 + version: 1.1.0 condition: grafana.enabled - name: prometheus - version: 1.0.1 + version: 1.1.0 condition: prometheus.enabled - name: servicegraph - version: 1.0.1 + version: 1.1.0 condition: servicegraph.enabled - name: tracing - version: 1.0.1 + version: 1.1.0 condition: tracing.enabled - name: galley - version: 1.0.1 + version: 1.1.0 condition: galley.enabled - name: kiali - version: 1.0.1 + version: 1.1.0 condition: kiali.enabled + - name: istiocoredns + version: 1.1.0 + condition: istiocoredns.enabled - name: certmanager - version: 1.0.1 + version: 1.1.0 condition: certmanager.enabled diff --git a/istio/templates/NOTES.txt b/istio/templates/NOTES.txt new file mode 100644 index 0000000000000000000000000000000000000000..d17982c66925a91f61c8a90eb849fa54da60f50f --- /dev/null +++ b/istio/templates/NOTES.txt 
@@ -0,0 +1,29 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + +To get started running application with Istio, execute the following steps: + +{{- if index .Values "sidecarInjectorWebhook" "enabled" }} +1. Label namespace that application object will be deployed to by the following command (take default namespace as an example) + +$ kubectl label namespace default istio-injection=enabled +$ kubectl get namespace -L istio-injection + +2. Deploy your applications + +$ kubectl apply -f .yaml +{{- else }} +1. Download the latest release package to get sidecar injection tool + +$ curl -L https://git.io/getLatestIstio | sh - +$ mv istio-* istio-latest +$ export PATH="$PATH:$PWD/istio-latest/bin" + +2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject` + +$ kubectl apply -f <(istioctl kube-inject -f .yaml) +{{- end }} + +For more information on running Istio, visit: +https://istio.io/ \ No newline at end of file diff --git a/istio/templates/_affinity.tpl b/istio/templates/_affinity.tpl index 0a702d40213e16f2eeda8bd5e22c04a9e9adcd20..3c495d3e6ef34df52c1fa9eeece96f129beb1ec9 100644 --- a/istio/templates/_affinity.tpl +++ b/istio/templates/_affinity.tpl @@ -19,6 +19,13 @@ - {{ $key }} {{- end }} {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val }} + {{- end }} {{- end }} {{- define "nodeAffinityPreferredDuringScheduling" }} 
@@ -33,4 +40,54 @@ - {{ $key }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.value }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/istio/templates/_helpers.tpl b/istio/templates/_helpers.tpl index b85468d2d45348c77775589d9680eb3b9ca4db57..631585227bdce73e87f501ff9e528a51ff062165 100644 --- a/istio/templates/_helpers.tpl +++ b/istio/templates/_helpers.tpl 
@@ -9,11 +9,27 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{/* Create a fully qualified configmap name. diff --git a/istio/templates/_podDisruptionBudget.tpl b/istio/templates/_podDisruptionBudget.tpl new file mode 100644 index 0000000000000000000000000000000000000000..ebb86068cc7d319592f2dee60790cfa065ccf791 --- /dev/null +++ b/istio/templates/_podDisruptionBudget.tpl @@ -0,0 +1,3 @@ +{{- define "podDisruptionBudget.spec" }} + minAvailable: 1 +{{- end }} diff --git a/istio/templates/clusterrole.yaml b/istio/templates/clusterrole.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b92c9ef8b45b27f28e328c5b6541ca33bea71a96 --- /dev/null +++ b/istio/templates/clusterrole.yaml @@ -0,0 +1,11 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-reader +rules: + - apiGroups: [''] + resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] + verbs: ['get', 'watch', 'list'] + - apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] 
diff --git a/istio/templates/clusterrolebinding.yaml b/istio/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000000000000000000000000000000000..827601b3dd5ee7527fcdf55f609d95d2d9991329 --- /dev/null +++ b/istio/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-multi + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader +subjects: +- kind: ServiceAccount + name: istio-multi + namespace: {{ .Release.Namespace }} diff --git a/istio/templates/configmap.yaml b/istio/templates/configmap.yaml index e2ec8648c2eb8e7eb87ee1696df55a8d6e6bbb1b..02591ec805ab540e961a6cffd9ca01217e2a4d94 100644 --- a/istio/templates/configmap.yaml +++ b/istio/templates/configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.pilot.enabled }} +{{- if or .Values.pilot.enabled .Values.global.istioRemote }} apiVersion: v1 kind: ConfigMap metadata: 
@@ -6,48 +6,157 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "istio.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} data: mesh: |- # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. + {{- if .Values.mixer.policy.enabled }} disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} + {{- else }} + disablePolicyChecks: true + {{- end }} # Set enableTracing to false to disable request tracing. enableTracing: {{ .Values.global.enableTracing }} # Set accessLogFile to empty string to disable access log. accessLogFile: "{{ .Values.global.proxy.accessLogFile }}" - # - # Deprecated: mixer is using EDS - {{- if .Values.mixer.enabled }} + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }} + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}' + + {{- if .Values.global.istioRemote }} + + {{- if .Values.global.remotePolicyAddress }} + {{- if .Values.global.createRemoteSvcEndpoints }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 + {{- else }} + mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004 + {{- end }} + {{- end }} + {{- if .Values.global.remoteTelemetryAddress }} + {{- if .Values.global.createRemoteSvcEndpoints }} + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004 + {{- else }} + 
mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 + {{- end }} + {{- end }} + + {{- else }} + + {{- if .Values.mixer.policy.enabled }} + {{- if .Values.global.controlPlaneSecurityEnabled }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 + {{- else }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 + {{- end }} + {{- end }} + {{- if .Values.mixer.telemetry.enabled }} {{- if .Values.global.controlPlaneSecurityEnabled }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004 - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004 + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 {{- else }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091 - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 {{- end }} {{- end }} + + {{- end }} + + {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. 
+ policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} + {{- end }} - {{- if .Values.ingress.enabled }} - # This is the k8s ingress service name, update if you used a different name - ingressService: istio-{{ .Values.global.k8sIngressSelector }} + {{- if .Values.gateways.enabled }} + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway {{- end }} + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }} + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: "" - - # How frequently should Envoy fetch key/cert from NodeAgent. - sdsRefreshDelay: 15s + sdsUdsPath: {{ .Values.global.sds.udsPath }} + + # This flag is used by secret discovery service(SDS). + # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # will be used to generate key/cert eventually. This isn't supported for non-k8s case. + enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }} + + # This flag is used by secret discovery service(SDS). + # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. + # this flag is ignored if enableSdsTokenMount is set. + # This isn't supported for non-k8s case. 
+ sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }} + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: {{ .Values.global.trustDomain }} + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: {{ .Values.global.outboundTrafficPolicy.mode }} + + localityLbSetting: +{{ toYaml .Values.global.localityLbSetting | indent 6 }} + + # The namespace to treat as the administrative root namespace for istio + # configuration. + {{- if .Values.global.configRootNamespace }} + rootNamespace: {{ .Values.global.configRootNamespace }} + {{- else }} + rootNamespace: {{ .Release.Namespace }} + {{- end }} + + {{- if .Values.global.defaultConfigVisibilitySettings }} + defaultServiceExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + defaultVirtualServiceExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + defaultDestinationRuleExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + {{- end }} + + {{- if $.Values.global.useMCP }} + configSources: + - address: istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- if $.Values.global.controlPlaneSecurityEnabled}} + tlsSettings: + mode: ISTIO_MUTUAL + {{- end }} + {{- end }} - # defaultConfig: # - # TCP connection timeout between Envoy & the application, and between Envoys. + # TCP connection timeout between Envoy & the application, and between Envoys. 
Used for static clusters + # defined in Envoy's configuration file connectTimeout: 10s # ### ADVANCED SETTINGS ############# 
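Review bot: in the `@@ -6,48 +6,157 @@` hunk of `configmap.yaml`, the `istioRemote` branch always emits `mixerCheckServer`/`mixerReportServer` on port `15004` regardless of `controlPlaneSecurityEnabled`, while the local branch (and the Pilot `discoveryAddress` selection later in the same file) picks the mTLS port (`15004`, `15011`) only when that flag is set; a remote cluster installed with `controlPlaneSecurityEnabled: false` is therefore pointed at the mTLS-only Mixer port. Either select `15004`/`9091` by the flag as the local branch does, or document that remote mode requires control-plane mTLS. Two smaller points: `accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}'` uses hand-written single quotes while the neighbouring `accessLogFormat` uses `| quote`; use `| quote` for both so a value containing `'` cannot break the YAML. And `policyCheckFailOpen` is the one setting in this block that widens access when misconfigured (true allows traffic whenever Mixer is unreachable); since the comment states the default is false, keep that default in `values.yaml` and call the setting out in the chart's configuration documentation.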
@@ -86,28 +195,79 @@ data: # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: {{ .Values.global.proxy.concurrency }} # - # Zipkin trace collector - zipkinAddress: zipkin.{{ .Release.Namespace }}:9411 + {{- if eq .Values.global.proxy.tracer "lightstep" }} + tracing: + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + # Whether communication with the Satellite pool should be secure + secure: {{ .Values.global.tracer.lightstep.secure }} + # Path to the file containing the cacert to use when verifying TLS + cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + tracing: + zipkin: + # Address of the Zipkin collector + {{- if .Values.global.tracer.zipkin.address }} + address: {{ .Values.global.tracer.zipkin.address }} + {{- else if .Values.global.remoteZipkinAddress }} + address: {{ .Values.global.remoteZipkinAddress }}:9411 + {{- else }} + address: zipkin.{{ .Release.Namespace }}:9411 + {{- end }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + tracing: + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address }} + {{- end }} {{- if .Values.global.proxy.envoyStatsd.enabled }} # # Statsd metrics collector converts statsd metrics into Prometheus metrics. - statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }} + statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + # + # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API. 
+ envoyMetricsServiceAddress: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }} + {{- end}} + + {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }} + {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }} {{- if .Values.global.controlPlaneSecurityEnabled }} # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005 + {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + discoveryAddress: {{ $defPilotHostname }}:15011 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15011 + {{- end }} {{- else }} # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15007 + {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + discoveryAddress: {{ $defPilotHostname }}:15010 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15010 + {{- end }} {{- end }} + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | indent 6 }} + {{- else }} + networks: {} + {{- end }} {{- end }} diff --git a/istio/templates/crds.yaml b/istio/templates/crds.yaml deleted file mode 100644 index acdf5392bb2cbb2bb4bc5cb99d3be620d55c03a1..0000000000000000000000000000000000000000 --- a/istio/templates/crds.yaml +++ /dev/null 
@@ -1,1116 +0,0 @@ -# {{ if or .Values.global.crds (semverCompare ">=2.10.0-0" .Capabilities.TillerVersion.SemVer) }} -# these CRDs only make sense when pilot is enabled -# {{- if .Values.pilot.enabled }} -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: destinationrules.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceentries.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - singular: serviceentry - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: gateways.networking.istio.io - annotations: - "helm.sh/hook": crd-install - "helm.sh/hook-weight": "-5" - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: Gateway - plural: gateways - singular: gateway - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: 
apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: envoyfilters.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -# {{- end }} - -# these CRDs only make sense when security is enabled -# {{- if .Values.security.enabled }} -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: policies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: Policy - plural: policies - singular: policy - categories: - - istio-io - - authentication-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: meshpolicies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: MeshPolicy - listKind: MeshPolicyList - plural: meshpolicies - singular: meshpolicy - categories: - - istio-io - - authentication-istio-io - scope: Cluster - version: v1alpha1 ---- -# {{- end }} - -# {{- if .Values.mixer.enabled }} -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpec - plural: httpapispecs - singular: 
httpapispec - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- - -# Mixer CRDs -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: rules.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: core -spec: - group: config.istio.io - names: - kind: rule - plural: rules - singular: rule - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: attributemanifests.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: core -spec: - group: config.istio.io - names: - kind: attributemanifest - plural: attributemanifests - singular: attributemanifest - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: bypasses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: bypass - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: 
bypass - plural: bypasses - singular: bypass - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: circonuses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: circonus - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: circonus - plural: circonuses - singular: circonus - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: deniers.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: denier - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: denier - plural: deniers - singular: denier - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: fluentds.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: fluentd - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: fluentd - plural: fluentds - singular: fluentd - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: kubernetesenvs.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: kubernetesenv - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: kubernetesenv - plural: kubernetesenvs - singular: kubernetesenv - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: listcheckers.config.istio.io - annotations: - "helm.sh/hook": 
crd-install - labels: - app: mixer - package: listchecker - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: listchecker - plural: listcheckers - singular: listchecker - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: memquotas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: memquota - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: memquota - plural: memquotas - singular: memquota - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: noops.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: noop - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: noop - plural: noops - singular: noop - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: opas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: opa - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: opa - plural: opas - singular: opa - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: prometheuses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: prometheus - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: prometheus - plural: prometheuses - singular: prometheus - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: 
apiextensions.k8s.io/v1beta1 -metadata: - name: rbacs.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: rbac - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: rbac - plural: rbacs - singular: rbac - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: redisquotas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - package: redisquota - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: redisquota - plural: redisquotas - singular: redisquota - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicecontrols.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: servicecontrol - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: servicecontrol - plural: servicecontrols - singular: servicecontrol - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 - ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: signalfxs.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: signalfx - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: signalfx - plural: signalfxs - singular: signalfx - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: solarwindses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: solarwinds - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: solarwinds - plural: solarwindses - singular: solarwinds - categories: - - istio-io - - policy-istio-io - 
scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: stackdrivers.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: stackdriver - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: stackdriver - plural: stackdrivers - singular: stackdriver - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: statsds.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: statsd - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: statsd - plural: statsds - singular: statsd - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: stdios.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: stdio - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: stdio - plural: stdios - singular: stdio - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: apikeys.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: apikey - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: apikey - plural: apikeys - singular: apikey - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: authorizations.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: authorization - istio: mixer-instance -spec: - group: config.istio.io - names: 
- kind: authorization - plural: authorizations - singular: authorization - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: checknothings.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: checknothing - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: checknothing - plural: checknothings - singular: checknothing - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: kuberneteses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: adapter.template.kubernetes - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: kubernetes - plural: kuberneteses - singular: kubernetes - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: listentries.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: listentry - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: listentry - plural: listentries - singular: listentry - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: logentries.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: logentry - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: logentry - plural: logentries - singular: logentry - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 
-metadata: - name: edges.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: edge - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: edge - plural: edges - singular: edge - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: metrics.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: metric - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: metric - plural: metrics - singular: metric - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: quotas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: quota - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: quota - plural: quotas - singular: quota - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: reportnothings.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: reportnothing - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: reportnothing - plural: reportnothings - singular: reportnothing - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicecontrolreports.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: servicecontrolreport - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: servicecontrolreport - plural: servicecontrolreports - singular: servicecontrolreport - 
categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: tracespans.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: tracespan - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: tracespan - plural: tracespans - singular: tracespan - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: rbacconfigs.rbac.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: rbac -spec: - group: rbac.istio.io - names: - kind: RbacConfig - plural: rbacconfigs - singular: rbacconfig - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: serviceroles.rbac.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: rbac -spec: - group: rbac.istio.io - names: - kind: ServiceRole - plural: serviceroles - singular: servicerole - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicerolebindings.rbac.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: rbac -spec: - group: rbac.istio.io - names: - kind: ServiceRoleBinding - plural: servicerolebindings - singular: servicerolebinding - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: adapters.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - 
app: mixer - package: adapter - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: instances.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: instance - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: instance - plural: instances - singular: instance - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: templates.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: template - istio: mixer-template -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: handlers.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: handler - istio: mixer-handler -spec: - group: config.istio.io - names: - kind: handler - plural: handlers - singular: handler - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -# {{- end }} -# {{ end }} \ No newline at end of file diff --git a/istio/templates/endpoints.yaml b/istio/templates/endpoints.yaml new file mode 100644 index 0000000000000000000000000000000000000000..81b821853622b0a0e03e501e346cc16afead2a39 --- /dev/null +++ b/istio/templates/endpoints.yaml 
@@ -0,0 +1,63 @@ +{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15003 + name: http-old-discovery # mTLS or non-mTLS depending on auth setting + - port: 15005 + name: https-discovery # always mTLS + - port: 15007 + name: http-discovery # always plain-text + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS or non-mTLS depending on auth setting + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring +{{- end }} +{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePolicyAddress }} + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 +{{- end }} +{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remoteTelemetryAddress }} + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 +{{- end }} diff --git a/istio/templates/install-custom-resources.sh.tpl b/istio/templates/install-custom-resources.sh.tpl index 6123902c399ab6a005bd0a84d669f7a750f86466..a5525a139145b1dc8a8247bdff6a864080d7bd55 100644 --- a/istio/templates/install-custom-resources.sh.tpl +++ b/istio/templates/install-custom-resources.sh.tpl 
@@ -10,17 +10,17 @@ fi pathToResourceYAML=${1} -/kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null +kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null if [ "$?" -eq 0 ]; then echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" while true; do - /kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null + kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null if [ "$?" -eq 0 ]; then break fi sleep 1 done - /kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley + kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley if [ "$?" -ne 0 ]; then echo "istio-galley deployment rollout status check failed" exit 1 @@ -28,5 +28,5 @@ if [ "$?" -eq 0 ]; then echo "istio-galley deployment ready for configuration validation" fi sleep 5 -/kubectl apply -f ${pathToResourceYAML} +kubectl apply -f ${pathToResourceYAML} {{ end }} diff --git a/istio/templates/service.yaml b/istio/templates/service.yaml new file mode 100644 index 0000000000000000000000000000000000000000..732cdefd200fd30a47a03b636c5b15e31bd6427b --- /dev/null +++ b/istio/templates/service.yaml 
@@ -0,0 +1,60 @@ +{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15003 + name: http-old-discovery # mTLS or non-mTLS depending on auth setting + - port: 15005 + name: https-discovery # always mTLS + - port: 15007 + name: http-discovery # always plain-text + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS or non-mTLS depending on auth setting + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + clusterIP: None +{{- end }} +{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + clusterIP: None +{{- end }} +{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + clusterIP: None +{{- end }} diff --git a/istio/templates/serviceaccount.yaml b/istio/templates/serviceaccount.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e52d9eb9c312a96685cc85a2514dceecb653950f --- /dev/null +++ b/istio/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + namespace: {{ .Release.Namespace }} 
diff --git a/istio/templates/sidecar-injector-configmap.yaml b/istio/templates/sidecar-injector-configmap.yaml index 0b28252502cfa63c1f0218d7bdc4a875320b456c..f1a00aabf686e8caca10e5a7d69e5fdbcc63d72a 100644 --- a/istio/templates/sidecar-injector-configmap.yaml +++ b/istio/templates/sidecar-injector-configmap.yaml @@ -6,15 +6,19 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "istio.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector data: config: |- policy: {{ .Values.global.proxy.autoInject }} template: |- + rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }} +{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} initContainers: + {{ "[[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"NONE\" ]]" }} +{{- if not .Values.istio_cni.enabled }} - name: istio-init {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" 
@@ -27,87 +31,115 @@ data: - "-u" - 1337 - "-m" - - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }} - "-i" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"" }} - {{ "[[ else -]]" }} - - "{{ .Values.global.proxy.includeIPRanges }}" - {{ "[[ end -]]" }} + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }} - "-x" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\" ]]\"" }} - {{ "[[ else -]]" }} - - "{{ .Values.global.proxy.excludeIPRanges }}" - {{ "[[ end -]]" }} + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }} - "-b" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"" }} - {{ "[[ else -]]" }} - - {{ "[[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]" }} + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }} - "-d" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\" ]]\"" }} - {{ "[[ else -]]" }} - - "{{ .Values.global.proxy.excludeInboundPorts }}" + - {{ "\"[[ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }} + {{ "[[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]" }} + - "-k" + {{ "- \"[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]\"" }} {{ "[[ end -]]" }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: 100m + memory: 50Mi securityContext: + runAsUser: 0 capabilities: add: - NET_ADMIN - {{ if .Values.global.proxy.privileged }} + {{- if .Values.global.proxy.privileged }} privileged: true - {{ end -}} + {{- end }} restartPolicy: Always - {{ if eq .Values.global.proxy.enableCoreDump true }} +{{- end }} + {{ "[[ end -]]" }} + {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - - sysctl -w kernel.core_pattern=/etc/istio/proxy/core.%e.%p.%t && ulimit -c unlimited + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited command: - /bin/sh - image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} imagePullPolicy: IfNotPresent resources: {} securityContext: privileged: true {{ end }} +{{- end }} containers: - name: istio-proxy - image: {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]" }} - {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"" }} - {{ "[[ else -]]" }} - {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} - {{ "[[ end -]]" }} +{{- if contains "/" .Values.global.proxy.image }} + image: {{ "[[ 
annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }} +{{- else }} + image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }} +{{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --configPath - {{ "[[ .ProxyConfig.ConfigPath ]]" }} - --binaryPath - {{ "[[ .ProxyConfig.BinaryPath ]]" }} - --serviceCluster {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }} - - {{ "[[ index .ObjectMeta.Labels \"app\" ]]" }} + - {{ "[[ index .ObjectMeta.Labels \"app\" ]]." }}$(POD_NAMESPACE) {{ "[[ else -]]" }} - - "istio-proxy" + - {{ "[[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }} {{ "[[ end -]]" }} - --drainDuration - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }} - --parentShutdownDuration - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }} - --discoveryAddress - - {{ "[[ .ProxyConfig.DiscoveryAddress ]]" }} - - --discoveryRefreshDelay - - {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }} + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }} + {{- if eq .Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAddress ]]" }} + - --lightstepAccessToken + - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken ]]" }} + - --lightstepSecure={{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetSecure ]]" }} + - --lightstepCacertPath + - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} - --zipkinAddress - - {{ "[[ .ProxyConfig.ZipkinAddress ]]" }} + - {{ "[[ 
.ProxyConfig.GetTracing.GetZipkin.GetAddress ]]" }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - {{ "[[ .ProxyConfig.GetTracing.GetDatadog.GetAddress ]]" }} + {{- end }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} - --connectTimeout - {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }} {{- if .Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }} + {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - {{ "[[ .ProxyConfig.EnvoyMetricsServiceAddress ]]" }} {{- end }} - --proxyAdminPort - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }} @@ -116,7 +148,16 @@ data: - {{ "[[ .ProxyConfig.Concurrency ]]" }} {{ "[[ end -]]" }} - --controlPlaneAuthPolicy - - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/controlPlaneAuthPolicy\") .ProxyConfig.ControlPlaneAuthPolicy ]]" }} + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }} + {{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} + - --statusPort + - {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} + - --applicationPorts + - {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }} + {{ "[[- end ]]" }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} env: - name: POD_NAME valueFrom: 
@@ -130,47 +171,151 @@ data: valueFrom: fieldRef: fieldPath: status.podIP + {{ if eq .Values.global.proxy.tracer "datadog" }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{ end }} - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: ISTIO_META_INTERCEPTION_MODE value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ "[[ if .ObjectMeta.Annotations ]]" }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ "[[ toJSON .ObjectMeta.Annotations ]]" }} + {{ "[[ end ]]" }} + {{ "[[ if .ObjectMeta.Labels ]]" }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ "[[ toJSON .ObjectMeta.Labels ]]" }} + {{ "[[ end ]]" }} + {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{ "[[- end ]]" }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: ISTIO_META_SDS_TOKEN_PATH + value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" + {{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} + {{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} + initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }} + periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ 
.Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }} + failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }} + {{ "[[ end -]]" -}} securityContext: - {{ if .Values.global.proxy.privileged }} + {{- if .Values.global.proxy.privileged }} privileged: true - {{ end -}} + {{- end }} + {{- if ne .Values.global.proxy.enableCoreDump true }} readOnlyRootFilesystem: true - {{ "[[ if eq (or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String) \"TPROXY\" -]]" }} + {{- end }} + {{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }} capabilities: add: - NET_ADMIN runAsGroup: 1337 {{ "[[ else -]]" }} + {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }} + runAsGroup: 1337 + {{- end }} runAsUser: 1337 - {{ "[[ end -]]" }} - restartPolicy: Always + {{ "[[- end ]]" }} resources: - {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\") -]]" }} + {{ "[[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }} requests: - cpu: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\" ]]\"" }} - memory: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\" ]]\"" }} + {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }} + cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }} + {{ "[[ end ]]" }} + {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }} + memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }} + {{ "[[ end ]]" }} {{ "[[ else -]]" }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 10 }} {{- end }} {{ "[[ end -]]" }} volumeMounts: + {{ 
"[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{ "[[- end ]]" }} - mountPath: /etc/istio/proxy name: istio-envoy + {{- if .Values.global.sds.enabled }} + - mountPath: /var/run/sds/uds_path + name: sds-uds-path + readOnly: true + {{- if .Values.global.sds.useTrustworthyJwt }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" + name: custom-sds-token + readOnly: true + {{- end }} + {{- else }} - mountPath: /etc/certs/ name: istio-certs readOnly: true + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ "[[ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }} + name: lightstep-certs + readOnly: true + {{- end }} + {{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]" }} + {{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]" }} + - name: {{ "\"[[ $index ]]\"" }} + {{ "[[ toYaml $value | indent 4 ]]" }} + {{ "[[ end ]]" }} + {{ "[[- end ]]" }} volumes: + {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }} + - name: custom-bootstrap-volume + configMap: + name: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]" }} + {{ "[[- end ]]" }} - emptyDir: medium: Memory name: istio-envoy + {{- if .Values.global.sds.enabled }} + - name: sds-uds-path + hostPath: + path: /var/run/sds/uds_path + type: Socket + {{- if .Values.global.sds.customTokenDirectory }} + - name: custom-sds-token + secret: + secretName: sdstokensecret + {{- end }} + {{- if .Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + 
audience: {{ .Values.global.trustDomain }} + {{- end }} + {{- else }} - name: istio-certs secret: optional: true @@ -179,4 +324,24 @@ data: {{ "[[ else -]]" }} secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }} {{ "[[ end -]]" }} + {{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]" }} + {{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]" }} + - name: {{ "\"[[ $index ]]\"" }} + {{ "[[ toYaml $value | indent 2 ]]" }} + {{ "[[ end ]]" }} + {{ "[[ end ]]" }} + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} +{{- end }} +{{- if .Values.global.podDNSSearchNamespaces }} + dnsConfig: + searches: + {{- range .Values.global.podDNSSearchNamespaces }} + - {{ . }} + {{- end }} {{- end }} diff --git a/istio/test-values/README.md b/istio/test-values/README.md new file mode 100644 index 0000000000000000000000000000000000000000..8e5ff277cb22ad43be5156e4fb9b4a6f7e484d5a --- /dev/null +++ b/istio/test-values/README.md @@ -0,0 +1,7 @@ +# Test Values + +These files are intended to be used to install Istio for E2E tests. + +The rendered files can be generated with `make generate_e2e_yaml`. + +These files will all have `values-e2e.yaml` applied to them *first*, so if there are settings there that should not be included in the test the must be overridden. diff --git a/istio/test-values/values-e2e.yaml b/istio/test-values/values-e2e.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a6e436037922fa4aea7766a59de12341a164e47b --- /dev/null +++ b/istio/test-values/values-e2e.yaml 
@@ -0,0 +1,70 @@ +# This file overrides values for e2e testing. + +global: + proxy: + concurrency: 0 + resources: + requests: + cpu: 10m + memory: 40Mi + + accessLogFile: "/dev/stdout" + enableCoreDump: true + + disablePolicyChecks: false + outboundTrafficPolicy: + mode: REGISTRY_ONLY + +prometheus: + scrapeInterval: 5s + +gateways: + istio-ingressgateway: + autoscaleMax: 1 + resources: + requests: + cpu: 10m + memory: 40Mi + limits: + cpu: 100m + memory: 128Mi + + istio-egressgateway: + enabled: true + autoscaleMax: 1 + resources: + requests: + cpu: 10m + memory: 40Mi + limits: + cpu: 100m + memory: 128Mi + +mixer: + policy: + enabled: true + replicaCount: 2 + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + telemetry: + enabled: true + loadshedding: + mode: disabled + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + adapters: + stdio: + enabled: true + kiali: + enabled: true diff --git a/istio/values-istio-auth-galley.yaml b/istio/test-values/values-istio-auth-mcp.yaml similarity index 53% rename from istio/values-istio-auth-galley.yaml rename to istio/test-values/values-istio-auth-mcp.yaml index c95b29925952c887e69f1918d174950a5cfab844..fb284d926cdbf71813a8d44a02851296013848db 100644 --- a/istio/values-istio-auth-galley.yaml +++ b/istio/test-values/values-istio-auth-mcp.yaml 
@@ -1,26 +1,17 @@ -# This is used to generate istio.yaml +# This is used to generate istio-auth.yaml with MCP enabled global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: true - + mtls: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: true - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" + + useMCP: true - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: false - -prometheus: - enabled: true - -galley: - enabled: true diff --git a/istio/values-istio-auth-multicluster.yaml b/istio/test-values/values-istio-auth-multicluster.yaml similarity index 74% rename from istio/values-istio-auth-multicluster.yaml rename to istio/test-values/values-istio-auth-multicluster.yaml index 4c7999997703c1de768d030935929f2673d16091..af147981f4ecd920831515b2b3f85078013a4496 100644 --- a/istio/values-istio-auth-multicluster.yaml +++ b/istio/test-values/values-istio-auth-multicluster.yaml @@ -1,6 +1,6 @@ # This is used to generate istio-auth-multicluster.yaml, used for CI/CD. global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: true 
@@ -9,13 +9,13 @@ global: # destination rules or service annotations. enabled: true - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + proxy: + accessLogFile: "/dev/stdout" + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - # Default is 10s second - refreshInterval: 1s - # In a multiple cluster environment, citadel uses the same root certificate in all the clusters security: selfSigned: false diff --git a/istio/test-values/values-istio-auth-non-mcp.yaml b/istio/test-values/values-istio-auth-non-mcp.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4401aa509d165661d52ebc4322582967a9233b6f --- /dev/null +++ b/istio/test-values/values-istio-auth-non-mcp.yaml @@ -0,0 +1,7 @@ +global: + mtls: + enabled: true + + controlPlaneSecurityEnabled: true + + useMCP: false \ No newline at end of file diff --git a/istio/test-values/values-istio-auth-sds.yaml b/istio/test-values/values-istio-auth-sds.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a01172645c222fa345b61f8cebe1a1f79cbb2ad0 --- /dev/null +++ b/istio/test-values/values-istio-auth-sds.yaml @@ -0,0 +1,23 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useNormalJwt: true + + proxy: + enableCoreDump: true + +nodeagent: + enabled: true + image: node-agent-k8s + env: + CA_PROVIDER: "Citadel" + CA_ADDR: "istio-citadel:8060" + VALID_TOKEN: true \ No newline at end of file 
diff --git a/istio/values-istio-auth.yaml b/istio/test-values/values-istio-auth.yaml similarity index 73% rename from istio/values-istio-auth.yaml rename to istio/test-values/values-istio-auth.yaml index 49ad827c4f7e3f51e40e1b89a5453a04c43f46df..4ec1d35c5f7dbbd2f701ec1aa4e5841c7cb5b22d 100644 --- a/istio/values-istio-auth.yaml +++ b/istio/test-values/values-istio-auth.yaml @@ -1,20 +1,14 @@ # This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1 # or v2/alpha3 with 'gradual migration' (using env variable at inject time). global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: true - + mtls: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: true - - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - diff --git a/istio/values-istio-galley.yaml b/istio/test-values/values-istio-mcp.yaml similarity index 54% rename from istio/values-istio-galley.yaml rename to istio/test-values/values-istio-mcp.yaml index 858fbb0ac9116f50593a9c80c2bbc88728173fd0..a6638eefd2ddfb50ab59d4b52ddfdde5994a5fcb 100644 --- a/istio/values-istio-galley.yaml +++ b/istio/test-values/values-istio-mcp.yaml 
@@ -1,6 +1,6 @@ -# This is used to generate istio.yaml +# This is used to generate istio.yaml with MCP enabled global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: false @@ -9,18 +9,10 @@ global: # destination rules or service annotations. enabled: false - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - # Default is 10s second - refreshInterval: 1s + useMCP: true -istiotesting: - oneNameSpace: false -prometheus: - enabled: true - -galley: - enabled: true diff --git a/istio/values-istio-multicluster.yaml b/istio/test-values/values-istio-multicluster.yaml similarity index 72% rename from istio/values-istio-multicluster.yaml rename to istio/test-values/values-istio-multicluster.yaml index 6974a55a15ff7b630bc07e84e9c07beb71ac1211..59b924ac11575405c2c53a4ec40ac43bcd6e3394 100644 --- a/istio/values-istio-multicluster.yaml +++ b/istio/test-values/values-istio-multicluster.yaml @@ -1,6 +1,6 @@ # This is used to generate istio-multicluster.yaml, used for CI/CD. global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: false 
@@ -9,16 +9,13 @@ global: # destination rules or service annotations. enabled: false - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + proxy: + accessLogFile: "/dev/stdout" + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - # Default is 10s second - refreshInterval: 1s - -prometheus: - enabled: true - # In a multiple cluster environment, citadel uses the same root certificate in all the clusters security: selfSigned: false diff --git a/istio/test-values/values-istio-non-mcp.yaml b/istio/test-values/values-istio-non-mcp.yaml new file mode 100644 index 0000000000000000000000000000000000000000..66b236b32ff1cd8c243090cf874255c76f1242ba --- /dev/null +++ b/istio/test-values/values-istio-non-mcp.yaml @@ -0,0 +1,2 @@ +global: + useMCP: false \ No newline at end of file diff --git a/istio/values-istio-one-namespace-auth.yaml b/istio/test-values/values-istio-one-namespace-auth.yaml similarity index 63% rename from istio/values-istio-one-namespace-auth.yaml rename to istio/test-values/values-istio-one-namespace-auth.yaml index d0a11d7f5d36435f855959440e555a8807bc0d8e..c49f402542c4ae1aea5406d23125e8daca92d376 100644 --- a/istio/values-istio-one-namespace-auth.yaml +++ b/istio/test-values/values-istio-one-namespace-auth.yaml 
@@ -1,20 +1,17 @@ # This is used to generate istio.yaml used for deprecated CI/CD testing. global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: true - + mtls: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: true - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: true + # Restrict the applications in one namespace the controller manages + oneNamespace: true diff --git a/istio/test-values/values-istio-one-namespace-trust-domain.yaml b/istio/test-values/values-istio-one-namespace-trust-domain.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1840ab3551acf9dd62c67d906ceaa6845010b561 --- /dev/null +++ b/istio/test-values/values-istio-one-namespace-trust-domain.yaml @@ -0,0 +1,19 @@ +# This is used to generate istio.yaml used for deprecated CI/CD testing. +global: + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + # Default is 10s second + refreshInterval: 1s + + # The trust domain corresponds to the trust root of a system + trustDomain: test.local + + # Restrict the applications in one namespace the controller manages + oneNamespace: true 
diff --git a/istio/values-istio-one-namespace.yaml b/istio/test-values/values-istio-one-namespace.yaml similarity index 63% rename from istio/values-istio-one-namespace.yaml rename to istio/test-values/values-istio-one-namespace.yaml index c097b9733bb6c45136f0743235cf9a56a70bf9d9..14aa45033f05890b05bbd6df1e1140ba63171523 100644 --- a/istio/values-istio-one-namespace.yaml +++ b/istio/test-values/values-istio-one-namespace.yaml @@ -1,20 +1,17 @@ # This is used to generate istio.yaml used for deprecated CI/CD testing. global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: false - + mtls: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: false - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: true + # Restrict the applications in one namespace the controller manages + oneNamespace: true diff --git a/istio/values-istio.yaml b/istio/test-values/values-istio.yaml similarity index 72% rename from istio/values-istio.yaml rename to istio/test-values/values-istio.yaml index 37eba9cc6c6732e8d01d31e99a3e00409bedca75..c115103e1211c47cbddcfb950e966d5ad6237d78 100644 --- a/istio/values-istio.yaml +++ b/istio/test-values/values-istio.yaml 
@@ -1,9 +1,7 @@ + # This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1 # or v2/alpha3 with 'gradual migration' (using env variable at inject time). -global: - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. +# global: + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with private docker registry. # imagePullSecrets: # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s diff --git a/istio/values-istio-demo-auth.yaml b/istio/values-istio-demo-auth.yaml index ffb0cd0ec1dafb3c4fa75bdca0504c7a1414b204..296bfb196da6b565c508c36bdadd626a73c11d7b 100644 --- a/istio/values-istio-demo-auth.yaml +++ b/istio/values-istio-demo-auth.yaml @@ -1,6 +1,8 @@ # This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled. # It is shipped with the release, used for bookinfo or quick installation of istio. # Includes components used in the demo, defaults to alpha3 rules. + +# @include global: controlPlaneSecurityEnabled: true @@ -8,26 +10,3 @@ global: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: true - -ingress: - # Ingress is used for migration, for alpha3 we expect ingressgateway - enabled: false - -prometheus: - enabled: true - -sidecarInjectorWebhook: - enabled: true - enableNamespacesByDefault: false - -grafana: - enabled: true - -tracing: - enabled: true - -servicegraph: - enabled: true - -galley: - enabled: true diff --git a/istio/values-istio-demo-common.yaml b/istio/values-istio-demo-common.yaml new file mode 100644 index 0000000000000000000000000000000000000000..601555f5b5e7d929361d9af946b6abe5ee153c4a --- /dev/null +++ b/istio/values-istio-demo-common.yaml 
@@ -0,0 +1,85 @@ +# This is used to generate minimal demo mode. It is included from demo and demo-auth values. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. +# Note: please only put common configuration for the demo profiles here. +global: + proxy: + accessLogFile: "/dev/stdout" + resources: + requests: + cpu: 10m + memory: 40Mi + + disablePolicyChecks: false + + sidecarInjectorWebhook: + enabled: true + # If true, webhook or istioctl injector will rewrite PodSpec for liveness + # health check to redirect request to sidecar. This makes liveness check work + # even when mTLS is enabled. + rewriteAppHTTPProbe: false + +pilot: + traceSampling: 100.0 + resources: + requests: + cpu: 10m + memory: 100Mi + limits: + cpu: 100m + memory: 200Mi + +mixer: + policy: + enabled: true + resources: + requests: + cpu: 10m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + + telemetry: + enabled: true + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + + adapters: + stdio: + enabled: true + +grafana: + enabled: true + +tracing: + enabled: true + +kiali: + enabled: true + createDemoSecret: true + +gateways: + istio-ingressgateway: + resources: + requests: + cpu: 10m + memory: 40Mi + limits: + cpu: 100m + memory: 128Mi + + istio-egressgateway: + enabled: true + resources: + requests: + cpu: 10m + memory: 40Mi + limits: + cpu: 100m + memory: 128Mi diff --git a/istio/values-istio-demo.yaml b/istio/values-istio-demo.yaml index 1362618558888b168e9e91755d8ff949dbfb4f8d..fd20f62e581115fa0e00b03b210bf6128692ffee 100644 --- a/istio/values-istio-demo.yaml +++ b/istio/values-istio-demo.yaml 
@@ -2,31 +2,12 @@ # It is shipped with the release, used for bookinfo or quick installation of istio. # Includes components used in the demo, defaults to alpha3 rules. -# If running in minikube you may add: -# --set global.nodePort=true -# --set ingressgateway.service.type=NodePort +# @include +# global: - nodePort: false + controlPlaneSecurityEnabled: false -ingress: - # Ingress is used for migration, for alpha3 we expect ingressgateway - enabled: false - -prometheus: - enabled: true - -sidecarInjectorWebhook: - enabled: true - enableNamespacesByDefault: false - -grafana: - enabled: true - -tracing: - enabled: true - -servicegraph: - enabled: true - -galley: - enabled: true + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false diff --git a/istio/values-istio-minimal.yaml b/istio/values-istio-minimal.yaml new file mode 100644 index 0000000000000000000000000000000000000000..eb92536e8058da0ad734d14edfec4106eb413170 --- /dev/null +++ b/istio/values-istio-minimal.yaml @@ -0,0 +1,46 @@ +# +# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/minimal-install/ +# +pilot: + enabled: true + sidecar: false + +gateways: + enabled: false + +security: + enabled: false + +sidecarInjectorWebhook: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +prometheus: + enabled: false + + +# Common settings. +global: + + proxy: + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + useMCP: false + + 
diff --git a/istio/values-istio-remote.yaml b/istio/values-istio-remote.yaml new file mode 100644 index 0000000000000000000000000000000000000000..20fe2ac3dd923da14d610d0c80a9b09045097471 --- /dev/null +++ b/istio/values-istio-remote.yaml @@ -0,0 +1,34 @@ +gateways: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +pilot: + enabled: false + +security: + enabled: true + createMeshPolicy: false + +prometheus: + enabled: false + +global: + istioRemote: true + + enableTracing: false + + # Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent + # to the Pilot when connected by the sidecar and will affect the results returned in EDS requests. + # Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to + # other networks. + # + # Must match the names in the meshNetworks section in the Istio local. + network: "" diff --git a/istio/values-istio-sds-auth.yaml b/istio/values-istio-sds-auth.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a741bfdcfca6ce47c428c26d16120e19f89f07e0 --- /dev/null +++ b/istio/values-istio-sds-auth.yaml @@ -0,0 +1,20 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useNormalJwt: true + +nodeagent: + enabled: true + image: node-agent-k8s + env: + CA_PROVIDER: "Citadel" + CA_ADDR: "istio-citadel:8060" + VALID_TOKEN: true \ No newline at end of file diff --git a/istio/values.yaml b/istio/values.yaml index eab4f0d2831d8328d11dbbd13716d94fd1ee006f..81fe15678b36df2d237327699fd28e7bf7f748b4 100644 --- a/istio/values.yaml +++ b/istio/values.yaml 
@@ -1,52 +1,203 @@ -# Common settings. +# Top level istio values file has the following sections. +# +# global: This file is the authoritative and exhaustive source for the global section. +# +# chart sections: Every subdirectory inside the charts/ directory has a top level +# configuration key in this file. This file overrides the values specified +# by the charts/${chartname}/values.yaml. +# Check the chart level values file for exhaustive list of configuration options. + +# +# Gateways Configuration, refer to the charts/gateways/values.yaml +# for detailed configuration +# +gateways: + enabled: true + +# +# sidecar-injector webhook configuration, refer to the +# charts/sidecarInjectorWebhook/values.yaml for detailed configuration +# +sidecarInjectorWebhook: + enabled: true + +# +# galley configuration, refer to charts/galley/values.yaml +# for detailed configuration +# +galley: + enabled: true + +# +# mixer configuration +# +# @see charts/mixer/values.yaml, it takes precedence +mixer: + policy: + # if policy is enabled the global.disablePolicyChecks has affect. + enabled: true + + telemetry: + enabled: true +# +# pilot configuration +# +# @see charts/pilot/values.yaml +pilot: + enabled: true + +# +# security configuration +# +security: + enabled: true + +# +# nodeagent configuration +# +nodeagent: + enabled: false + +# +# addon grafana configuration +# +grafana: + enabled: false + +# +# addon prometheus configuration +# +prometheus: + enabled: true + +# +# addon servicegraph configuration +# +servicegraph: + enabled: false + +# +# addon jaeger tracing configuration +# +tracing: + enabled: false + +# +# addon kiali tracing configuration +# +kiali: + enabled: false + +# +# addon certmanager configuration +# +certmanager: + enabled: false + +# +# Istio CNI plugin enabled +# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately. 
+# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect +# settings for the istio-proxy. +# +istio_cni: + enabled: false + +# addon Istio CoreDNS configuration +# +istiocoredns: + enabled: false + +# Common settings used among istio subcharts. global: # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly - hub: docker.io/istio + hub: gcr.io/istio-release # Default tag for Istio images. - tag: 1.0.2 + tag: master-latest-daily - # Gateway used for legacy k8s Ingress resources. By default it is - # using 'istio:ingress', to match 0.8 config. It requires that - # ingress.enabled is set to true. You can also set it - # to ingressgateway, or any other gateway you define in the 'gateway' - # section. - k8sIngressSelector: ingress + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" - # k8sIngressHttps will add port 443 on the ingress and ingressgateway. - # It REQUIRES that the certificates are installed in the - # expected secrets - enabling this option without certificates - # will result in LDS rejection and the ingress will not work. - k8sIngressHttps: false + # monitoring port used by mixer, pilot, galley + monitoringPort: 15014 + + k8sIngress: + enabled: false + # Gateway used for k8s Ingress resources. By default it is + # using 'istio:ingressgateway' that will be installed by setting + # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' + # flags to true. + gatewayName: ingressgateway + # enableHttps will add port 443 on the ingress. 
+ # It REQUIRES that the certificates are installed in the + # expected secrets - enabling this option without certificates + # will result in LDS rejection and the ingress will not work. + enableHttps: false proxy: image: proxyv2 + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + # Resources for the sidecar. resources: requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 128Mi # Controls number of Proxy worker threads. # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: 0 - # Configures the access log for each sidecar. Setting it to an empty string will - # disable access log for sidecar. + # Configures the access log for each sidecar. + # Options: + # "" - disables access log + # "/dev/stdout" - enables access log accessLogFile: "/dev/stdout" + # Configure how and what fields are displayed in sidecar access log. Setting to + # empty string will result in default log format + accessLogFormat: "" + + # Configure the access log for sidecar to JSON or TEXT. + accessLogEncoding: TEXT + + # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: "" + + # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS + # 5 seconds is the default refresh rate used by Envoy + dnsRefreshRate: 5s + #If set to true, istio-proxy container will have privileged securityContext privileged: false # If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. 
+ readinessPeriodSeconds: 2 + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + # istio egress capture whitelist # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" @@ -55,6 +206,9 @@ global: includeIPRanges: "*" excludeIPRanges: "" + # pod internal interfaces + kubevirtInterfaces: "" + # istio ingress capture whitelist # examples: # Redirect no inbound traffic to Envoy: --includeInboundPorts="" @@ -68,11 +222,30 @@ global: # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be :). - # Can also be disabled (e.g. when Mixer is not installed). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. envoyStatsd: - enabled: true - host: istio-statsd-prom-bridge - port: 9125 + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector + # via the Metrics Service gRPC API. This contains detailed stats information emitted directly + # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also + # available to scrape via the Envoy admin port at either /stats or /stats/prometheus. + # + # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto + # for details about Envoy's Metrics Service API. + # + # Disabled by default. + envoyMetricsService: + enabled: false + host: # example: metrics-service.istio-system + port: # example: 15000 + + # Specify which tracer to use. One of: lightstep, zipkin, datadog + tracer: "zipkin" proxy_init: # Base name for the proxy_init container, used to configure iptables. 
@@ -83,17 +256,46 @@ global: # TODO: Switch to Always as default, and override in the local tests. imagePullPolicy: IfNotPresent - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: false # disablePolicyChecks disables mixer policy checks. + # if mixer.policy.enabled==true then disablePolicyChecks has affect. # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. - disablePolicyChecks: false + disablePolicyChecks: true + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. enableTracing: true + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # secure: specifies whether data should be sent with TLS + # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is + # required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination + # namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. + # + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + secure: true # example: true|false + cacertPath: "" # example: /etc/lightstep/cacert.pem + zipkin: + # Host:Port for reporting trace data in zipkin format. 
If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + # Default mtls policy. If true, mtls between services will be enabled by default. mtls: # Default setting for service-to-service mtls. Can be set explicitly using @@ -102,7 +304,9 @@ global: # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any clustser configured with privte docker registry. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. imagePullSecrets: # - private-registry-key 
@@ -120,16 +324,41 @@ global: # If not set, controller watches all namespaces oneNamespace: false + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + # Whether to perform server-side validation of configuration. configValidation: true + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" + # If set to true, the pilot and citadel mtls will be exposed on the # ingress gateway - meshExpansion: false - - # If set to true, the pilot and citadel mtls and the plain text pilot ports - # will be exposed on an internal gateway - meshExpansionILB: false + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false # A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). 
@@ -143,403 +372,113 @@ global: # cpu: 100m # memory: 128Mi - # Not recommended for user to configure this. Hyperkube image to use when creating custom resources - hyperkube: - hub: quay.io/coreos - tag: v1.7.6_coreos.0 + # enable pod distruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low prioroty class. + # will not be killed because of low priority class. # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass # for more detail. priorityClassName: "" - # Include the crd definition when generating the template. - # For 'helm template' and helm install > 2.10 it should be true. - # For helm < 2.9, crds must be installed ahead of time with - # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml - # and this options must be set off. - crds: true - -# -# ingress configuration -# -ingress: - enabled: false - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - service: - annotations: {} - loadBalancerIP: "" - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - ports: - - port: 80 - name: http - nodePort: 32000 - - port: 443 - name: https - selector: - istio: ingress - -# -# Gateways Configuration -# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. -# You can add more gateways in addition to the defaults but make sure those are uniquely named -# and that NodePorts are not conflicting. -# Disable specifc gateway by setting the `enabled` to false. 
-# -gateways: - enabled: true - - istio-ingressgateway: - enabled: true - labels: - app: istio-ingressgateway - istio: ingressgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 1800m - # memory: 256Mi - cpu: - targetAverageUtilization: 80 - loadBalancerIP: "" - serviceAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ports: - ## You can add custom gateway ports - - port: 80 - targetPort: 80 - name: http2 - nodePort: 31380 - - port: 443 - name: https - nodePort: 31390 - - port: 31400 - name: tcp - nodePort: 31400 - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - - port: 853 - targetPort: 853 - name: tcp-dns-tls - - port: 15030 - targetPort: 15030 - name: http2-prometheus - - port: 15031 - targetPort: 15031 - name: http2-grafana - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - istio-egressgateway: - enabled: true - labels: - app: istio-egressgateway - istio: egressgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - cpu: - targetAverageUtilization: 80 - serviceAnnotations: {} - type: ClusterIP #change to NodePort or LoadBalancer if need be - ports: - - port: 80 - name: http2 - - port: 443 - name: https - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - # Mesh ILB gateway creates a 
gateway of type InternalLoadBalancer, - # for mesh expansion. It exposes the mtls ports for Pilot,CA as well - # as non-mtls ports to support upgrades and gradual transition. - istio-ilbgateway: - enabled: false - labels: - app: istio-ilbgateway - istio: ilbgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - resources: - requests: - cpu: 800m - memory: 512Mi - #limits: - # cpu: 1800m - # memory: 256Mi - cpu: - targetAverageUtilization: 80 - loadBalancerIP: "" - serviceAnnotations: - cloud.google.com/load-balancer-type: "internal" - type: LoadBalancer - ports: - ## You can add custom gateway ports - google ILB default quota is 5 ports, - - port: 15011 - name: grpc-pilot-mtls - # Insecure port - only for migration from 0.8. Will be removed in 1.1 - - port: 15010 - name: grpc-pilot - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - # Port 853 is reserved for the kube-dns gateway - - port: 853 - name: tcp-dns - secretVolumes: - - name: ilbgateway-certs - secretName: istio-ilbgateway-certs - mountPath: /etc/istio/ilbgateway-certs - - name: ilbgateway-ca-certs - secretName: istio-ilbgateway-ca-certs - mountPath: /etc/istio/ilbgateway-ca-certs - -# -# sidecar-injector webhook configuration -# -sidecarInjectorWebhook: - enabled: true - replicaCount: 1 - image: sidecar_injector - enableNamespacesByDefault: false - -# -# galley configuration -# -galley: - enabled: true - replicaCount: 1 - image: galley - -# -# mixer configuration -# -mixer: - enabled: true - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - image: mixer - - istio-policy: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - cpu: - targetAverageUtilization: 80 - - istio-telemetry: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - cpu: - targetAverageUtilization: 80 - - prometheusStatsdExporter: - hub: docker.io/prom - tag: v0.6.0 - -# -# pilot configuration -# -pilot: - enabled: true - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - image: pilot - 
sidecar: true - traceSampling: 100.0 - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - env: - PILOT_PUSH_THROTTLE_COUNT: 100 - GODEBUG: gctrace=2 - cpu: - targetAverageUtilization: 80 - -# -# security configuration -# -security: - replicaCount: 1 - image: citadel - selfSigned: true # indicate if self-signed CA is used. - -# -# addons configuration -# -telemetry-gateway: - gatewayName: ingressgateway - grafanaEnabled: false - prometheusEnabled: false - -grafana: - enabled: false - replicaCount: 1 - image: grafana - persist: false - storageClassName: "" - security: - enabled: false - adminUser: admin - adminPassword: admin - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 3000 - internalPort: 3000 - -prometheus: - enabled: true - replicaCount: 1 - hub: docker.io/prom - tag: v2.3.1 - - service: - annotations: {} - nodePort: - enabled: false - port: 32090 - -servicegraph: - enabled: false - replicaCount: 1 - image: servicegraph - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 8088 - internalPort: 8088 - ingress: + # Use the Mesh Control Protocol (MCP) for configuring Mixer and + # Pilot. Requires galley (`--set galley.enabled=true`). + useMCP: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + # Indicate the domain used in SPIFFE identity URL + # The default depends on the environment. 
+ # kubernetes: cluster.local + # else: default dns domain + trustDomain: "" + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests + # to services outside of the mesh without any ServiceEntry. + # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY. + outboundTrafficPolicy: + mode: ALLOW_ANY + + # The namespace where globally shared configurations should be present. + # DestinationRules that apply to the entire mesh (e.g., enabling mTLS), + # default Sidecar configs, etc. should be added to this namespace. + # configRootNamespace: istio-config + + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + #defaultConfigVisibilitySettings: + #- '*' + + sds: + # SDS enabled. IF set to true, mTLS certificates for the sidecars will be + # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. enabled: false - # Used to create an Ingress record. - hosts: - - servicegraph.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. 
- # - secretName: servicegraph-tls - # hosts: - # - servicegraph.local - # prometheus addres - prometheusAddr: http://prometheus:9090 - -tracing: - enabled: false - provider: jaeger - jaeger: - hub: docker.io/jaegertracing - tag: 1.5 - memory: - max_traces: 50000 - ui: - port: 16686 - ingress: - enabled: false - # Used to create an Ingress record. - hosts: - - jaeger.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: jaeger-tls - # hosts: - # - jaeger.local - replicaCount: 1 - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 9411 - internalPort: 9411 - ingress: - enabled: false - # Used to create an Ingress record. - hosts: - - tracing.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: tracing-tls - # hosts: - # - tracing.local - -kiali: - enabled: false - replicaCount: 1 - hub: docker.io/kiali - tag: istio-release-1.0 - ingress: - enabled: false - ## Used to create an Ingress record. - # hosts: - # - kiali.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: kiali-tls - # hosts: - # - kiali.local - dashboard: - username: admin - # Default admin passphrase for kiali. Must be set during setup, and - # changed by overriding the secret - passphrase: admin - - # Override the automatically detected Grafana URL, usefull when Grafana service has no ExternalIPs - # grafanaURL: - - # Override the automatically detected Jaeger URL, usefull when Jaeger service has no ExternalIPs - # jaegerURL: - -# Certmanager uses ACME to sign certificates. Since Istio gateways are -# mounting the TLS secrets the Certificate CRDs must be created in the -# istio-system namespace. 
Once the certificate has been created, the -# gateway must be updated by adding 'secretVolumes'. After the gateway -# restart, DestinationRules can be created using the ACME-signed certificates. -certmanager: - enabled: false - hub: quay.io/jetstack - tag: v0.3.1 - resources: {} + udsPath: "" + useTrustworthyJwt: false + useNormalJwt: false + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (not + # supported yet). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway + # port: 443 + # + meshNetworks: {} + + # Specifies the global locality load balancing settings. + # Locality-weighted load balancing allows administrators to control the distribution of traffic to + # endpoints based on the localities of where the traffic originates and where it will terminate. + # Please set either failover or distribute configuration but not both. 
+ # + # localityLbSetting: + # distribute: + # - from: "us-central1/*" + # to: + # "us-central1/*": 80 + # "us-central2/*": 20 + # + # localityLbSetting: + # failover: + # - from: us-east + # to: eu-west + # - from: us-west + # to: us-east + localityLbSetting: {} + + # Specifies whether helm test is enabled or not. + # This field is set to false by default, so 'helm template ...' + # will ignore the helm test yaml files when generating the template + enableHelmTest: false \ No newline at end of file
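Review bot: the new `outboundTrafficPolicy.mode: ALLOW_ANY` default silently loosens egress control for every sidecar in the mesh, and the only place this is recorded is the inline comment ("REGISTRY_ONLY was the default in 1.0"). Since operators upgrading from 1.0 will get unrestricted outbound traffic without changing anything, please add an explicit upgrade note to the chart README and consider keeping `REGISTRY_ONLY` in any values profile that is meant to be locked down; the comment text itself is clear, but a default change of this kind should not live only in values.yaml.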
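Review bot: the `sds` block documents only `enabled`; `udsPath: ""`, `useTrustworthyJwt: false` and `useNormalJwt: false` are added with no comment explaining what they mean, when each is required, or that the two JWT switches presumably should not both be true. A one-line comment per key (and a note on whether `udsPath` must be set when `enabled: true`) would make the block self-describing like the rest of this file. Minor: "IF set to true" in the `enabled` comment should read "If set to true".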
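Review bot: the `meshNetworks` example in the comments uses `fromCidr: "192.168.0.1/24"`, which is a host address with a /24 mask rather than a network prefix; `192.168.0.0/24` is the form users should copy. The example gateway `address: 1.1.1.1` is a live public IP, so an RFC 5737 documentation address (e.g. `203.0.113.10`) would be safer for a snippet people paste. The `network2` example also shows `registryServiceName` while the prose says resolving the gateway IP from the remote service is "not supported yet"; either drop that half of the example or mark it as a future form so nobody expects it to work with this release.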
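Review bot: the `localityLbSetting` comment says to set either `failover` or `distribute` but not both, yet nothing in this hunk enforces that; if the templates do not already reject a value with both keys, a `fail` in the template would turn a silent misconfiguration into an install-time error. Style: the file ends at `enableHelmTest: false` with "No newline at end of file"; please add the trailing newline.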