From 499ef2affe7a6bbc457a2c855aa4dc2575d20aef Mon Sep 17 00:00:00 2001 
From: Dimitar Zafirov Date: Tue, 16 Apr 2019 11:14:36 +0300 Subject: [PATCH 1/4] istio update to 1.1.2 --- istio/Chart.yaml | 4 +- istio/README.md | 148 ++- istio/charts/certmanager/Chart.yaml | 4 +- .../charts/certmanager/templates/_helpers.tpl | 14 +- istio/charts/certmanager/templates/crds.yaml | 50 - .../certmanager/templates/deployment.yaml | 77 +- .../charts/certmanager/templates/issuer.yaml | 10 + istio/charts/certmanager/templates/rbac.yaml | 19 +- .../certmanager/templates/serviceaccount.yaml | 3 + istio/charts/galley/Chart.yaml | 4 +- istio/charts/galley/templates/_helpers.tpl | 16 + .../charts/galley/templates/clusterrole.yaml | 29 +- .../galley/templates/clusterrolebinding.yaml | 6 +- istio/charts/galley/templates/configmap.yaml | 11 +- istio/charts/galley/templates/deployment.yaml | 67 +- istio/charts/galley/templates/service.yaml | 8 +- .../galley/templates/serviceaccount.yaml | 4 +- .../validatingwehookconfiguration.yaml.tpl | 113 -- istio/charts/gateways/Chart.yaml | 4 +- .../charts/gateways/templates/autoscale.yaml | 29 +- .../gateways/templates/clusterrole.yaml | 16 +- .../templates/clusterrolebindings.yaml | 17 +- .../charts/gateways/templates/deployment.yaml | 185 ++- istio/charts/gateways/templates/service.yaml | 26 +- .../gateways/templates/serviceaccount.yaml | 7 +- istio/charts/grafana/Chart.yaml | 4 +- istio/charts/grafana/templates/_helpers.tpl | 16 + istio/charts/grafana/templates/configmap.yaml | 25 +- .../create-custom-resources-job.yaml | 45 +- .../charts/grafana/templates/deployment.yaml | 65 +- .../grafana/templates/grafana-ports-mtls.yaml | 5 + istio/charts/grafana/templates/pvc.yaml | 7 +- istio/charts/grafana/templates/secret.yaml | 14 - istio/charts/grafana/templates/service.yaml | 17 +- istio/charts/ingress/Chart.yaml | 13 - istio/charts/ingress/templates/autoscale.yaml | 19 - .../charts/ingress/templates/clusterrole.yaml | 16 - .../ingress/templates/clusterrolebinding.yaml | 12 - .../charts/ingress/templates/deployment.yaml | 
106 -- istio/charts/ingress/templates/service.yaml | 29 - .../ingress/templates/serviceaccount.yaml | 16 - istio/charts/kiali/Chart.yaml | 6 +- istio/charts/kiali/templates/clusterrole.yaml | 195 ++- .../kiali/templates/clusterrolebinding.yaml | 4 +- istio/charts/kiali/templates/configmap.yaml | 14 +- istio/charts/kiali/templates/deployment.yaml | 50 +- istio/charts/kiali/templates/ingress.yaml | 16 +- istio/charts/kiali/templates/secrets.yaml | 12 - istio/charts/kiali/templates/service.yaml | 8 +- .../kiali/templates/serviceaccount.yaml | 4 +- istio/charts/mixer/Chart.yaml | 4 +- istio/charts/mixer/templates/_helpers.tpl | 16 + istio/charts/mixer/templates/autoscale.yaml | 17 +- istio/charts/mixer/templates/clusterrole.yaml | 16 +- .../mixer/templates/clusterrolebinding.yaml | 6 +- istio/charts/mixer/templates/config.yaml | 1078 ++++++++++------ istio/charts/mixer/templates/configmap.yaml | 13 - istio/charts/mixer/templates/deployment.yaml | 233 +++- istio/charts/mixer/templates/service.yaml | 25 +- .../mixer/templates/serviceaccount.yaml | 4 +- .../charts/mixer/templates/statsdtoprom.yaml | 69 - istio/charts/pilot/Chart.yaml | 4 +- istio/charts/pilot/templates/autoscale.yaml | 32 +- istio/charts/pilot/templates/clusterrole.yaml | 13 +- .../pilot/templates/clusterrolebinding.yaml | 6 +- istio/charts/pilot/templates/deployment.yaml | 87 +- istio/charts/pilot/templates/gateway.yaml | 74 -- .../charts/pilot/templates/meshexpansion.yaml | 92 +- istio/charts/pilot/templates/service.yaml | 9 +- .../pilot/templates/serviceaccount.yaml | 4 +- istio/charts/prometheus/Chart.yaml | 4 +- .../charts/prometheus/templates/_helpers.tpl | 16 + .../prometheus/templates/clusterrole.yaml | 7 +- .../templates/clusterrolebindings.yaml | 7 +- .../prometheus/templates/configmap.yaml | 155 ++- .../prometheus/templates/deployment.yaml | 30 +- .../charts/prometheus/templates/service.yaml | 12 +- .../prometheus/templates/serviceaccount.yaml | 5 + istio/charts/security/Chart.yaml | 4 +- 
istio/charts/security/templates/_helpers.tpl | 16 + .../security/templates/cleanup-secrets.yaml | 38 +- .../security/templates/clusterrole.yaml | 15 +- .../templates/clusterrolebinding.yaml | 4 +- .../charts/security/templates/configmap.yaml | 36 +- .../create-custom-resources-job.yaml | 173 +-- .../charts/security/templates/deployment.yaml | 30 +- .../security/templates/enable-mesh-mtls.yaml | 36 +- .../security/templates/meshexpansion.yaml | 43 +- istio/charts/security/templates/service.yaml | 8 +- .../security/templates/serviceaccount.yaml | 2 +- istio/charts/servicegraph/Chart.yaml | 4 +- .../servicegraph/templates/_helpers.tpl | 16 + .../servicegraph/templates/deployment.yaml | 34 +- .../servicegraph/templates/ingress.yaml | 9 +- .../servicegraph/templates/service.yaml | 17 +- .../charts/sidecarInjectorWebhook/Chart.yaml | 4 +- .../templates/_helpers.tpl | 16 + .../templates/clusterrole.yaml | 9 +- .../templates/clusterrolebinding.yaml | 7 +- .../templates/deployment.yaml | 25 +- .../templates/mutatingwebhook.yaml | 11 +- .../templates/service.yaml | 4 + .../templates/serviceaccount.yaml | 5 +- istio/charts/telemetry-gateway/Chart.yaml | 7 - .../telemetry-gateway/templates/gateway.yaml | 84 -- istio/charts/tracing/Chart.yaml | 2 +- istio/charts/tracing/templates/_helpers.tpl | 20 +- .../charts/tracing/templates/deployment.yaml | 62 - .../tracing/templates/ingress-jaeger.yaml | 32 - istio/charts/tracing/templates/ingress.yaml | 28 +- .../tracing/templates/service-jaeger.yaml | 26 +- istio/charts/tracing/templates/service.yaml | 34 +- istio/requirements.yaml | 35 +- istio/templates/_affinity.tpl | 59 +- istio/templates/_helpers.tpl | 16 + istio/templates/configmap.yaml | 208 ++- istio/templates/crds.yaml | 1116 ----------------- .../templates/install-custom-resources.sh.tpl | 8 +- .../templates/sidecar-injector-configmap.yaml | 257 +++- istio/values-istio-auth-galley.yaml | 26 - istio/values-istio-auth-multicluster.yaml | 21 - istio/values-istio-auth.yaml | 20 - 
istio/values-istio-demo-auth.yaml | 25 +- istio/values-istio-demo.yaml | 33 +- istio/values-istio-galley.yaml | 26 - istio/values-istio-gateways.yaml | 130 -- istio/values-istio-multicluster.yaml | 24 - istio/values-istio-one-namespace-auth.yaml | 20 - istio/values-istio-one-namespace.yaml | 20 - istio/values-istio.yaml | 9 - istio/values.yaml | 789 ++++++------ 131 files changed, 3519 insertions(+), 3811 deletions(-) delete mode 100644 istio/charts/certmanager/templates/crds.yaml delete mode 100644 istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl delete mode 100644 istio/charts/grafana/templates/secret.yaml delete mode 100644 istio/charts/ingress/Chart.yaml delete mode 100644 istio/charts/ingress/templates/autoscale.yaml delete mode 100644 istio/charts/ingress/templates/clusterrole.yaml delete mode 100644 istio/charts/ingress/templates/clusterrolebinding.yaml delete mode 100644 istio/charts/ingress/templates/deployment.yaml delete mode 100644 istio/charts/ingress/templates/service.yaml delete mode 100644 istio/charts/ingress/templates/serviceaccount.yaml delete mode 100644 istio/charts/kiali/templates/secrets.yaml delete mode 100644 istio/charts/mixer/templates/configmap.yaml delete mode 100644 istio/charts/mixer/templates/statsdtoprom.yaml delete mode 100644 istio/charts/pilot/templates/gateway.yaml delete mode 100644 istio/charts/telemetry-gateway/Chart.yaml delete mode 100644 istio/charts/telemetry-gateway/templates/gateway.yaml delete mode 100644 istio/charts/tracing/templates/deployment.yaml delete mode 100644 istio/charts/tracing/templates/ingress-jaeger.yaml delete mode 100644 istio/templates/crds.yaml delete mode 100644 istio/values-istio-auth-galley.yaml delete mode 100644 istio/values-istio-auth-multicluster.yaml delete mode 100644 istio/values-istio-auth.yaml delete mode 100644 istio/values-istio-galley.yaml delete mode 100644 istio/values-istio-gateways.yaml delete mode 100644 istio/values-istio-multicluster.yaml delete mode 100644 
istio/values-istio-one-namespace-auth.yaml delete mode 100644 istio/values-istio-one-namespace.yaml delete mode 100644 istio/values-istio.yaml diff --git a/istio/Chart.yaml b/istio/Chart.yaml index 592e39f..9132dfd 100644 --- a/istio/Chart.yaml +++ b/istio/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: istio -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.2 +appVersion: 1.1.2 tillerVersion: ">=2.7.2-0" description: Helm chart for all istio components keywords: diff --git a/istio/README.md b/istio/README.md index 466864e..a1cf37d 100644 --- a/istio/README.md +++ b/istio/README.md @@ -2,14 +2,17 @@ [Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. + + +The documentation here is for developers only, please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/install/helm/) for all other uses. + ## Introduction -This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. ## Chart Details -This chart can install multiple istio components as subcharts: -- ingress +This chart can install multiple Istio components as subcharts: - ingressgateway - egressgateway - sidecarInjectorWebhook 
@@ -30,6 +33,7 @@ To enable or disable each component, change the corresponding `enabled` flag. - Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required - Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required - If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order. +- The `istio-init` chart must be run to completion prior to install the `istio` chart. ## Resources Required 
@@ -38,33 +42,83 @@ The chart deploys pods that consume minimum resources as specified in the resour ## Installing the Chart 1. If a service account has not already been installed for Tiller, install one: -``` -$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml -``` - -2. Install Tiller on your cluster with the service account: -``` -$ helm init --service-account tiller -``` - -3. Install Istio’s [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver: - ``` - $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml - ``` - **Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver: - ``` - $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml - ``` - -4. To install the chart with the release name `istio` in namespace `istio-system`: + ``` + $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml + ``` + +1. Install Tiller on your cluster with the service account: + ``` + $ helm init --service-account tiller + ``` + +1. Set and create the namespace where Istio was installed: + ``` + $ NAMESPACE=istio-system + $ kubectl create ns $NAMESPACE + ``` + +1. 
If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for `kiali` dashboard: + ``` + $ echo -n 'admin' | base64 + YWRtaW4= + $ echo -n '1f2d1e2e67df' | base64 + MWYyZDFlMmU2N2Rm + $ cat <=1.9.0): ``` - $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system + $ helm install istio --name istio --namespace $NAMESPACE ``` - Without the sidecar injection webhook: ``` - $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false + $ helm install istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false ``` ## Configuration 
@@ -72,46 +126,16 @@ $ helm init --service-account tiller The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. -Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table: - -| Parameter | Description | Values | Default | -| --- | --- | --- | --- | -| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` | -| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | -| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` | -| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` | -| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | -| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` | -| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` | -| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` | -| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` | -| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | -| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | -| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | -| 
`ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` | -| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` | -| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` | -| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | `true` | -| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` | -| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` | -| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` | -| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` | -| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` | -| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" | -| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` | -| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` | -| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` | -| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` | +Helm charts expose configuration options which are currently in alpha. The currently exposed options can be found [here](https://istio.io/docs/reference/config/installation-options/). ## Uninstalling the Chart -To uninstall/delete the `istio` release: -``` -$ helm delete istio -``` -The command removes all the Kubernetes components associated with the chart and deletes the release. 
+To uninstall/delete the `istio` release but continue to track the release: + ``` + $ helm delete istio + ``` To uninstall/delete the `istio` release completely and make its name free for later use: -``` -$ helm delete istio --purge -``` + ``` + $ helm delete istio --purge + ``` diff --git a/istio/charts/certmanager/Chart.yaml b/istio/charts/certmanager/Chart.yaml index fd2e206..b83f4d1 100644 --- a/istio/charts/certmanager/Chart.yaml +++ b/istio/charts/certmanager/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: certmanager -version: 1.0.1 -appVersion: 0.3.1 +version: 1.1.0 +appVersion: 0.6.2 tillerVersion: ">=2.7.2" diff --git a/istio/charts/certmanager/templates/_helpers.tpl b/istio/charts/certmanager/templates/_helpers.tpl index 8cb480b..331a91d 100644 --- a/istio/charts/certmanager/templates/_helpers.tpl +++ b/istio/charts/certmanager/templates/_helpers.tpl 
@@ -9,16 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "certmanager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} -{{- $fullname := printf "%s-%s" $name .Release.Name -}} -{{- default $fullname .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} {{- end -}} {{/* Create chart name and version as used by the chart label. */}} {{- define "certmanager.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/istio/charts/certmanager/templates/crds.yaml b/istio/charts/certmanager/templates/crds.yaml deleted file mode 100644 index f5fb4aa..0000000 --- a/istio/charts/certmanager/templates/crds.yaml +++ /dev/null 
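Review bot: The comment above `certmanager.chart` still reads "Create chart name and version as used by the chart label", but the new body emits only `.Chart.Name` — the version suffix and the `+`→`_` replacement are gone, so the comment now documents the old behaviour. Either update it to `Create chart name (without version) as used by the chart label.` or keep the version in the label. Dropping the version also means `kubectl get -l chart=certmanager` can no longer tell chart versions apart, which is presumably intended to avoid label churn on upgrade; if so, say that in the comment so the next maintainer does not "fix" it back.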
@@ -1,50 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.certmanager.k8s.io - annotations: - "helm.sh/hook": crd-install - labels: - app: certmanager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.certmanager.k8s.io - annotations: - "helm.sh/hook": crd-install - labels: - app: certmanager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Issuer - plural: issuers - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: certificates.certmanager.k8s.io - annotations: - "helm.sh/hook": crd-install - labels: - app: certmanager -spec: - group: certmanager.k8s.io - version: v1alpha1 - scope: Namespaced - names: - kind: Certificate - plural: certificates - shortNames: - - cert - - certs diff --git a/istio/charts/certmanager/templates/deployment.yaml b/istio/charts/certmanager/templates/deployment.yaml index f113d7b..83a1e8b 100644 --- a/istio/charts/certmanager/templates/deployment.yaml +++ b/istio/charts/certmanager/templates/deployment.yaml @@ -1,10 +1,13 @@ -apiVersion: apps/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: certmanager namespace: {{ .Release.Namespace }} labels: - app: {{ template "certmanager.name" . }} + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: 1 selector: 
@@ -14,53 +17,47 @@ spec: metadata: labels: app: certmanager -{{- if .Values.podLabels }} + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- if .Values.podLabels }} {{ toYaml .Values.podLabels | indent 8 }} -{{- end }} + {{- end }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - {{- if .Values.podAnnotations }} + {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} + {{- end }} spec: serviceAccountName: certmanager {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} containers: - - name: certmanager - image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - args: - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=$(POD_NAMESPACE) - {{- if .Values.extraArgs }} -{{ toYaml .Values.extraArgs | indent 10 }} - {{- end }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . 
| indent 8 }} - {{- end }} -{{- if .Values.podDnsPolicy }} + - name: certmanager + image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=$(POD_NAMESPACE) + {{- if .Values.extraArgs }} +{{ toYaml .Values.extraArgs | indent 8 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: +{{ toYaml .Values.resources | indent 10 }} + + {{- if .Values.podDnsPolicy }} dnsPolicy: {{ .Values.podDnsPolicy }} -{{- end }} -{{- if .Values.podDnsConfig }} + {{- end }} + {{- if .Values.podDnsConfig }} dnsConfig: -{{ toYaml .Values.podDnsConfig | indent 8 }} -{{- end }} + {{ toYaml .Values.podDnsConfig | indent 8 }} + {{- end }} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/certmanager/templates/issuer.yaml b/istio/charts/certmanager/templates/issuer.yaml index 15dfc06..59402da 100644 --- a/istio/charts/certmanager/templates/issuer.yaml +++ b/istio/charts/certmanager/templates/issuer.yaml @@ -4,6 +4,11 @@ kind: ClusterIssuer metadata: name: letsencrypt-staging namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory @@ -18,6 +23,11 @@ kind: ClusterIssuer metadata: name: letsencrypt namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: acme: server: https://acme-v02.api.letsencrypt.org/directory diff --git a/istio/charts/certmanager/templates/rbac.yaml b/istio/charts/certmanager/templates/rbac.yaml index c9738de..b3a4ef3 100644 
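Review bot: The rewritten pod spec drops the `nodeSelector`, `affinity` and `tolerations` blocks that were driven by `.Values.nodeSelector`, `.Values.affinity` and `.Values.tolerations` and wires only the `nodeaffinity`/`podAntiAffinity` includes in their place, so a user who set `tolerations` to land certmanager on a tainted node loses that silently at upgrade time — Helm does not warn about values no template reads. If the drop is intentional, document it in the chart values; otherwise keep `tolerations` next to the new `affinity` block. Separately, the `certmanager` container still carries no `securityContext`; for a controller whose ClusterRole in this same patch grants `*` on Secrets cluster-wide, `runAsNonRoot`, a read-only root filesystem and dropping all capabilities are cheap hardening, assuming the `cert-manager-controller` image supports a non-root user, which is not visible here. The enclosing Deployment spec continues outside the hunk.
```yaml
      - name: certmanager
        # … unchanged: image, imagePullPolicy, args, env, resources …
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      # … unchanged: dnsPolicy / dnsConfig …
      {{- with .Values.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
      {{- end }}
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      {{- include "podAntiAffinity" . | indent 6 }}
```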
--- a/istio/charts/certmanager/templates/rbac.yaml +++ b/istio/charts/certmanager/templates/rbac.yaml @@ -1,31 +1,32 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: certmanager labels: app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} rules: - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "issuers", "clusterissuers"] + resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"] verbs: ["*"] - apiGroups: [""] - # TODO: remove endpoints once 0.4 is released. We include it here in case - # users use the 'master' version of the Helm chart with a 0.2.x release of - # certManager that still performs leader election with Endpoint resources. - # We advise users don't do this, but some will anyway and this will reduce - # friction. - resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"] + resources: ["configmaps", "secrets", "events", "services", "pods"] verbs: ["*"] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: ["*"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: certmanager labels: app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/istio/charts/certmanager/templates/serviceaccount.yaml b/istio/charts/certmanager/templates/serviceaccount.yaml index 0bfb517..f875435 100644 --- a/istio/charts/certmanager/templates/serviceaccount.yaml +++ b/istio/charts/certmanager/templates/serviceaccount.yaml 
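Review bot: The core-group rule still grants `verbs: ["*"]` cluster-wide on `secrets`, `configmaps`, `services` and `pods`, so a compromise of the certmanager pod or its service-account token yields read and write access to every Secret in the cluster, not only the TLS secrets cert-manager issues. Dropping `endpoints` from the list is the right direction; I would go further and replace the wildcard with the verbs the controller actually needs, for example `verbs: ["get", "list", "watch", "create", "update", "delete"]` on `secrets` and `["get", "list", "watch"]` on `pods` and `services`, leaving out `deletecollection` and `patch`. I cannot confirm the exact verb set for cert-manager 0.6.2 from this patch alone, so check it against the upstream chart's split ClusterRoles before tightening. The same applies to the `certmanager.k8s.io` rule, where `*` on `clusterissuers` lets the pod create cluster-scoped issuers that any namespace can then reference.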
@@ -11,3 +11,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/istio/charts/galley/Chart.yaml b/istio/charts/galley/Chart.yaml index 99625e1..5933bde 100644 --- a/istio/charts/galley/Chart.yaml +++ b/istio/charts/galley/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: galley -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for galley deployment keywords: diff --git a/istio/charts/galley/templates/_helpers.tpl b/istio/charts/galley/templates/_helpers.tpl index 3df13cc..5d42f4a 100644 --- a/istio/charts/galley/templates/_helpers.tpl +++ b/istio/charts/galley/templates/_helpers.tpl @@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "galley.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "galley.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/galley/templates/clusterrole.yaml b/istio/charts/galley/templates/clusterrole.yaml index a10cc3d..6385c88 100644 --- a/istio/charts/galley/templates/clusterrole.yaml +++ b/istio/charts/galley/templates/clusterrole.yaml 
@@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-galley-{{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -14,11 +14,26 @@ rules: - apiGroups: ["config.istio.io"] # istio mixer CRD watcher resources: ["*"] verbs: ["get", "list", "watch"] -- apiGroups: ["*"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions","apps"] resources: ["deployments"] resourceNames: ["istio-galley"] verbs: ["get"] -- apiGroups: ["*"] - resources: ["endpoints"] +- apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["deployments/finalizers"] resourceNames: ["istio-galley"] - verbs: ["get"] + verbs: ["update"] diff --git a/istio/charts/galley/templates/clusterrolebinding.yaml b/istio/charts/galley/templates/clusterrolebinding.yaml index 11c51dd..88cde25 100644 --- a/istio/charts/galley/templates/clusterrolebinding.yaml +++ b/istio/charts/galley/templates/clusterrolebinding.yaml 
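Review bot: The `deployments/finalizers` rule at the end of the hunk is granted only for the `extensions` group, while the matching `deployments` get rule covers both `extensions` and `apps` and the galley Deployment in this same patch is now created as `apps/v1`; if galley issues the finalizer update through the `apps` group, the RBAC check will deny it, so the two rules should agree: `- apiGroups: ["extensions", "apps"]` on the finalizers rule as well. I cannot see from here which group galley 1.1 uses for that call, so confirm it in galley's logs rather than widening blindly. Replacing the old `apiGroups: ["*"]` rules with named groups and keeping `resourceNames: ["istio-galley"]` on the only write verb is a good least-privilege tightening. The remaining broad grant is cluster-wide `get/list/watch` on `pods`, `nodes`, `services`, `endpoints` and `ingresses` — read-only, but it makes the galley token a cluster-topology oracle, so a one-line comment such as `# presumably required for service/endpoint discovery served over MCP — confirm` would help the next reviewer judge whether it can be narrowed.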
@@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-galley-admin-role-binding-{{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/galley/templates/configmap.yaml b/istio/charts/galley/templates/configmap.yaml index 2d1ed2c..b138f2e 100644 --- a/istio/charts/galley/templates/configmap.yaml +++ b/istio/charts/galley/templates/configmap.yaml @@ -4,12 +4,11 @@ metadata: name: istio-galley-configuration namespace: {{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} - istio: mixer + release: {{ .Release.Name }} + istio: galley data: validatingwebhookconfiguration.yaml: |- - {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} - + {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} \ No newline at end of file diff --git a/istio/charts/galley/templates/deployment.yaml b/istio/charts/galley/templates/deployment.yaml index aed8f3b..0ef8ded 100644 --- a/istio/charts/galley/templates/deployment.yaml +++ b/istio/charts/galley/templates/deployment.yaml 
@@ -1,16 +1,19 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-galley namespace: {{ .Release.Namespace }} labels: app: {{ template "galley.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: galley spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: galley strategy: rollingUpdate: maxSurge: 1 
@@ -18,46 +21,68 @@ spec: template: metadata: labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: galley annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-galley-service-account {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} containers: - - name: validator + - name: galley +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - containerPort: 443 - - containerPort: 9093 + - containerPort: {{ .Values.global.monitoringPort }} + - containerPort: 9901 command: - /usr/local/bin/galley - - validator - - --deployment-namespace={{ .Release.Namespace }} - - --caCertFile=/etc/istio/certs/root-cert.pem - - --tlsCertFile=/etc/istio/certs/cert-chain.pem - - --tlsKeyFile=/etc/istio/certs/key.pem - - --healthCheckInterval=1s - - --healthCheckFile=/health - - --webhook-config-file - - /etc/istio/config/validatingwebhookconfiguration.yaml + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s +{{- if $.Values.global.controlPlaneSecurityEnabled}} + - --insecure=false +{{- else }} + - --insecure=true +{{- end }} +{{- if not $.Values.global.useMCP }} + - --enable-server=false +{{- end }} + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort={{ .Values.global.monitoringPort }} +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} volumeMounts: - name: certs - mountPath: /etc/istio/certs + mountPath: /etc/certs 
readOnly: true - name: config - mountPath: /etc/istio/config + mountPath: /etc/config + readOnly: true + - name: mesh-config + mountPath: /etc/mesh-config readOnly: true livenessProbe: exec: command: - /usr/local/bin/galley - probe - - --probe-path=/health + - --probe-path=/healthliveness - --interval=10s initialDelaySeconds: 5 periodSeconds: 5 @@ -66,7 +91,7 @@ spec: command: - /usr/local/bin/galley - probe - - --probe-path=/health + - --probe-path=/healthready - --interval=10s initialDelaySeconds: 5 periodSeconds: 5 @@ -83,5 +108,9 @@ spec: - name: config configMap: name: istio-galley-configuration + - name: mesh-config + configMap: + name: istio affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/galley/templates/service.yaml b/istio/charts/galley/templates/service.yaml index 4519e80..cd21fd1 100644 --- a/istio/charts/galley/templates/service.yaml +++ b/istio/charts/galley/templates/service.yaml @@ -4,12 +4,18 @@ metadata: name: istio-galley namespace: {{ .Release.Namespace }} labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: galley spec: ports: - port: 443 name: https-validation - - port: 9093 + - port: {{ .Values.global.monitoringPort }} name: http-monitoring + - port: 9901 + name: grpc-mcp selector: istio: galley diff --git a/istio/charts/galley/templates/serviceaccount.yaml b/istio/charts/galley/templates/serviceaccount.yaml index f13858d..1ff54c4 100644 --- a/istio/charts/galley/templates/serviceaccount.yaml +++ b/istio/charts/galley/templates/serviceaccount.yaml @@ -10,7 +10,7 @@ metadata: name: istio-galley-service-account namespace: {{ .Release.Namespace }} labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} 
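Review bot: The `--insecure=true` branch means galley's MCP endpoint on container port 9901, which the service.yaml hunk further along this line now publishes as `grpc-mcp`, is served without TLS whenever `global.controlPlaneSecurityEnabled` is false, and nothing in the template says so. A comment above the branch, `# MCP on 9901 is served in plaintext unless global.controlPlaneSecurityEnabled is set`, would make that trade-off visible to whoever sets the value. The Service also keeps advertising 9901 when `global.useMCP` is false and `--enable-server=false` is passed, so the port is exposed with nothing listening; gating the service port on the same value would keep the two templates consistent. The container spec continues past the end of this hunk.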
diff --git a/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl b/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl deleted file mode 100644 index 45f78c7..0000000 --- a/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl +++ /dev/null 
@@ -1,113 +0,0 @@ -{{ define "validatingwebhookconfiguration.yaml.tpl" }} -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-galley - namespace: {{ .Release.Namespace }} - labels: - app: istio-galley - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -webhooks: -{{- if .Values.global.configValidation }} - - name: pilot.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: {{ .Release.Namespace }} - path: "/admitpilot" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - httpapispecs - - httpapispecbindings - - quotaspecs - - quotaspecbindings - - operations: - - CREATE - - UPDATE - apiGroups: - - rbac.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - authentication.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - networking.istio.io - apiVersions: - - "*" - resources: - - destinationrules - - envoyfilters - - gateways - # disabled per @costinm's request - # - serviceentries - - virtualservices - failurePolicy: Fail - - name: mixer.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: {{ .Release.Namespace }} - path: "/admitmixer" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - rules - - attributemanifests - - circonuses - - deniers - - fluentds - - kubernetesenvs - - listcheckers - - memquotas - - noops - - opas - - prometheuses - - rbacs - - servicecontrols - - solarwindses - - stackdrivers - - statsds - - stdios - - apikeys - - authorizations - - checknothings - # - kuberneteses - - listentries - - logentries - - metrics - - quotas - - reportnothings - - servicecontrolreports - - 
tracespans - failurePolicy: Fail -{{- end }} -{{- end }} diff --git a/istio/charts/gateways/Chart.yaml b/istio/charts/gateways/Chart.yaml index 6c962e6..1bc2806 100644 --- a/istio/charts/gateways/Chart.yaml +++ b/istio/charts/gateways/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gateways -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/istio/charts/gateways/templates/autoscale.yaml b/istio/charts/gateways/templates/autoscale.yaml index 1976d89..2455ac3 100644 --- a/istio/charts/gateways/templates/autoscale.yaml +++ b/istio/charts/gateways/templates/autoscale.yaml @@ -1,19 +1,26 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} -{{- if and $spec.enabled $spec.autoscaleMin }} +{{- if ne $key "enabled" }} +{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ $key }} - namespace: {{ $spec.namespace | default $.Release.Namespace }} + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} spec: - maxReplicas: {{ $spec.autoscaleMax }} - minReplicas: {{ $spec.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: {{ $key }} - metrics: + maxReplicas: {{ $spec.autoscaleMax }} + minReplicas: {{ $spec.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $key }} + metrics: - type: Resource resource: name: cpu diff --git a/istio/charts/gateways/templates/clusterrole.yaml b/istio/charts/gateways/templates/clusterrole.yaml index e8987d8..9c8862a 100644 --- a/istio/charts/gateways/templates/clusterrole.yaml 
+++ b/istio/charts/gateways/templates/clusterrole.yaml @@ -1,18 +1,20 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: {{ $key }}-{{ $.Release.Namespace }} labels: - app: {{ template "istio.name" $ }} - chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} - name: {{ $key }}-{{ $.Release.Namespace }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} rules: -- apiGroups: ["extensions"] - resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] verbs: ["get", "watch", "list", "update"] --- {{- end }} diff --git a/istio/charts/gateways/templates/clusterrolebindings.yaml b/istio/charts/gateways/templates/clusterrolebindings.yaml index 1665a08..bbcc551 100644 --- a/istio/charts/gateways/templates/clusterrolebindings.yaml +++ b/istio/charts/gateways/templates/clusterrolebindings.yaml 
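Review bot: The rule moved to `networking.istio.io` keeps `update` in its verbs, so every gateway service account can modify virtualservices, destinationrules and gateways cluster-wide, although the `istio-proxy` container in deployment.yaml only receives this configuration through pilot. If nothing in the gateway pod writes these resources, `verbs: ["get", "watch", "list"]` is the least-privilege form; if the wider grant is deliberate (it appears to match what upstream shipped), a comment on the rule saying why would stop the next reviewer from trimming it.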
@@ -1,18 +1,25 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ $key }}-{{ $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ $key }}-{{ $.Release.Namespace }} subjects: - - kind: ServiceAccount - name: {{ $key }}-service-account - namespace: {{ $.Release.Namespace }} +- kind: ServiceAccount + name: {{ $key }}-service-account + namespace: {{ $.Release.Namespace }} --- {{- end }} {{- end }} diff --git a/istio/charts/gateways/templates/deployment.yaml b/istio/charts/gateways/templates/deployment.yaml index ce38f79..9b702ea 100644 --- a/istio/charts/gateways/templates/deployment.yaml +++ b/istio/charts/gateways/templates/deployment.yaml 
@@ -1,49 +1,117 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: {{ $key }} namespace: {{ $spec.namespace | default $.Release.Namespace }} labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} spec: +{{- if not $spec.autoscaleEnabled }} +{{- if $spec.replicaCount }} replicas: {{ $spec.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + selector: + matchLabels: + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} template: metadata: labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" +{{- if $spec.podAnnotations }} +{{ toYaml $spec.podAnnotations | indent 8 }} +{{ end }} spec: serviceAccountName: {{ $key }}-service-account {{- if $.Values.global.priorityClassName }} priorityClassName: "{{ $.Values.global.priorityClassName }}" +{{- end }} +{{- if $.Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" $.Values.global.proxy_init.image }} + image: "{{ $.Values.global.proxy_init.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + securityContext: + privileged: true {{- end }} containers: +{{- if 
$spec.sds }} +{{- if $spec.sds.enabled }} + - name: ingress-sds +{{- if contains "/" $spec.sds.image }} + image: "{{ $spec.sds.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $spec.sds.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + env: + - name: "ENABLE_WORKLOAD_SDS" + value: "false" + - name: "ENABLE_INGRESS_GATEWAY_SDS" + value: "true" + - name: "INGRESS_GATEWAY_NAMESPACE" + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: ingressgatewaysdsudspath + mountPath: /var/run/ingress_gateway +{{- end }} +{{- end }} - name: istio-proxy - image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: {{- range $key, $val := $spec.ports }} - containerPort: {{ $val.port }} {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy - router - - -v - - "2" - - --discoveryRefreshDelay - - '1s' #discoveryRefreshDelay + - --domain + - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} + {{- end}} + {{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} + {{- end}} - --drainDuration - '45s' #drainDuration - --parentShutdownDuration @@ -53,7 +121,9 @@ spec: - --serviceCluster - {{ $key }} - --zipkinAddress - {{- if $.Values.global.istioNamespace }} + {{- if $.Values.global.tracer.zipkin.address }} + - {{ $.Values.global.tracer.zipkin.address }} + {{- else if $.Values.global.istioNamespace }} - zipkin.{{ $.Values.global.istioNamespace }}:9411 {{- else }} - zipkin:9411 
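Review bot: The `enable-core-dump` init container runs with `privileged: true` and rewrites `kernel.core_pattern` on the node, a host-wide setting that outlives the pod and applies to every workload scheduled there, while the `ulimit -c unlimited` in the same shell only affects the init container's own process and does not carry over to `istio-proxy`. A comment next to the `{{- if $.Values.global.proxy.enableCoreDump }}` guard stating both facts would help operators decide whether to enable it outside debugging. Separately, this container hard-codes `imagePullPolicy: IfNotPresent` while the `ingress-sds` and `istio-proxy` containers in the same hunk use `{{ $.Values.global.imagePullPolicy }}`; using the value here keeps the three consistent. The pod spec continues past the end of this hunk.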
@@ -61,28 +131,47 @@ spec: {{- if $.Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }} + {{- end }} + {{- if $.Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }} {{- end }} - --proxyAdminPort - "15000" + - --statusPort + - "15020" {{- if $.Values.global.controlPlaneSecurityEnabled }} - --controlPlaneAuthPolicy - MUTUAL_TLS - --discoveryAddress {{- if $.Values.global.istioNamespace }} - - istio-pilot.{{ $.Values.global.istioNamespace }}:15005 + - istio-pilot.{{ $.Values.global.istioNamespace }}:15011 {{- else }} - - istio-pilot:15005 + - istio-pilot:15011 {{- end }} {{- else }} - --controlPlaneAuthPolicy - NONE - --discoveryAddress {{- if $.Values.global.istioNamespace }} - - istio-pilot.{{ $.Values.global.istioNamespace }}:8080 + - istio-pilot.{{ $.Values.global.istioNamespace }}:15010 {{- else }} - - istio-pilot:8080 + - istio-pilot:15010 {{- end }} {{- end }} + {{- if $.Values.global.trustDomain }} + - --trust-domain={{ $.Values.global.trustDomain }} + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 resources: {{- if $spec.resources }} {{ toYaml $spec.resources | indent 12 }} @@ -90,6 +179,11 @@ spec: {{ toYaml $.Values.global.defaultResources | indent 12 }} {{- end }} env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: 
@@ -105,11 +199,48 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: + apiVersion: v1 fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ISTIO_META_USER_SDS + value: "true" + {{- end }} + {{- end }} + {{- if $spec.env }} + {{- range $key, $val := $spec.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- end }} volumeMounts: + {{- if $.Values.global.sds.enabled }} + - name: sdsudspath + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ingressgatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- end }} + {{- end }} - name: istio-certs mountPath: /etc/certs readOnly: true @@ -122,6 +253,27 @@ spec: {{ toYaml $spec.additionalContainers | indent 8 }} {{- end }} volumes: + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ingressgatewaysdsudspath + emptyDir: {} + {{- end }} + {{- end }} + {{- if $.Values.global.sds.enabled }} + - name: sdsudspath + hostPath: + path: /var/run/sds/uds_path + type: Socket + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ $.Values.global.trustDomain }} + {{- end }} + {{- end }} - name: istio-certs secret: secretName: istio.{{ $key }}-service-account 
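Review bot: The new `$spec.env` loop emits `value: {{ $val }}` unquoted, so a value such as `true`, `123` or `1e3` is parsed as a non-string YAML scalar and the apply is rejected, because container env values must be strings; `value: {{ $val | quote }}` avoids that and matches how the gateway service template in this patch quotes annotation values. The `ISTIO_META_CONFIG_NAMESPACE` fieldRef also lacks the `apiVersion: v1` that the neighbouring `HOST_IP` and `ISTIO_META_POD_NAME` entries carry; it defaults correctly but reads as an oversight. The container spec starts and ends outside this hunk.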
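Review bot: The projected service account token sets `audience: {{ $.Values.global.trustDomain }}` with no guard, so when `global.sds.useTrustworthyJwt` is on but `trustDomain` is unset the field renders empty and the token request is rejected; wrapping the line in `{{- if $.Values.global.trustDomain }}` (as the `--trust-domain` flag is guarded earlier in this file) or supplying a default would fail more usefully. The `sdsudspath` volume is a `hostPath` of `type: Socket`, which needs hostPath volumes to be permitted by whatever pod security policy applies to the gateway namespace; a one-line comment above it noting that requirement would save a failed rollout. The volumes list continues past the end of this hunk.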
@@ -139,7 +291,8 @@ spec: optional: true {{- end }} affinity: - {{- include "nodeaffinity" $ | indent 6 }} + {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }} + {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }} --- {{- end }} {{- end }} diff --git a/istio/charts/gateways/templates/service.yaml b/istio/charts/gateways/templates/service.yaml index 0d594cc..9474f04 100644 --- a/istio/charts/gateways/templates/service.yaml +++ b/istio/charts/gateways/templates/service.yaml @@ -1,5 +1,5 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} apiVersion: v1 kind: Service @@ -8,12 +8,12 @@ metadata: namespace: {{ $spec.namespace | default $.Release.Namespace }} annotations: {{- range $key, $val := $spec.serviceAnnotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} @@ -23,12 +23,18 @@ spec: {{- end }} {{- if $spec.loadBalancerSourceRanges }} loadBalancerSourceRanges: -{{- range $spec.loadBalancerSourceRanges }} - - {{ . }} +{{ toYaml $spec.loadBalancerSourceRanges | indent 4 }} {{- end }} +{{- if $spec.externalTrafficPolicy }} + externalTrafficPolicy: {{$spec.externalTrafficPolicy }} +{{- end }} +{{- if $spec.externalIPs }} + externalIPs: +{{ toYaml $spec.externalIPs | indent 4 }} {{- end }} type: {{ .type }} selector: + release: {{ $.Release.Name }} {{- range $key, $val := $spec.labels }} {{ $key }}: {{ $val }} {{- end }} 
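Review bot: The new `externalIPs` block lets a gateway Service claim arbitrary addresses that the cluster will then route to this gateway, which is a cluster-wide effect rather than a per-release one, and nothing in the template or values flags it. A comment above the block, `# externalIPs routes cluster traffic for these addresses to this gateway; leave unset unless the operator owns the address range`, would make the scope clear. The Service spec continues past the end of this hunk.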
@@ -39,6 +45,14 @@ spec: {{ $pkey}}: {{ $pval }} {{- end }} {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $spec.meshExpansionPorts }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} --- {{- end }} {{- end }} diff --git a/istio/charts/gateways/templates/serviceaccount.yaml b/istio/charts/gateways/templates/serviceaccount.yaml index 37a252c..d4f6938 100644 --- a/istio/charts/gateways/templates/serviceaccount.yaml +++ b/istio/charts/gateways/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ {{- range $key, $spec := .Values }} -{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if ne $key "enabled" }} {{- if $spec.enabled }} apiVersion: v1 kind: ServiceAccount @@ -13,11 +13,12 @@ metadata: name: {{ $key }}-service-account namespace: {{ $spec.namespace | default $.Release.Namespace }} labels: - app: {{ $spec.labels.istio }} - chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} + app: {{ $spec.labels.app }} + chart: {{ template "gateway.chart" $ }} heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} --- {{- end }} {{- end }} {{- end }} + diff --git a/istio/charts/grafana/Chart.yaml b/istio/charts/grafana/Chart.yaml index d64a073..8ed3469 100644 --- a/istio/charts/grafana/Chart.yaml +++ b/istio/charts/grafana/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: grafana -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" diff --git a/istio/charts/grafana/templates/_helpers.tpl b/istio/charts/grafana/templates/_helpers.tpl index dae241d..9d4c592 100644 --- a/istio/charts/grafana/templates/_helpers.tpl +++ b/istio/charts/grafana/templates/_helpers.tpl 
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "grafana.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "grafana.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/grafana/templates/configmap.yaml b/istio/charts/grafana/templates/configmap.yaml index 17730f2..c86efe1 100644 --- a/istio/charts/grafana/templates/configmap.yaml +++ b/istio/charts/grafana/templates/configmap.yaml 
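Review bot: The comment above `grafana.chart` says it creates the chart name and version, but the define only emits `.Chart.Name | trunc 63 | trimSuffix "-"`, so every `chart:` label rendered from it in this patch carries no version. If dropping the version is intended (it keeps pod templates stable across chart bumps), the comment should say so, e.g. `Chart label: name only; the version is deliberately omitted so pod templates do not change on every chart bump`; otherwise the define should append `-{{ .Chart.Version | replace "+" "_" }}` as the removed inline labels did.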
@@ -1,16 +1,25 @@ apiVersion: v1 kind: ConfigMap metadata: - name: istio-grafana-custom-resources + name: istio-grafana namespace: {{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: grafana data: - custom-resources.yaml: |- - {{- include "grafana-default.yaml.tpl" . | indent 4}} - run.sh: |- - {{- include "install-custom-resources.sh.tpl" . | indent 4}} +{{- if .Values.datasources }} + {{- range $key, $value := .Values.datasources }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/istio/charts/grafana/templates/create-custom-resources-job.yaml b/istio/charts/grafana/templates/create-custom-resources-job.yaml index 6d8b93d..2fe2c96 100644 --- a/istio/charts/grafana/templates/create-custom-resources-job.yaml +++ b/istio/charts/grafana/templates/create-custom-resources-job.yaml 
@@ -1,21 +1,33 @@ apiVersion: v1 kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} metadata: name: istio-grafana-post-install-account namespace: {{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-grafana-post-install-{{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -23,13 +35,13 @@ rules: resources: ["*"] verbs: ["*"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }} labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: 
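Review bot: The ServiceAccount now carries two `imagePullSecrets:` blocks, one inserted before `metadata:` and an identical one after `labels:`, so the rendered document has a duplicate top-level key whenever `global.imagePullSecrets` is set; strict YAML parsers reject it and lenient ones silently keep one copy. Keep only the second block (after `metadata`) and delete the first `{{- if .Values.global.imagePullSecrets }}` … `{{- end }}` run.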
@@ -44,28 +56,30 @@ subjects: apiVersion: batch/v1 kind: Job metadata: - name: istio-grafana-post-install + name: istio-grafana-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }} namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": post-install "helm.sh/hook-delete-policy": hook-succeeded labels: - app: istio-grafana - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: template: metadata: name: istio-grafana-post-install labels: app: istio-grafana + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: serviceAccountName: istio-grafana-post-install-account containers: - - name: hyperkube - image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" + - name: kubectl + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] volumeMounts: - mountPath: "/tmp/grafana" @@ -75,3 +89,6 @@ spec: configMap: name: istio-grafana-custom-resources restartPolicy: OnFailure + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/grafana/templates/deployment.yaml b/istio/charts/grafana/templates/deployment.yaml index cd6541a..9348494 100644 --- a/istio/charts/grafana/templates/deployment.yaml +++ b/istio/charts/grafana/templates/deployment.yaml 
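Review bot: The Job still mounts `configMap: name: istio-grafana-custom-resources` and runs `/tmp/grafana/run.sh` with `custom-resources.yaml`, but the configmap.yaml hunk earlier in this patch renames that ConfigMap to `istio-grafana` and drops both keys, so unless another template in this change still produces `istio-grafana-custom-resources` the post-install pod will stay in ContainerCreating waiting for a ConfigMap that no longer exists. Either keep a separate template for that ConfigMap or remove the job if the custom-resources step is gone in 1.1. The Job's pod spec continues past the end of this hunk.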
@@ -1,54 +1,64 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: grafana namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: grafana template: metadata: labels: app: grafana + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: + securityContext: + runAsUser: 472 + fsGroup: 472 {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} +{{- end }} {{- end }} containers: - name: {{ .Chart.Name }} -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" -{{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - - containerPort: {{ .Values.service.internalPort }} + - containerPort: 3000 readinessProbe: httpGet: path: /login - port: {{ .Values.service.internalPort }} + port: 3000 env: - name: GRAFANA_PORT - value: {{ .Values.service.internalPort | quote }} + value: "3000" {{- if .Values.security.enabled }} - name: GF_SECURITY_ADMIN_USER valueFrom: secretKeyRef: - name: grafana - key: username + name: {{ .Values.security.secretName }} + key: {{ .Values.security.usernameKey }} - name: GF_SECURITY_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: grafana - key: password + name: {{ .Values.security.secretName }} + key: {{ .Values.security.passphraseKey }} - name: GF_AUTH_BASIC_ENABLED value: "true" - name: GF_AUTH_ANONYMOUS_ENABLED @@ -74,9 +84,26 @@ spec: volumeMounts: - name: data mountPath: /data/grafana + {{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} + {{- $filename := trimSuffix (ext $path) (base $path) }} + - name: dashboards-istio-{{ $filename }} + mountPath: "/var/lib/grafana/dashboards/istio/{{ base $path }}" + subPath: {{ base $path }} + readOnly: true + {{- end }} + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} volumes: + - name: config + configMap: + name: istio-grafana - name: data {{- if .Values.persist }} persistentVolumeClaim: 
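Review bot: With `security.enabled`, the admin credentials are now read from `{{ .Values.security.secretName }}` via `usernameKey`/`passphraseKey`, and the chart's own `grafana` Secret is deleted later in this patch, so that Secret has to exist before install or the pod fails with CreateContainerConfigError; nothing in the template says so. A comment above the `{{- if .Values.security.enabled }}` line, `# expects a pre-existing Secret named .Values.security.secretName holding the admin user and password`, plus a matching entry in values.yaml, would make the contract explicit. Moving the credentials out of values is the right direction, since the removed template rendered them from plaintext values into the release. The container spec continues past the end of this hunk.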
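Review bot: The two `config` mounts use `subPath: datasources.yaml` and `subPath: dashboardproviders.yaml`, which only exist in the `istio-grafana` ConfigMap if `.Values.datasources` and `.Values.dashboardProviders` contain keys of exactly those names (the configmap.yaml hunk earlier in this patch builds its data from those maps); a subPath to a missing key fails the mount and the pod never starts. Either guard each mount with the same `{{- if .Values.datasources }}` condition the ConfigMap uses, or document in values.yaml that those two keys are mandatory. The dashboard volume names generated here must also match the `istio-grafana-configuration-dashboards-<name>` ConfigMaps referenced in the next hunk, which nothing in the visible part of this patch creates.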
@@ -84,3 +111,9 @@ spec: {{- else }} emptyDir: {} {{- end }} +{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} +{{- $filename := trimSuffix (ext $path) (base $path) }} + - name: dashboards-istio-{{ $filename }} + configMap: + name: istio-grafana-configuration-dashboards-{{ $filename }} +{{- end }} diff --git a/istio/charts/grafana/templates/grafana-ports-mtls.yaml b/istio/charts/grafana/templates/grafana-ports-mtls.yaml index 8f2258d..b9a3926 100644 --- a/istio/charts/grafana/templates/grafana-ports-mtls.yaml +++ b/istio/charts/grafana/templates/grafana-ports-mtls.yaml @@ -4,6 +4,11 @@ kind: Policy metadata: name: grafana-ports-mtls-disabled namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: targets: - name: grafana diff --git a/istio/charts/grafana/templates/pvc.yaml b/istio/charts/grafana/templates/pvc.yaml index d95b94b..e376a13 100644 --- a/istio/charts/grafana/templates/pvc.yaml +++ b/istio/charts/grafana/templates/pvc.yaml @@ -3,15 +3,16 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: istio-grafana-pvc + namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: storageClassName: {{ .Values.storageClassName }} accessModes: - - ReadWriteOnce + - {{ .Values.accessMode }} resources: requests: storage: 5Gi diff --git a/istio/charts/grafana/templates/secret.yaml b/istio/charts/grafana/templates/secret.yaml deleted file mode 100644 index ec0e2ad..0000000 --- a/istio/charts/grafana/templates/secret.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ - -{{- if .Values.security.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: grafana - namespace: {{ .Release.Namespace }} - labels: - app: grafana -type: Opaque -data: - username: {{ .Values.security.adminUser | b64enc | quote }} - password: {{ .Values.security.adminPassword | b64enc | quote }} -{{- end -}} diff --git a/istio/charts/grafana/templates/service.yaml b/istio/charts/grafana/templates/service.yaml index 555a3f1..1dfd82c 100644 --- a/istio/charts/grafana/templates/service.yaml +++ b/istio/charts/grafana/templates/service.yaml @@ -5,19 +5,28 @@ metadata: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "grafana.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + targetPort: 3000 protocol: TCP name: {{ .Values.service.name }} selector: app: grafana +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} + {{if .Values.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{range $rangeList := .Values.service.loadBalancerSourceRanges}} + - {{ $rangeList }} + {{end}} + {{end}} \ No newline at end of file diff --git a/istio/charts/ingress/Chart.yaml b/istio/charts/ingress/Chart.yaml deleted file mode 100644 index a2f12b1..0000000 --- a/istio/charts/ingress/Chart.yaml +++ /dev/null 
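Review bot: The new `loadBalancerSourceRanges` block in service.yaml uses untrimmed `{{if}}`, `{{range}}` and `{{end}}` actions, so the rendered Service contains whitespace-only lines, and its two-space indent differs from the `{{- if .Values.service.loadBalancerIP }}` block directly above it at column 0; the file also now ends without a trailing newline. Writing it as `{{- if .Values.service.loadBalancerSourceRanges }}` / `{{- range $rangeList := .Values.service.loadBalancerSourceRanges }}` / `{{- end }}` matches the surrounding template style. A comment in values.yaml that the source-range restriction is only enforced when `service.type` is `LoadBalancer` would save users from assuming it protects a ClusterIP or NodePort service.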
@@ -1,13 +0,0 @@ -apiVersion: v1 -name: ingress -version: 1.0.1 -appVersion: 1.0.1 -tillerVersion: ">=2.7.2" -description: Helm chart for ingress deployment -keywords: - - istio - - ingress -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/favicons/android-192x192.png diff --git a/istio/charts/ingress/templates/autoscale.yaml b/istio/charts/ingress/templates/autoscale.yaml deleted file mode 100644 index d962840..0000000 --- a/istio/charts/ingress/templates/autoscale.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.autoscaleMin }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istio-ingress - namespace: {{ .Release.Namespace }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: istio-ingress - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 -{{ end }} diff --git a/istio/charts/ingress/templates/clusterrole.yaml b/istio/charts/ingress/templates/clusterrole.yaml deleted file mode 100644 index f65c0d6..0000000 --- a/istio/charts/ingress/templates/clusterrole.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - labels: - app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: istio-ingress-{{ .Release.Namespace }} -rules: -- apiGroups: ["extensions"] - resources: ["thirdpartyresources", "ingresses"] - verbs: ["get", "watch", "list", "update"] -- apiGroups: [""] - resources: ["configmaps", "pods", "endpoints", "services"] - verbs: ["get", "watch", "list"] diff --git a/istio/charts/ingress/templates/clusterrolebinding.yaml b/istio/charts/ingress/templates/clusterrolebinding.yaml deleted file mode 100644 index d07e893..0000000 
--- a/istio/charts/ingress/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: istio-ingress-{{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-pilot-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-ingress-service-account - namespace: {{ .Release.Namespace }} diff --git a/istio/charts/ingress/templates/deployment.yaml b/istio/charts/ingress/templates/deployment.yaml deleted file mode 100644 index 83fb663..0000000 --- a/istio/charts/ingress/templates/deployment.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: istio-ingress - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: ingress -spec: - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - istio: ingress - annotations: - sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: - serviceAccountName: istio-ingress-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "istio.name" . }} - image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 80 - - containerPort: 443 - args: - - proxy - - ingress - - -v - - "2" - - --discoveryRefreshDelay - - '1s' #discoveryRefreshDelay - - --drainDuration - - '45s' #drainDuration - - --parentShutdownDuration - - '1m0s' #parentShutdownDuration - - --connectTimeout - - '10s' #connectTimeout - - --serviceCluster - - istio-ingress - - --zipkinAddress - - zipkin:9411 - {{- if .Values.global.proxy.envoyStatsd.enabled }} - - --statsdUdpAddress - - {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} - {{- end }} - - --proxyAdminPort - - "15000" - {{- if .Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --discoveryAddress - - istio-pilot:15005 - {{- else }} - - --controlPlaneAuthPolicy - - NONE - - --discoveryAddress - - istio-pilot:8080 - {{- end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: 
metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - volumeMounts: - - name: istio-certs - mountPath: /etc/certs - readOnly: true - - name: ingress-certs - mountPath: /etc/istio/ingress-certs - readOnly: true - volumes: - - name: istio-certs - secret: - secretName: istio.istio-ingress-service-account - optional: true - - name: ingress-certs - secret: - secretName: istio-ingress-certs - optional: true - affinity: - {{- include "nodeaffinity" . | indent 6 }} diff --git a/istio/charts/ingress/templates/service.yaml b/istio/charts/ingress/templates/service.yaml deleted file mode 100644 index 41bf272..0000000 --- a/istio/charts/ingress/templates/service.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istio-ingress - namespace: {{ .Release.Namespace }} - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: ingress - annotations: - {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} - {{- end }} -spec: -{{- if .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" -{{- end }} - type: {{ .Values.service.type }} - selector: - istio: ingress - ports: - {{- range $key, $val := .Values.service.ports }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} ---- diff --git a/istio/charts/ingress/templates/serviceaccount.yaml b/istio/charts/ingress/templates/serviceaccount.yaml deleted file mode 100644 index dfcfe25..0000000 --- a/istio/charts/ingress/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-ingress-service-account - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} diff --git a/istio/charts/kiali/Chart.yaml b/istio/charts/kiali/Chart.yaml index bb7ed26..ff936e0 100644 --- a/istio/charts/kiali/Chart.yaml +++ b/istio/charts/kiali/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 -description: Kiali is an open source project for service mesh observability, refer to https://github.com/kiali/kiali for detail. +description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details. name: kiali -version: 1.0.1 -appVersion: 0.6.0 +version: 1.1.0 +appVersion: 0.16 tillerVersion: ">=2.7.2" diff --git a/istio/charts/kiali/templates/clusterrole.yaml b/istio/charts/kiali/templates/clusterrole.yaml index 05259fa..cd43b7b 100644 --- a/istio/charts/kiali/templates/clusterrole.yaml +++ b/istio/charts/kiali/templates/clusterrole.yaml 
@@ -3,64 +3,237 @@ kind: ClusterRole metadata: name: kiali labels: - app: kiali - version: master + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} rules: -- apiGroups: ["","apps", "autoscaling"] +- apiGroups: [""] resources: - configmaps + - endpoints - namespaces - nodes - pods - - projects - services - - endpoints + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: - horizontalpodautoscalers verbs: - get - list - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch - apiGroups: ["config.istio.io"] resources: - - rules + - apikeys + - authorizations + - checknothings - circonuses - deniers - fluentds + - handlers - kubernetesenvs + - kuberneteses - listcheckers + - listentries + - logentries - memquotas + - metrics - opas - prometheuses + - quotas + - quotaspecbindings + - quotaspecs - rbacs - - servicecontrols + - reportnothings + - rules - solarwindses - stackdrivers - statsds - stdios + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: kiali-viewer + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: - apikeys - authorizations - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs - kuberneteses + - listcheckers - listentries - logentries + - memquotas - metrics + - opas + - prometheuses - quotas + - quotaspecbindings + - quotaspecs + - rbacs - reportnothings + - rules - servicecontrolreports - - quotaspecs - - quotaspecbindings + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios verbs: - get - list - watch - apiGroups: ["networking.istio.io"] resources: - - virtualservices - destinationrules - - serviceentries - gateways + - serviceentries + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies verbs: - get - list - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - get + - list + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get diff --git a/istio/charts/kiali/templates/clusterrolebinding.yaml b/istio/charts/kiali/templates/clusterrolebinding.yaml index 82cfd7f..2fa14d6 100644 --- a/istio/charts/kiali/templates/clusterrolebinding.yaml 
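Review bot: The rewritten `kiali` ClusterRole grants cluster-wide `create`, `delete` and `patch` on `rbac.istio.io` (clusterrbacconfigs, serviceroles, servicerolebindings), `authentication.istio.io` (policies, meshpolicies) and `networking.istio.io`, so a compromise of the Kiali UI becomes the ability to rewrite mesh authentication and authorization policy in every namespace. The same hunk adds a read-only `kiali-viewer` role, but nothing visible in this diff binds it, and the binding is still named `istio-kiali-admin-role-binding` (its `roleRef` lies outside the visible hunk). Consider exposing the bound role as a chart value defaulting to `kiali-viewer`, and add a comment above the first role such as `# Grants write access to Istio policy objects cluster-wide; bind only where operators must edit the mesh from the UI`.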
+++ b/istio/charts/kiali/templates/clusterrolebinding.yaml @@ -3,8 +3,8 @@ kind: ClusterRoleBinding metadata: name: istio-kiali-admin-role-binding-{{ .Release.Namespace }} labels: - app: kiali - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/kiali/templates/configmap.yaml b/istio/charts/kiali/templates/configmap.yaml index 529d204..ec83a9e 100644 --- a/istio/charts/kiali/templates/configmap.yaml +++ b/istio/charts/kiali/templates/configmap.yaml @@ -4,9 +4,19 @@ metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} data: config.yaml: | + istio_namespace: {{ .Release.Namespace }} server: port: 20001 - static_content_root_directory: /opt/kiali/console + external_services: + istio: + url_service_version: http://istio-pilot:8080/version + jaeger: + url: {{ .Values.dashboard.jaegerURL }} + grafana: + url: {{ .Values.dashboard.grafanaURL }} diff --git a/istio/charts/kiali/templates/deployment.yaml b/istio/charts/kiali/templates/deployment.yaml index 35d11c5..f0f9e5b 100644 --- a/istio/charts/kiali/templates/deployment.yaml +++ b/istio/charts/kiali/templates/deployment.yaml @@ -1,13 +1,13 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} selector: 
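Review bot: In the kiali configmap hunk, `url_service_version: http://istio-pilot:8080/version` is hard-coded to plain HTTP and is not exposed through values, unlike the jaeger and grafana URLs on the following lines; consider reading it from a value in the same way, with this URL as the default. `{{ .Values.dashboard.jaegerURL }}` and `{{ .Values.dashboard.grafanaURL }}` are unquoted, so an unset value renders as a null `url:` entry inside the config file; piping them through `| quote`, as the ingress annotations in this chart already do, keeps them valid strings.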
@@ -18,9 +18,14 @@ spec: name: kiali labels: app: kiali + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/scrape: "true" + prometheus.io/port: "9090" spec: serviceAccountName: kiali-service-account {{- if .Values.global.priorityClassName }} @@ -40,35 +45,17 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - - name: SERVER_CREDENTIALS_USERNAME - valueFrom: - secretKeyRef: - name: kiali - key: username - - name: SERVER_CREDENTIALS_PASSWORD - valueFrom: - secretKeyRef: - name: kiali - key: passphrase - name: PROMETHEUS_SERVICE_URL - value: http://prometheus:9090 -{{- if .Values.dashboard.grafanaURL }} - - name: GRAFANA_URL - value: {{ .Values.dashboard.grafanaURL }} -{{- end }} - - name: GRAFANA_DASHBOARD - value: istio-service-dashboard - - name: GRAFANA_VAR_SERVICE_SOURCE - value: var-service - - name: GRAFANA_VAR_SERVICE_DEST - value: var-service -{{- if .Values.dashboard.jaegerURL }} - - name: JAEGER_URL - value: {{ .Values.dashboard.jaegerURL }} + value: {{ .Values.prometheusAddr }} +{{- if .Values.contextPath }} + - name: SERVER_WEB_ROOT + value: {{ .Values.contextPath }} {{- end }} volumeMounts: - name: kiali-configuration mountPath: "/kiali-configuration" + - name: kiali-secret + mountPath: "/kiali-secret" resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 10 }} @@ -79,3 +66,10 @@ spec: - name: kiali-configuration configMap: name: kiali + - name: kiali-secret + secret: + secretName: {{ .Values.dashboard.secretName }} + optional: true + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/kiali/templates/ingress.yaml b/istio/charts/kiali/templates/ingress.yaml index 834f885..2e2a0de 100644 --- a/istio/charts/kiali/templates/ingress.yaml +++ b/istio/charts/kiali/templates/ingress.yaml 
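Review bot: The `@@ -40,35 +45,17 @@` hunk drops the `SERVER_CREDENTIALS_USERNAME`/`SERVER_CREDENTIALS_PASSWORD` env entries and instead mounts `{{ .Values.dashboard.secretName }}` at `/kiali-secret` with `optional: true`, while the chart's own `secrets.yaml` is deleted elsewhere in this commit. The pod will therefore start with no credentials at all when the named secret has not been pre-created; what Kiali does in that case is not visible here, but a silent fallback to an unauthenticated dashboard would be worse than a pod that fails to start. Either set `optional: false`, or document in the chart README and values.yaml that the secret must exist before install and which keys it needs. `value: {{ .Values.prometheusAddr }}` is unquoted; `| quote` keeps it a string as with the other templated values in the chart.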
@@ -5,22 +5,34 @@ metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: rules: +{{- if .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }} - host: {{ $host }} http: paths: - - path: / + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }} backend: serviceName: kiali servicePort: 20001 {{- end -}} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }} + backend: + serviceName: kiali + servicePort: 20001 +{{- end }} {{- if .Values.ingress.tls }} tls: {{ toYaml .Values.ingress.tls | indent 4 }} diff --git a/istio/charts/kiali/templates/secrets.yaml b/istio/charts/kiali/templates/secrets.yaml deleted file mode 100644 index 6cbfe39..0000000 --- a/istio/charts/kiali/templates/secrets.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: kiali - namespace: {{ .Release.Namespace }} - labels: - app: kiali - -type: Opaque -data: - username: {{ .Values.dashboard.username | b64enc | quote }} - passphrase: {{ .Values.dashboard.passphrase | b64enc | quote }} diff --git a/istio/charts/kiali/templates/service.yaml b/istio/charts/kiali/templates/service.yaml index ef396af..1aa79bf 100644 --- a/istio/charts/kiali/templates/service.yaml +++ b/istio/charts/kiali/templates/service.yaml @@ -4,12 +4,14 @@ metadata: name: kiali namespace: {{ .Release.Namespace }} labels: - app: kiali + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - - name: tcp + - name: http-kiali protocol: TCP port: 20001 - name: http-kiali selector: app: kiali 
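Review bot: The new `{{- else }}` branch in ingress.yaml emits a rule with no `host:`, so when `ingress.hosts` is empty the Kiali backend is served for every hostname the ingress controller answers on. Combined with the chart no longer creating login credentials (secrets.yaml is deleted in this same commit), enabling the ingress without setting hosts or pre-creating the secret publishes the dashboard far more broadly than before; a comment on the branch such as `# No hosts configured: this rule matches any Host header; set ingress.hosts to restrict exposure` would make the trade-off visible. Also, `{{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}` leaves stray spaces around the path, harmless to YAML but untidy; trimmed actions (`{{- if $.Values.contextPath -}}`) give a clean scalar.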
diff --git a/istio/charts/kiali/templates/serviceaccount.yaml b/istio/charts/kiali/templates/serviceaccount.yaml index 7adc385..2ae38a1 100644 --- a/istio/charts/kiali/templates/serviceaccount.yaml +++ b/istio/charts/kiali/templates/serviceaccount.yaml @@ -10,7 +10,7 @@ metadata: name: kiali-service-account namespace: {{ .Release.Namespace }} labels: - app: kiali - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/mixer/Chart.yaml b/istio/charts/mixer/Chart.yaml index b28eafa..89c54c0 100644 --- a/istio/charts/mixer/Chart.yaml +++ b/istio/charts/mixer/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: mixer -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for mixer deployment keywords: diff --git a/istio/charts/mixer/templates/_helpers.tpl b/istio/charts/mixer/templates/_helpers.tpl index ebd724c..dac6da0 100644 --- a/istio/charts/mixer/templates/_helpers.tpl +++ b/istio/charts/mixer/templates/_helpers.tpl 
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "mixer.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mixer.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/mixer/templates/autoscale.yaml b/istio/charts/mixer/templates/autoscale.yaml index 8a80030..377b47d 100644 --- a/istio/charts/mixer/templates/autoscale.yaml +++ b/istio/charts/mixer/templates/autoscale.yaml 
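Review bot: The doc comment above the new `mixer.chart` define says it creates the chart name and version, but the body emits only `.Chart.Name | trunc 63 | trimSuffix "-"`, so the `chart:` labels it feeds elsewhere in this commit lose the version the old `{{ .Chart.Name }}-{{ .Chart.Version }}` label carried. Either render the version, e.g. `{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}` (the form the old labels used), or change the comment to `Create the chart name as used by the chart label.` so the comment matches the output.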
@@ -1,18 +1,23 @@ {{- range $key, $spec := .Values }} -{{- if or (eq $key "istio-policy") (eq $key "istio-telemetry") }} -{{- if and $spec.autoscaleEnabled $spec.autoscaleMin }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ $key }} - namespace: {{ $.Release.Namespace }} + name: istio-{{ $key }} + namespace: {{ $.Release.Namespace }} + labels: + app: {{ template "mixer.name" $ }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} spec: maxReplicas: {{ $spec.autoscaleMax }} minReplicas: {{ $spec.autoscaleMin }} scaleTargetRef: - apiVersion: apps/v1beta1 + apiVersion: apps/v1 kind: Deployment - name: {{ $key }} + name: istio-{{ $key }} metrics: - type: Resource resource: diff --git a/istio/charts/mixer/templates/clusterrole.yaml b/istio/charts/mixer/templates/clusterrole.yaml index 65eed2e..3d7438f 100644 --- a/istio/charts/mixer/templates/clusterrole.yaml +++ b/istio/charts/mixer/templates/clusterrole.yaml 
@@ -1,28 +1,24 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-mixer-{{ .Release.Namespace }} labels: app: {{ template "mixer.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "mixer.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["rbac.istio.io"] # istio RBAC watcher - resources: ["*"] - verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions"] - resources: ["replicasets"] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] verbs: ["get", "list", "watch"] -- apiGroups: ["apps"] +- apiGroups: ["extensions", "apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] +{{- end }} diff --git a/istio/charts/mixer/templates/clusterrolebinding.yaml b/istio/charts/mixer/templates/clusterrolebinding.yaml index 5304a37..773e68b 100644 --- a/istio/charts/mixer/templates/clusterrolebinding.yaml +++ b/istio/charts/mixer/templates/clusterrolebinding.yaml @@ -1,10 +1,11 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-mixer-admin-role-binding-{{ .Release.Namespace }} labels: app: {{ template "mixer.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "mixer.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: 
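Review bot: The rewritten core-API rule in clusterrole.yaml keeps cluster-wide `get`/`list`/`watch` on `secrets` alongside the newly added `replicationcontrollers`, and the `config.istio.io` rule above it still allows `create` and `patch` on `*`. Whether Mixer needs to read every Secret in the cluster is not evident from this chart; if it is required, a short comment naming the reason next to the rule, as `# istio CRD watcher` already does for the first rule, would stop the next reviewer from re-asking. The new `{{- if or ... }}` guard is closed by the `{{- end }}` on the last line, matching the binding template.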
@@ -15,3 +16,4 @@ subjects: - kind: ServiceAccount name: istio-mixer-service-account namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/istio/charts/mixer/templates/config.yaml b/istio/charts/mixer/templates/config.yaml index e8826d1..31b1139 100644 --- a/istio/charts/mixer/templates/config.yaml +++ b/istio/charts/mixer/templates/config.yaml @@ -1,8 +1,14 @@ +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: istioproxy namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: attributes: origin.ip: @@ -21,6 +27,10 @@ spec: valueType: STRING request.path: valueType: STRING + request.url_path: + valueType: STRING + request.query_params: + valueType: STRING_MAP request.reason: valueType: STRING request.referer: @@ -28,7 +38,7 @@ spec: request.scheme: valueType: STRING request.total_size: - valueType: INT64 + valueType: INT64 request.size: valueType: INT64 request.time: @@ -42,11 +52,15 @@ spec: response.headers: valueType: STRING_MAP response.total_size: - valueType: INT64 + valueType: INT64 response.size: valueType: INT64 response.time: valueType: TIMESTAMP + response.grpc_status: + valueType: STRING + response.grpc_message: + valueType: STRING source.uid: valueType: STRING source.user: # DEPRECATED @@ -79,6 +93,8 @@ spec: valueType: STRING context.protocol: valueType: STRING + context.proxy_error_code: + valueType: STRING context.timestamp: valueType: TIMESTAMP context.time: 
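Review bot: The `{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}` opened at the top of config.yaml has no matching `{{- end }}` within the visible hunks, and the file's final hunk runs beyond this view. The clusterrole and clusterrolebinding templates in this commit close the same guard with `{{- end }}` as their last line; confirm config.yaml does too, otherwise rendering fails on an unclosed action. This file holds several `---`-separated documents, so the single guard must enclose all of them, including the adapter-specific blocks that open their own `{{- if and ... }}` conditions later in the file.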
@@ -110,6 +126,18 @@ spec: valueType: STRING request.api_key: valueType: STRING + rbac.permissive.response_code: + valueType: STRING + rbac.permissive.effective_policy_id: + valueType: STRING + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + check.cache_hit: + valueType: BOOL + quota.cache_hit: + valueType: BOOL --- apiVersion: "config.istio.io/v1alpha2" @@ -117,6 +145,11 @@ kind: attributemanifest metadata: name: kubernetes namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: attributes: source.ip: @@ -131,8 +164,6 @@ spec: valueType: STRING source.owner: valueType: STRING - source.service: # DEPRECATED - valueType: STRING source.serviceAccount: valueType: STRING source.services: @@ -157,8 +188,6 @@ spec: valueType: STRING destination.namespace: valueType: STRING - destination.service: # DEPRECATED - valueType: STRING destination.service.uid: valueType: STRING destination.service.name: 
@@ -176,463 +205,720 @@ spec: destination.workload.namespace: valueType: STRING --- +{{- if and .Values.adapters.stdio.enabled .Values.telemetry.enabled }} apiVersion: "config.istio.io/v1alpha2" -kind: stdio +kind: handler metadata: - name: handler + name: stdio namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - outputAsJson: true + compiledAdapter: stdio + params: + outputAsJson: {{ .Values.adapters.stdio.outputAsJson }} --- apiVersion: "config.istio.io/v1alpha2" -kind: logentry +kind: instance metadata: name: accesslog namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - severity: '"Info"' - timestamp: request.time - variables: - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - apiClaims: request.auth.raw_claims | "" - apiKey: request.api_key | request.headers["x-api-key"] | "" - protocol: request.scheme | context.protocol | "http" - method: request.method | "" - url: request.path | "" - responseCode: response.code | 0 - responseSize: response.size | 0 - requestSize: request.size | 0 - requestId: request.headers["x-request-id"] | "" - clientTraceId: 
request.headers["x-client-trace-id"] | "" - latency: response.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - requestedServerName: connection.requested_server_name | "" - userAgent: request.useragent | "" - responseTimestamp: response.time - receivedBytes: request.total_size | 0 - sentBytes: response.total_size | 0 - referer: request.referer | "" - httpAuthority: request.headers[":authority"] | request.host | "" - xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - monitored_resource_type: '"global"' + compiledTemplate: logentry + params: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseFlags: context.proxy_error_code | "" + responseSize: response.size | 0 + permissiveResponseCode: rbac.permissive.response_code | "none" + permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" + requestSize: 
request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + grpcStatus: response.grpc_status | "" + grpcMessage: response.grpc_message | "" + monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" -kind: logentry +kind: instance metadata: name: tcpaccesslog namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - severity: '"Info"' - timestamp: context.time | timestamp("2017-01-01T00:00:00Z") - variables: - connectionEvent: connection.event | "" - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - protocol: context.protocol | "tcp" - connectionDuration: connection.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - requestedServerName: connection.requested_server_name | "" - receivedBytes: connection.received.bytes | 0 - sentBytes: connection.sent.bytes | 0 - totalReceivedBytes: connection.received.bytes_total | 0 - totalSentBytes: connection.sent.bytes_total | 0 - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - monitored_resource_type: '"global"' + compiledTemplate: logentry + params: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: 
destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + responseFlags: context.proxy_error_code | "" + monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdio namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "http" || context.protocol == "grpc" actions: - - handler: handler.stdio + - handler: stdio instances: - - accesslog.logentry + - accesslog --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdiotcp namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "tcp" actions: - - handler: handler.stdio + - handler: stdio instances: - - tcpaccesslog.logentry + - tcpaccesslog +{{- end }} --- +{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }} apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: requestcount namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + 
source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: requestduration namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: response.duration | "0ms" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: requestsize namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: request.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: responsesize namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: response.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: 
destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: tcpbytesent namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: connection.sent.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + 
destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: metric +kind: instance metadata: name: tcpbytereceived namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - value: connection.received.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' + compiledTemplate: metric + params: + value: connection.received.bytes | 0 + dimensions: + 
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" -kind: prometheus +kind: instance metadata: - name: handler + name: tcpconnectionsopened namespace: {{ .Release.Namespace }} spec: - metrics: - - name: requests_total - instance_name: requestcount.metric.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - - name: request_duration_seconds - instance_name: requestduration.metric.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - 
reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_bytes - instance_name: requestsize.metric.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: response_bytes - instance_name: responsesize.metric.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_sent_bytes_total - instance_name: tcpbytesent.metric.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - 
destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - name: tcp_received_bytes_total - instance_name: tcpbytereceived.metric.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance 
+metadata: + name: tcpconnectionsclosed + namespace: {{ .Release.Namespace }} +spec: + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: prometheus + params: + metricsExpirationPolicy: + metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}" + metrics: + - name: requests_total + instance_name: requestcount.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - 
destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: 
tcp_connections_opened_total + instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_closed_total + instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promhttp namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - match: context.protocol == "http" || context.protocol == "grpc" + match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) actions: - - handler: handler.prometheus + - handler: prometheus instances: - - requestcount.metric - - requestduration.metric - - requestsize.metric - - responsesize.metric + - requestcount + - requestduration + - requestsize + - responsesize --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcp namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . 
}} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "tcp" actions: - - handler: handler.prometheus + - handler: prometheus instances: - - tcpbytesent.metric - - tcpbytereceived.metric + - tcpbytesent + - tcpbytereceived +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionopen + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "open") + actions: + - handler: prometheus + instances: + - tcpconnectionsopened --- - apiVersion: "config.istio.io/v1alpha2" -kind: kubernetesenv +kind: rule metadata: - name: handler + name: promtcpconnectionclosed namespace: {{ .Release.Namespace }} spec: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + match: context.protocol == "tcp" && ((connection.event | "na") == "close") + actions: + - handler: prometheus + instances: + - tcpconnectionsclosed +{{- end }} +--- +{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }} +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: kubernetesenv + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: kubernetesenv + params: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" --- apiVersion: "config.istio.io/v1alpha2" 
@@ -640,36 +926,53 @@ kind: rule metadata: name: kubeattrgenrulerule namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: actions: - - handler: handler.kubernetesenv + - handler: kubernetesenv instances: - - attributes.kubernetes + - attributes --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: tcpkubeattrgenrulerule namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: match: context.protocol == "tcp" actions: - - handler: handler.kubernetesenv + - handler: kubernetesenv instances: - - attributes.kubernetes + - attributes --- apiVersion: "config.istio.io/v1alpha2" -kind: kubernetes +kind: instance metadata: name: attributes namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - destination_port: destination.port | 0 - attribute_bindings: + compiledTemplate: kubernetes + params: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attributeBindings: # Fill the new attributes from the adapter produced output. # $out refers to an instance of OutputTemplate message source.ip: $out.source_pod_ip | ip("0.0.0.0") 
@@ -693,8 +996,9 @@ spec: destination.workload.uid: $out.destination_workload_uid | "unknown" destination.workload.name: $out.destination_workload_name | "unknown" destination.workload.namespace: $out.destination_workload_namespace | "unknown" - +{{- end }} --- +{{- if .Values.policy.enabled }} # Configuration needed by Mixer. # Mixer cluster is delivered via CDS # Specify mixer cluster settings @@ -703,8 +1007,17 @@ kind: DestinationRule metadata: name: istio-policy namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - host: istio-policy.{{ .Release.Namespace }}.svc.cluster.local + host: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: @@ -717,14 +1030,25 @@ spec: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 +{{- end }} --- +{{- if .Values.telemetry.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-telemetry namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - host: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local + host: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: @@ -737,4 +1061,6 @@ spec: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 +{{- end }} --- +{{- end }} 
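Review bot: The `exportTo` block added to both the istio-policy and istio-telemetry DestinationRules is gated on `global.defaultConfigVisibilitySettings` being truthy but always emits the literal `'*'`, so whatever namespaces that value actually lists are ignored and both rules are exported mesh-wide. If the value is meant to be a namespace list, render it, e.g. `exportTo:` followed by `{{ toYaml .Values.global.defaultConfigVisibilitySettings | indent 4 }}`; if only presence matters, a comment above the `if` should say so. The `host:` change also now renders `svc.` with a trailing dot when `global.proxy.clusterDomain` is empty, so a `required` guard or a default there would fail at template time instead of producing an unroutable host.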
diff --git a/istio/charts/mixer/templates/configmap.yaml b/istio/charts/mixer/templates/configmap.yaml deleted file mode 100644 index ba13dcd..0000000 --- a/istio/charts/mixer/templates/configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-statsd-prom-bridge - namespace: {{ .Release.Namespace }} - labels: - app: istio-statsd-prom-bridge - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: mixer -data: - mapping.conf: |- diff --git a/istio/charts/mixer/templates/deployment.yaml b/istio/charts/mixer/templates/deployment.yaml index eb055f3..cb48b03 100644 --- a/istio/charts/mixer/templates/deployment.yaml +++ b/istio/charts/mixer/templates/deployment.yaml @@ -9,10 +9,30 @@ secret: secretName: istio.istio-mixer-service-account optional: true + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds/uds_path + type: Socket + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} - name: uds-socket emptyDir: {} + - name: policy-adapter-secret + secret: + secretName: policy-adapter-secret + optional: true affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} containers: - name: mixer {{- if contains "/" .Values.image }} 
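Review bot: The projected `serviceAccountToken` source renders `audience: {{ $.Values.global.trustDomain }}` unquoted and unguarded, so an empty or unset `trustDomain` yields a null audience; per the Kubernetes API that defaults to the API server's own audience, which would hand the mixer pod a token usable against the API server instead of one scoped to the SDS agent. Guard the token source on the value being present, e.g. `{{- if and $.Values.global.sds.useTrustworthyJwt $.Values.global.trustDomain }}`, and quote it (`audience: {{ $.Values.global.trustDomain | quote }}`). The `hostPath` volume with `type: Socket` also deserves a one-line comment that the SDS node agent must be running on every node, because pod creation fails when the socket does not exist. The volumes list this hunk extends begins before the hunk.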
@@ -22,37 +42,82 @@ {{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - - containerPort: 9093 + - containerPort: {{ .Values.global.monitoringPort }} - containerPort: 42422 args: + - --monitoringPort={{ .Values.global.monitoringPort }} - --address - unix:///sock/mixer.socket +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} +{{- if $.Values.global.useMCP }} + {{- if $.Values.global.controlPlaneSecurityEnabled}} + - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- else }} + - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- end }} +{{- else }} - --configStoreURL=k8s:// +{{- end }} - --configDefaultNamespace={{ $.Release.Namespace }} - - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + {{- if $.Values.adapters.useAdapterCRDs }} + - --useAdapterCRDs=true + {{- else }} + - --useAdapterCRDs=false + {{- end }} + - --useTemplateCRDs=false + {{- if $.Values.global.tracer.zipkin.address }} + - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans + {{- else }} + - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans + {{- end }} + {{- if .Values.env }} + env: + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} resources: -{{- if .Values.resources }} +{{- if .Values.policy.resources }} +{{ toYaml .Values.policy.resources | indent 10 }} +{{- else if .Values.resources }} {{ toYaml .Values.resources | indent 10 }} {{- else }} {{ toYaml .Values.global.defaultResources | indent 10 }} {{- end }} volumeMounts: +{{- if $.Values.global.useMCP }} + - name: istio-certs + mountPath: /etc/certs + readOnly: true +{{- end }} - name: uds-socket mountPath: /sock livenessProbe: httpGet: path: /version - port: 9093 + port: {{ .Values.global.monitoringPort }} initialDelaySeconds: 5 periodSeconds: 5 - name: istio-proxy - image: "{{ 
$.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - containerPort: 9091 - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} - --serviceCluster - istio-policy - --templateFile @@ -63,6 +128,9 @@ {{- else }} - --controlPlaneAuthPolicy - NONE + {{- end }} + {{- if $.Values.global.trustDomain }} + - --trust-domain={{ $.Values.global.trustDomain }} {{- end }} env: - name: POD_NAME @@ -90,8 +158,20 @@ - name: istio-certs mountPath: /etc/certs readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} - name: uds-socket mountPath: /sock + - name: policy-adapter-secret + mountPath: /var/run/secrets/istio.io/policy/adapter + readOnly: true {{- end }} {{- define "telemetry_container" }} 
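Review bot: In the policy container's `--configStoreURL` branch, the secure case passes only `--configStoreURL=mcps://istio-galley...:9901`, while the telemetry container later in this file also passes `--certFile=/etc/certs/cert-chain.pem`, `--keyFile=/etc/certs/key.pem` and `--caCertFile=/etc/certs/root-cert.pem` next to its `mcps://` URL. Unless mixer's compiled-in defaults for those flags already point at `/etc/certs` (the `istio-certs` mount this hunk adds under `useMCP`), the policy mixer will fail to authenticate to Galley when `controlPlaneSecurityEnabled` and `useMCP` are both on; adding the same three flags here keeps the two containers consistent either way. The `policy_container` template this hunk edits begins before the hunk, and its volume mounts continue in the following hunks.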
@@ -102,12 +182,30 @@ secret: secretName: istio.istio-mixer-service-account optional: true + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds/uds_path + type: Socket + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} - name: uds-socket emptyDir: {} - {{- if $.Values.nodeSelector }} - nodeSelector: -{{ toYaml $.Values.nodeSelector | indent 8 }} - {{- end }} + - name: telemetry-adapter-secret + secret: + secretName: telemetry-adapter-secret + optional: true + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} containers: - name: mixer {{- if contains "/" .Values.image }} 
@@ -117,37 +215,91 @@ {{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - - containerPort: 9093 + - containerPort: {{ .Values.global.monitoringPort }} - containerPort: 42422 args: + - --monitoringPort={{ .Values.global.monitoringPort }} - --address - unix:///sock/mixer.socket +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} +{{- if $.Values.global.useMCP }} + {{- if $.Values.global.controlPlaneSecurityEnabled}} + - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901 + - --certFile=/etc/certs/cert-chain.pem + - --keyFile=/etc/certs/key.pem + - --caCertFile=/etc/certs/root-cert.pem + {{- else }} + - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- end }} +{{- else }} - --configStoreURL=k8s:// +{{- end }} - --configDefaultNamespace={{ $.Release.Namespace }} - - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + {{- if $.Values.adapters.useAdapterCRDs }} + - --useAdapterCRDs=true + {{- else }} + - --useAdapterCRDs=false + {{- end }} + {{- if $.Values.global.tracer.zipkin.address }} + - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans + {{- else }} + - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans + {{- end }} + - --averageLatencyThreshold + - {{ $.Values.telemetry.loadshedding.latencyThreshold }} + - --loadsheddingMode + - {{ $.Values.telemetry.loadshedding.mode }} + {{- if .Values.env }} + env: + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} resources: -{{- if .Values.resources }} +{{- if .Values.telemetry.resources }} +{{ toYaml .Values.telemetry.resources | indent 10 }} +{{- else if .Values.resources }} {{ toYaml .Values.resources | indent 10 }} {{- else }} {{ toYaml .Values.global.defaultResources | indent 10 }} {{- end }} volumeMounts: +{{- if $.Values.global.useMCP }} + - name: istio-certs + mountPath: 
/etc/certs + readOnly: true +{{- end }} + - name: telemetry-adapter-secret + mountPath: /var/run/secrets/istio.io/telemetry/adapter + readOnly: true - name: uds-socket mountPath: /sock livenessProbe: httpGet: path: /version - port: 9093 + port: {{ .Values.global.monitoringPort }} initialDelaySeconds: 5 periodSeconds: 5 - name: istio-proxy - image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} imagePullPolicy: {{ $.Values.global.imagePullPolicy }} ports: - containerPort: 9091 - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - istio-telemetry - --templateFile 
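Review bot: The new `env` loop in the telemetry container renders `value: "{{ $val }}"` by wrapping the raw value in double quotes, so any value containing a `"` or a backslash produces invalid YAML at render time. Helm's `quote` filter escapes correctly: `value: {{ $val | quote }}`. The policy container above uses the same pattern and should get the same change. The `--trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}` left-trim marker is harmless here since `http://` has no trailing whitespace, but it reads like a leftover; `{{ $.Values.global.tracer.zipkin.address }}` is clearer.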
@@ -185,38 +337,71 @@ - name: istio-certs mountPath: /etc/certs readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} - name: uds-socket mountPath: /sock {{- end }} -{{- $mixers := list "policy" "telemetry" }} -{{- range $idx, $mname := $mixers }} -apiVersion: extensions/v1beta1 +{{- range $key, $spec := .Values }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if $spec.enabled }} +apiVersion: apps/v1 kind: Deployment metadata: - name: istio-{{ $mname }} + name: istio-{{ $key }} namespace: {{ $.Release.Namespace }} labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + app: istio-mixer + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} istio: mixer spec: - replicas: {{ $.Values.replicaCount }} +{{- if not $spec.autoscaleEnabled }} +{{- if $spec.replicaCount }} + replicas: {{ $spec.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: {{ $key }} template: metadata: labels: - app: {{ $mname }} + app: {{ $key }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} istio: mixer - istio-mixer-type: {{ $mname }} + istio-mixer-type: {{ $key }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" -{{- if eq $mname "policy"}} +{{- with $.Values.podAnnotations }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- if eq $key "policy"}} {{- template "policy_container" $ }} {{- else }} {{- template "telemetry_container" $ }} {{- end }} --- +{{- end }} +{{- end }} {{- end }} {{/* range */}} 
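Review bot: The explicit `selector.matchLabels` (`istio: mixer`, `istio-mixer-type`) differs from the selector the old `extensions/v1beta1` Deployment presumably got implicitly from its template labels (`app`, `istio`, `istio-mixer-type`), and a Deployment's selector is immutable once created, so `helm upgrade` over an existing 1.0.x release is likely to be rejected with a field-is-immutable error rather than rolling the mixers. That is an upgrade caveat worth stating in a comment above `selector:`, e.g. `# selector differs from the 1.0.x implicit selector; delete istio-policy/istio-telemetry before upgrading in place`, or in the chart README. Separately, `{{- range $key, $spec := .Values }}` walks every top-level values key and only reaches `$spec.enabled` after the `eq` checks, which is correct, but a short comment that only `policy` and `telemetry` are expected to be maps would help the next reader. The `telemetry_container` template this hunk closes begins before the hunk.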
diff --git a/istio/charts/mixer/templates/service.yaml b/istio/charts/mixer/templates/service.yaml index f633c66..79cc4a5 100644 --- a/istio/charts/mixer/templates/service.yaml +++ b/istio/charts/mixer/templates/service.yaml @@ -1,12 +1,17 @@ -{{ $mixers := list "policy" "telemetry" }} -{{- range $idx, $mname := $mixers }} +{{- range $key, $spec := .Values }} +{{- if or (eq $key "policy") (eq $key "telemetry") }} +{{- if $spec.enabled }} apiVersion: v1 kind: Service metadata: - name: istio-{{ $mname }} + name: istio-{{ $key }} namespace: {{ $.Release.Namespace }} + annotations: + networking.istio.io/exportTo: "*" labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + app: {{ template "mixer.name" $ }} + chart: {{ template "mixer.chart" $ }} + heritage: {{ $.Release.Service }} release: {{ $.Release.Name }} istio: mixer spec: @@ -16,13 +21,19 @@ spec: - name: grpc-mixer-mtls port: 15004 - name: http-monitoring - port: 9093 -{{- if eq $mname "telemetry" }} + port: {{ $.Values.global.monitoringPort }} +{{- if eq $key "telemetry" }} - name: prometheus port: 42422 +{{- if $spec.sessionAffinityEnabled }} + sessionAffinity: ClientIP +{{- end }} {{- end }} selector: istio: mixer - istio-mixer-type: {{ $mname }} + istio-mixer-type: {{ $key }} --- {{- end }} +{{- end }} +{{- end }} + diff --git a/istio/charts/mixer/templates/serviceaccount.yaml b/istio/charts/mixer/templates/serviceaccount.yaml index 43a57c3..9d3da7d 100644 --- a/istio/charts/mixer/templates/serviceaccount.yaml +++ b/istio/charts/mixer/templates/serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} apiVersion: v1 kind: ServiceAccount {{- if .Values.global.imagePullSecrets }} @@ -11,6 +12,7 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "mixer.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "mixer.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- end }} 
diff --git a/istio/charts/mixer/templates/statsdtoprom.yaml b/istio/charts/mixer/templates/statsdtoprom.yaml deleted file mode 100644 index 7ad3ba3..0000000 --- a/istio/charts/mixer/templates/statsdtoprom.yaml +++ /dev/null @@ -1,69 +0,0 @@ - -{{- $statsdname := "statsd-prom-bridge" }} ---- -apiVersion: v1 -kind: Service -metadata: - name: istio-{{ $statsdname }} - namespace: {{ .Release.Namespace }} - labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} - istio: {{ $statsdname }} -spec: - ports: - - name: statsd-prom - port: 9102 - - name: statsd-udp - port: 9125 - protocol: UDP - selector: - istio: {{ $statsdname }} - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: istio-{{ $statsdname }} - namespace: {{ .Release.Namespace }} - labels: - chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} - release: {{ $.Release.Name }} - istio: mixer -spec: - template: - metadata: - labels: - istio: {{ $statsdname }} - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-mixer-service-account - volumes: - - name: config-volume - configMap: - name: istio-statsd-prom-bridge - {{- if $.Values.nodeSelector }} - nodeSelector: -{{ toYaml $.Values.nodeSelector | indent 8 }} - {{- end }} - containers: - - name: {{ $statsdname }} - image: "{{ $.Values.prometheusStatsdExporter.hub }}/statsd-exporter:{{ $.Values.prometheusStatsdExporter.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 9102 - - containerPort: 9125 - protocol: UDP - args: - - '-statsd.mapping-config=/etc/statsd/mapping.conf' - resources: -{{- if .Values.prometheusStatsdExporter.resources }} -{{ toYaml .Values.prometheusStatsdExporter.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - volumeMounts: - - name: config-volume - mountPath: /etc/statsd 
diff --git a/istio/charts/pilot/Chart.yaml b/istio/charts/pilot/Chart.yaml index 54e24d3..4ce4438 100644 --- a/istio/charts/pilot/Chart.yaml +++ b/istio/charts/pilot/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: pilot -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for pilot deployment keywords: diff --git a/istio/charts/pilot/templates/autoscale.yaml b/istio/charts/pilot/templates/autoscale.yaml index 23ad012..1a99451 100644 --- a/istio/charts/pilot/templates/autoscale.yaml +++ b/istio/charts/pilot/templates/autoscale.yaml @@ -1,19 +1,25 @@ -{{- if .Values.autoscaleMin }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: istio-pilot + name: istio-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1beta1 - kind: Deployment - name: istio-pilot - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }} + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }} --- {{- end }} diff --git a/istio/charts/pilot/templates/clusterrole.yaml b/istio/charts/pilot/templates/clusterrole.yaml index f901440..0435c3e 100644 --- a/istio/charts/pilot/templates/clusterrole.yaml +++ b/istio/charts/pilot/templates/clusterrole.yaml 
@@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-pilot-{{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -24,14 +24,11 @@ rules: resources: ["customresourcedefinitions"] verbs: ["*"] - apiGroups: ["extensions"] - resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"] + resources: ["ingresses", "ingresses/status"] verbs: ["*"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] - apiGroups: [""] - resources: ["endpoints", "pods", "services"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["namespaces", "nodes", "secrets"] + resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] verbs: ["get", "list", "watch"] diff --git a/istio/charts/pilot/templates/clusterrolebinding.yaml b/istio/charts/pilot/templates/clusterrolebinding.yaml index c6a7216..ef9281c 100644 --- a/istio/charts/pilot/templates/clusterrolebinding.yaml +++ b/istio/charts/pilot/templates/clusterrolebinding.yaml @@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-pilot-{{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/pilot/templates/deployment.yaml b/istio/charts/pilot/templates/deployment.yaml index 55d8a68..22352ae 100644 --- a/istio/charts/pilot/templates/deployment.yaml +++ b/istio/charts/pilot/templates/deployment.yaml 
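Review bot: The merged rule keeps cluster-wide `get`/`list`/`watch` on `secrets` for the pilot service account alongside `endpoints`, `pods`, `services`, `namespaces` and `nodes`, and the preceding rule grants `*` on `ingresses` and `ingresses/status`. Read access to every Secret in the cluster is the most sensitive grant in this role; if it exists only to serve TLS for Kubernetes Ingress resources, which is what the visible rules suggest, say so in a comment above the rule, e.g. `# secrets: read-only, needed for Kubernetes Ingress TLS; do not widen`, so a later change does not broaden it. Consider also narrowing `ingresses` to `get`, `list`, `watch` and `ingresses/status` to `update`/`patch`, since `*` also permits create and delete, which pilot has no visible need for. The rule list this hunk edits begins before the hunk.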
@@ -1,27 +1,42 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-pilot namespace: {{ .Release.Namespace }} # TODO: default template doesn't have this, which one is right ? labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: pilot annotations: checksum/config-volume: {{ template "istio.configmap.checksum" . }} spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} replicas: {{ .Values.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: pilot template: metadata: labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: pilot - app: pilot annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-pilot-service-account {{- if .Values.global.priorityClassName }} 
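Review bot: The `checksum/config-volume` annotation remains on the Deployment's own `metadata.annotations` while this hunk adds a full label set to `spec.template.metadata` but no annotations there; a checksum only triggers a rollout when it lives on the pod template, since a change to the Deployment's top-level annotations does not alter the pod spec and leaves running pilots on the stale `istio` ConfigMap. Move or duplicate it under the template: `annotations:` / `sidecar.istio.io/inject: "false"` / `checksum/config-volume: {{ template "istio.configmap.checksum" . }}`. As with the mixer Deployments, the new explicit `selector.matchLabels` of `istio: pilot` is immutable once the object exists, so an in-place upgrade of a 1.0.x release may be rejected; worth a note in the README. The pod spec continues past the end of this hunk.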
@@ -37,14 +52,30 @@ spec: imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - "discovery" + - --monitoringAddr=:{{ .Values.global.monitoringPort }} +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} + - --domain + - {{ .Values.global.proxy.clusterDomain }} {{- if .Values.global.oneNamespace }} - "-a" - {{ .Release.Namespace }} {{- end }} -{{- if not .Values.sidecar }} +{{- if $.Values.global.controlPlaneSecurityEnabled}} + {{- if not .Values.sidecar }} - --secureGrpcAddr - ":15011" + {{- end }} +{{- else }} + - --secureGrpcAddr + - "" {{- end }} +{{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" ports: - containerPort: 8080 - containerPort: 15010 @@ -69,8 +100,6 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: PILOT_CACHE_SQUASH - value: "5" {{- if .Values.env }} {{- range $key, $val := .Values.env }} - name: {{ $key }} @@ -81,6 +110,8 @@ spec: - name: PILOT_TRACE_SAMPLING value: "{{ .Values.traceSampling }}" {{- end }} + - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY + value: "1" resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 12 }} @@ -95,7 +126,11 @@ spec: readOnly: true {{- if .Values.sidecar }} - name: istio-proxy - image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}" +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - containerPort: 15003 @@ -104,6 +139,8 @@ spec: - containerPort: 15011 args: - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --serviceCluster - istio-pilot - --templateFile 
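Review bot: In the new `controlPlaneSecurityEnabled` branch, when `.Values.sidecar` is also true no `--secureGrpcAddr` flag is emitted at all, so pilot falls back to its compiled-in default for that flag; the apparent intent (the `istio-proxy` sidecar terminates TLS on 15011 and forwards to pilot's plaintext 15010) only holds if that default is the empty string, and a non-empty default would have pilot compete with the sidecar for port 15011. Make it explicit by emitting `- --secureGrpcAddr` / `- ""` in the sidecar case as well, mirroring the `else` branch, rather than relying on the binary's default. A one-line comment above the block explaining the three cases would also save the next reader from re-deriving them. The container spec continues past the end of this hunk.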
@@ -114,6 +151,9 @@ spec: {{- else }} - --controlPlaneAuthPolicy - NONE + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} {{- end }} env: - name: POD_NAME @@ -141,14 +181,39 @@ spec: - name: istio-certs mountPath: /etc/certs readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds/uds_path + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} {{- end }} volumes: + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds/uds_path + type: Socket + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} - name: config-volume configMap: name: istio - name: istio-certs secret: secretName: istio.istio-pilot-service-account - optional: true + optional: true affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/pilot/templates/gateway.yaml b/istio/charts/pilot/templates/gateway.yaml deleted file mode 100644 index 048b3e7..0000000 --- a/istio/charts/pilot/templates/gateway.yaml +++ /dev/null 
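Review bot: In the hunk at -141,14 +181,39 the new `istio-token` volume mount carries no `readOnly: true`, unlike the `istio-certs` and `sds-uds-path` mounts beside it; a projected service-account token should not be writable from the container, so add `readOnly: true` under `mountPath: /var/run/secrets/tokens`. In the same hunk the projected token's `audience:` is rendered from `$.Values.global.trustDomain` inside a block gated only on `sds.useTrustworthyJwt`, so an unset trustDomain yields an `audience:` with an empty value; `audience: {{ required "global.trustDomain must be set when sds.useTrustworthyJwt is enabled" $.Values.global.trustDomain }}` fails at render time instead of minting a token with an empty audience. The `sds-uds-path` volume is a `hostPath` socket, which pod security policies commonly forbid, and that requirement deserves a comment on the volume. The pod spec this hunk edits begins before the hunk.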
@@ -1,74 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-autogenerated-k8s-ingress - namespace: istio-system -spec: - selector: - istio: {{ .Values.global.k8sIngressSelector }} - servers: - - port: - number: 80 - protocol: HTTP2 - name: http - hosts: - - "*" -{{ if .Values.global.k8sIngressHttps }} - - port: - number: 443 - protocol: HTTPS - name: https-default - tls: - mode: SIMPLE - serverCertificate: /etc/istio/ingress-certs/tls.crt - privateKey: /etc/istio/ingress-certs/tls.key - hosts: - - "*" -{{ end }} ---- -{{- if .Values.global.meshExpansion }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 15011 - protocol: TCP - name: tcp-pilot - hosts: - - "*" - - port: - number: 8060 - protocol: TCP - name: tcp-citadel - hosts: - - "*" ---- -{{- end }} - -{{- if .Values.global.meshExpansionILB }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-ilb-gateway -spec: - selector: - istio: ilbgateway - servers: - - port: - number: 15011 - protocol: TCP - name: tcp-pilot - hosts: - - "*" - - port: - number: 8060 - protocol: TCP - name: tcp-citadel - hosts: - - "*" -{{- end }} diff --git a/istio/charts/pilot/templates/meshexpansion.yaml b/istio/charts/pilot/templates/meshexpansion.yaml index 88e604d..4f3d595 100644 --- a/istio/charts/pilot/templates/meshexpansion.yaml +++ b/istio/charts/pilot/templates/meshexpansion.yaml 
@@ -1,59 +1,91 @@ -{{- if .Values.global.meshExpansion }} - +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: meshexpansion-pilot + name: meshexpansion-ilb-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: hosts: - - "pilot.istio-system" + - istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-gateway + - meshexpansion-ilb-gateway tcp: - match: - port: 15011 route: - destination: - host: istio-pilot.istio-system.svc.cluster.local + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 15011 - - -{{- end }} - - -{{- if .Values.global.meshExpansionILB }} + - match: + - port: 15010 + route: + - destination: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15010 + - match: + - port: 5353 + route: + - destination: + host: kube-dns.kube-system.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 53 --- +{{- else }} + apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: ilb-meshexpansion-pilot + name: meshexpansion-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: hosts: - - "meshexpansionilb.istio-system" + - istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-ilb-gateway + - meshexpansion-gateway tcp: - match: - port: 15011 route: - destination: - host: istio-pilot.istio-system.svc.cluster.local + host: istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 15011 - - match: - - port: 15010 - route: - - destination: - host: istio-pilot.istio-system.svc.cluster.local - port: - number: 15010 - - match: - - port: 5353 - route: - - destination: - host: kube-dns.kube-system.svc.cluster.local - port: - number: 53 +--- +{{- end }} +{{- if .Values.global.controlPlaneSecurityEnabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15011 + tls: + mode: DISABLE +--- {{- end }} +{{- end }} + diff --git a/istio/charts/pilot/templates/service.yaml b/istio/charts/pilot/templates/service.yaml index e43511f..a61d930 100644 --- a/istio/charts/pilot/templates/service.yaml +++ b/istio/charts/pilot/templates/service.yaml @@ -4,10 +4,11 @@ metadata: name: istio-pilot namespace: {{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot spec: ports: - port: 15010 
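Review bot: The `meshexpansion-dr-pilot` DestinationRule sets `tls: mode: DISABLE` for port 15011 inside an `{{- if .Values.global.controlPlaneSecurityEnabled }}` block, which reads as contradictory without explanation; presumably pilot terminates TLS itself on 15011 (`--secureGrpcAddr` in the deployment template, `https-xds # mTLS` in the service), so a comment such as `# pilot terminates TLS on 15011 itself; the sidecar must not wrap it in a second mTLS layer` would save the next reader the cross-reference. Both VirtualServices refer to `meshexpansion-gateway` and `meshexpansion-ilb-gateway`, whose definitions in `pilot/templates/gateway.yaml` this commit deletes; if they are now rendered by the gateways chart, a comment at the top of the file should say so, otherwise the routes dangle. The non-ILB VirtualService also uses `$.Release.Namespace` while the ILB one and the DestinationRule use `.Release.Namespace`; they are equivalent here, but one form should be used throughout.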
@@ -16,7 +17,7 @@ spec: name: https-xds # mTLS - port: 8080 name: http-legacy-discovery # direct - - port: 9093 + - port: {{ .Values.global.monitoringPort }} name: http-monitoring selector: istio: pilot diff --git a/istio/charts/pilot/templates/serviceaccount.yaml b/istio/charts/pilot/templates/serviceaccount.yaml index c7125b9..7ec2a66 100644 --- a/istio/charts/pilot/templates/serviceaccount.yaml +++ b/istio/charts/pilot/templates/serviceaccount.yaml @@ -10,7 +10,7 @@ metadata: name: istio-pilot-service-account namespace: {{ .Release.Namespace }} labels: - app: istio-pilot - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/prometheus/Chart.yaml b/istio/charts/prometheus/Chart.yaml index 2d6804e..6431a43 100644 --- a/istio/charts/prometheus/Chart.yaml +++ b/istio/charts/prometheus/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: prometheus -version: 1.0.1 -appVersion: 2.3.1 +version: 1.1.0 +appVersion: 2.8.0 tillerVersion: ">=2.7.2" diff --git a/istio/charts/prometheus/templates/_helpers.tpl b/istio/charts/prometheus/templates/_helpers.tpl index 52a2ad3..0393883 100644 --- a/istio/charts/prometheus/templates/_helpers.tpl +++ b/istio/charts/prometheus/templates/_helpers.tpl 
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/prometheus/templates/clusterrole.yaml b/istio/charts/prometheus/templates/clusterrole.yaml index 7d966f0..06fdfaf 100644 --- a/istio/charts/prometheus/templates/clusterrole.yaml +++ b/istio/charts/prometheus/templates/clusterrole.yaml @@ -1,7 +1,12 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: prometheus-{{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} rules: - apiGroups: [""] resources: diff --git a/istio/charts/prometheus/templates/clusterrolebindings.yaml b/istio/charts/prometheus/templates/clusterrolebindings.yaml index 6114d6b..295e0df 100644 --- a/istio/charts/prometheus/templates/clusterrolebindings.yaml +++ b/istio/charts/prometheus/templates/clusterrolebindings.yaml 
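Review bot: The comment above the new `prometheus.chart` helper says it creates "chart name and version as used by the chart label", but the body emits only `.Chart.Name | trunc 63 | trimSuffix "-"`, so every `chart:` label switched to this helper in the commit (clusterrole, clusterrolebindings, configmap, deployment, service, serviceaccount) loses the version that the old `{{ .Chart.Name }}-{{ .Chart.Version }}` form carried. Either restore the version, e.g. `{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}`, or change the comment to `Create the chart name (without version) as used by the chart label.` The `security.chart` helper added in the hunk on `security/templates/_helpers.tpl` has the same comment/body mismatch.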
@@ -1,7 +1,12 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: prometheus-{{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/istio/charts/prometheus/templates/configmap.yaml b/istio/charts/prometheus/templates/configmap.yaml index 63bd4cd..e00563d 100644 --- a/istio/charts/prometheus/templates/configmap.yaml +++ b/istio/charts/prometheus/templates/configmap.yaml @@ -5,19 +5,16 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: prometheus - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "prometheus.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} data: prometheus.yml: |- global: - scrape_interval: 15s + scrape_interval: {{ .Values.scrapeInterval }} scrape_configs: - job_name: 'istio-mesh' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - kubernetes_sd_configs: - role: endpoints namespaces: 
@@ -29,29 +26,63 @@ data: action: keep regex: istio-telemetry;prometheus - - job_name: 'envoy' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} + - role: pod relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: [__meta_kubernetes_pod_container_port_name] action: keep - regex: istio-statsd-prom-bridge;statsd-prom + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name - - job_name: 'istio-policy' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + - job_name: 'istio-policy' kubernetes_sd_configs: - role: endpoints namespaces: @@ -65,11 +96,6 @@ data: regex: istio-policy;http-monitoring - job_name: 'istio-telemetry' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - kubernetes_sd_configs: - role: endpoints namespaces: @@ -82,11 +108,6 @@ data: regex: istio-telemetry;http-monitoring - job_name: 'pilot' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - kubernetes_sd_configs: - role: endpoints namespaces: @@ -99,11 +120,6 @@ data: regex: istio-pilot;http-monitoring - job_name: 'galley' - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - kubernetes_sd_configs: - role: endpoints namespaces: 
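Review bot: The new `envoy-stats` job discovers `role: pod` with no `namespaces:` restriction, whereas the `envoy` job it replaces was limited to `{{ .Release.Namespace }}`; every pod in the cluster exposing a `.*-envoy-prom` container port is now a scrape target, and that widening is silent. It is presumably intended (sidecars live in application namespaces), so say so in the comment: `# Scrape config for envoy stats: cluster-wide, every pod exposing a *-envoy-prom container port`. The `__address__` rewrite uses `replacement: $1:15090` and discards the captured `prometheus.io/port` group, so the annotation only gates the rewrite and a pod without it keeps its discovered address; a one-line comment naming 15090 as the sidecar stats port would make that intent clear. This hunk begins on the previous line.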
@@ -115,6 +131,18 @@ data: action: keep regex: istio-galley;http-monitoring + - job_name: 'citadel' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-citadel;http-monitoring + # scrape config for API servers - job_name: 'kubernetes-apiservers' kubernetes_sd_configs: 
@@ -210,19 +238,66 @@ data: action: replace target_label: kubernetes_name - # Example scrape config for pods - job_name: 'kubernetes-pods' kubernetes_sd_configs: - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: keep + regex: ((;.*)|(.*;http)) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. + kubernetes_sd_configs: + - role: pod relabel_configs: - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] action: keep regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: drop + regex: (http) - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] action: replace regex: ([^:]+)(?::\d+)?;(\d+) @@ -235,4 +310,4 @@ data: target_label: namespace - source_labels: [__meta_kubernetes_pod_name] action: replace - target_label: pod_name + target_label: pod_name \ No newline at end of file diff --git a/istio/charts/prometheus/templates/deployment.yaml b/istio/charts/prometheus/templates/deployment.yaml index 34cb5f9..831557e 100644 --- a/istio/charts/prometheus/templates/deployment.yaml +++ b/istio/charts/prometheus/templates/deployment.yaml @@ -1,14 +1,14 @@ # TODO: the original template has service account, roles, etc -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: prometheus namespace: {{ .Release.Namespace }} labels: app: prometheus - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "prometheus.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} selector: 
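Review bot: In the `kubernetes-pods-istio-secure` job, `insecure_skip_verify: true` disables server-certificate verification, so the configured `ca_file: /etc/istio-certs/root-cert.pem` is never consulted; the scrape still presents the client cert and key, so an mTLS-only target accepts it, but the target's identity goes unauthenticated. The inline comment `# prometheus does not support secure naming.` gives the reason but not the consequence; I would expand it to `# disables server-cert verification (ca_file is then unused), presumably because workload certs carry a service identity rather than the pod address; client auth to the target still applies`. In the `kubernetes-pods` job the comment `# If first two labels are present, pod should be scraped by the istio-secure job.` sits above the `prometheus_io_scrape` keep rule rather than the `sidecar_istio_io_status` rule it describes; move it down one entry. Both job definitions continue outside the hunk.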
@@ -18,20 +18,32 @@ spec: metadata: labels: app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: prometheus {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.security.enabled }} + initContainers: + - name: prom-init + image: "busybox:1.30.1" + command: ['sh', '-c', 'counter=0; until [ "$counter" -ge 30 ]; do if [ -f /etc/istio-certs/key.pem ]; then exit 0; else echo waiting for istio certs && sleep 1 && counter=$((counter+1)); fi; done; exit 1;'] + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - mountPath: /etc/istio-certs + name: istio-certs {{- end }} containers: - name: prometheus image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}" imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - - '--storage.tsdb.retention=6h' + - '--storage.tsdb.retention={{ .Values.retention }}' - '--config.file=/etc/prometheus/prometheus.yml' ports: - containerPort: 9090 @@ -53,9 +65,17 @@ spec: volumeMounts: - name: config-volume mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs volumes: - name: config-volume configMap: name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/prometheus/templates/service.yaml b/istio/charts/prometheus/templates/service.yaml index a9eec0f..d92525d 100644 --- a/istio/charts/prometheus/templates/service.yaml +++ b/istio/charts/prometheus/templates/service.yaml 
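Review bot: The `prom-init` init container pins `image: "busybox:1.30.1"` as a literal, so it is pulled from the default public registry regardless of `.Values.hub`, which the `prometheus` container in the same hunk honours; private-registry or air-gapped installs fail at this init container, and the chart's pull secrets do not help. Exposing it as a value with the current literal as default, e.g. `image: {{ .Values.initImage | default "busybox:1.30.1" | quote }}` (value name illustrative), keeps behaviour for existing users while letting operators mirror it. The `security.enabled` gate also means the pod blocks for up to 30 s and then fails when `/etc/istio-certs/key.pem` never appears; a comment saying the file comes from the `istio-certs` secret volume mounted further down would connect the two.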
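Review bot: The new `istio-certs` volume mounts `secretName: istio.default`, i.e. the certificate issued for the namespace's `default` service account, while the pod runs as `serviceAccountName: prometheus`, so Prometheus scrapes with an identity that is not its own. If Citadel issues one `istio.<serviceaccount>` secret per account, as the pilot template's `istio.istio-pilot-service-account` in this commit suggests, `secretName: istio.prometheus` would give Prometheus its own identity and let it be authorised separately from every other `default`-account workload. If `istio.default` is deliberate, say so in a comment, because with `optional: true` a wrong name silently yields an empty mount and the init container's 30 s wait then fails.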
@@ -6,10 +6,13 @@ metadata: annotations: prometheus.io/scrape: 'true' {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: - name: prometheus + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: selector: app: prometheus @@ -27,7 +30,10 @@ metadata: name: prometheus-nodeport namespace: {{ .Release.Namespace }} labels: - name: prometheus + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: NodePort ports: diff --git a/istio/charts/prometheus/templates/serviceaccount.yaml b/istio/charts/prometheus/templates/serviceaccount.yaml index cf083b7..7c2fab3 100644 --- a/istio/charts/prometheus/templates/serviceaccount.yaml +++ b/istio/charts/prometheus/templates/serviceaccount.yaml @@ -9,3 +9,8 @@ imagePullSecrets: metadata: name: prometheus namespace: {{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ template "prometheus.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/istio/charts/security/Chart.yaml b/istio/charts/security/Chart.yaml index 63c834f..6cafffa 100644 --- a/istio/charts/security/Chart.yaml +++ b/istio/charts/security/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: security -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for istio authentication keywords: diff --git a/istio/charts/security/templates/_helpers.tpl b/istio/charts/security/templates/_helpers.tpl index 7564a1b..7f36f9d 100644 --- a/istio/charts/security/templates/_helpers.tpl +++ b/istio/charts/security/templates/_helpers.tpl 
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "security.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "security.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/security/templates/cleanup-secrets.yaml b/istio/charts/security/templates/cleanup-secrets.yaml index ae93b9f..be6f26e 100644 --- a/istio/charts/security/templates/cleanup-secrets.yaml +++ b/istio/charts/security/templates/cleanup-secrets.yaml @@ -9,6 +9,12 @@ apiVersion: v1 kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} metadata: name: istio-cleanup-secrets-service-account namespace: {{ .Release.Namespace }} 
@@ -18,11 +24,17 @@ metadata: "helm.sh/hook-weight": "1" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} +- name: {{ . }} +{{- end }} +{{- end }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-cleanup-secrets-{{ .Release.Namespace }} @@ -32,7 +44,7 @@ metadata: "helm.sh/hook-weight": "1" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: @@ -40,7 +52,7 @@ rules: resources: ["secrets"] verbs: ["list", "delete"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-cleanup-secrets-{{ .Release.Namespace }} @@ -50,7 +62,7 @@ metadata: "helm.sh/hook-weight": "2" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: @@ -65,7 +77,7 @@ subjects: apiVersion: batch/v1 kind: Job metadata: - name: istio-cleanup-secrets + name: istio-cleanup-secrets-{{ .Values.global.tag | printf "%v" | trunc 32 }} namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": post-delete 
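Review bot: The `istio-cleanup-secrets-service-account` ServiceAccount document ends up with two top-level `imagePullSecrets:` keys: the hunk at -9,6 +9,12 on the previous line inserts one between `kind:` and `metadata:`, and this hunk inserts another after `labels:`, before the `---`. Duplicate keys are at best silently collapsed by the YAML decoder and at worst rejected, so keep one block (the one before `metadata:` matches the shape used elsewhere) and drop the other.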
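Review bot: The Job name `istio-cleanup-secrets-{{ .Values.global.tag | printf "%v" | trunc 32 }}` is derived from an image tag, but Kubernetes object names must be lowercase DNS-1123 names; a tag containing uppercase letters or `_` (`release-1.1_latest`, constructed example) renders an invalid name, and `trunc 32` can leave a trailing `-` or `.`. Normalising it, e.g. `{{ .Values.global.tag | printf "%v" | lower | replace "_" "-" | trunc 32 | trimSuffix "-" }}`, keeps the rendered name valid for the default tag and for overrides alike. The hook annotations that make this a post-delete Job continue outside the hunk.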
@@ -73,21 +85,24 @@ metadata: "helm.sh/hook-weight": "3" labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: template: metadata: name: istio-cleanup-secrets labels: app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: serviceAccountName: istio-cleanup-secrets-service-account containers: - - name: hyperkube - image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" + - name: kubectl + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: IfNotPresent command: - /bin/bash - -c @@ -98,3 +113,6 @@ spec: kubectl delete secret $name -n $ns; done restartPolicy: OnFailure + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/security/templates/clusterrole.yaml b/istio/charts/security/templates/clusterrole.yaml index d7879a9..cdeb0c0 100644 --- a/istio/charts/security/templates/clusterrole.yaml +++ b/istio/charts/security/templates/clusterrole.yaml 
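Review bot: The cleanup container switches to `image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"` but hard-codes `imagePullPolicy: IfNotPresent`, whereas the other containers visible in this commit (pilot, istio-proxy, prometheus, prom-init) render `imagePullPolicy: {{ .Values.global.imagePullPolicy }}`; an operator who sets `Always` for mutable tags will not get it here. Use the value for consistency: `imagePullPolicy: {{ .Values.global.imagePullPolicy }}`. The `command:` script that runs `kubectl delete secret` continues outside the hunk.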
@@ -1,19 +1,22 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-citadel-{{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "update"] - apiGroups: [""] resources: ["secrets"] verbs: ["create", "get", "watch", "list", "update", "delete"] - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["services"] + resources: ["serviceaccounts", "services"] verbs: ["get", "watch", "list"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] diff --git a/istio/charts/security/templates/clusterrolebinding.yaml b/istio/charts/security/templates/clusterrolebinding.yaml index 501f8ad..0a15799 100644 --- a/istio/charts/security/templates/clusterrolebinding.yaml +++ b/istio/charts/security/templates/clusterrolebinding.yaml @@ -1,10 +1,10 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-citadel-{{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: diff --git a/istio/charts/security/templates/configmap.yaml b/istio/charts/security/templates/configmap.yaml index 1e64ed7..95854bf 100644 --- a/istio/charts/security/templates/configmap.yaml +++ b/istio/charts/security/templates/configmap.yaml 
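Review bot: The Citadel ClusterRole gains cluster-wide `configmaps` `create/get/update` and `authentication.k8s.io` `tokenreviews` `create` with no comment on what each rule is for, unlike the post-install ClusterRole in `create-custom-resources-job.yaml`, which annotates its rules (`# needed to create default authn policy`). These are the permissions a compromised Citadel pod would hold, so a one-line justification per rule, e.g. `# tokenreviews: needed to validate service-account tokens presented to the CA` (wording to be confirmed against what Citadel actually calls), is what makes a later least-privilege review possible. The same applies to the merged `serviceaccounts, services` rule.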
@@ -1,18 +1,20 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-security-custom-resources - namespace: {{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: security -data: - custom-resources.yaml: |- - {{- if .Values.global.mtls.enabled }} - {{- include "security-default.yaml.tpl" . | indent 4}} - {{- end }} - run.sh: |- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel +data: + custom-resources.yaml: |- + {{- if .Values.global.mtls.enabled }} + {{- include "security-default.yaml.tpl" . | indent 4}} + {{- else }} + {{- include "security-permissive.yaml.tpl" . | indent 4}} + {{- end }} + run.sh: |- {{- include "install-custom-resources.sh.tpl" . | indent 4}} diff --git a/istio/charts/security/templates/create-custom-resources-job.yaml b/istio/charts/security/templates/create-custom-resources-job.yaml index 9d2d442..4daacdc 100644 --- a/istio/charts/security/templates/create-custom-resources-job.yaml +++ b/istio/charts/security/templates/create-custom-resources-job.yaml 
@@ -1,89 +1,94 @@ -{{- if .Values.global.mtls.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-security-post-install-account - namespace: {{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} +{{- if .Values.createMeshPolicy }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: istio-security-post-install-{{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: ["authentication.istio.io"] # needed to create default authn policy - resources: ["*"] - verbs: ["*"] -- apiGroups: ["networking.istio.io"] # needed to create security destination rules - resources: ["*"] - verbs: ["*"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get"] -- apiGroups: ["extensions"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "watch"] +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-{{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: istio-security-post-install-role-binding-{{ .Release.Namespace }} - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-security-post-install-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-security-post-install-account - namespace: {{ .Release.Namespace }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-{{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: {{ .Release.Namespace }} --- - apiVersion: batch/v1 -kind: Job -metadata: - name: istio-security-post-install - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - name: istio-security-post-install - labels: - app: istio-security - release: {{ .Release.Name }} - spec: - serviceAccountName: istio-security-post-install-account - containers: - - name: hyperkube - image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" - command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] - volumeMounts: - - mountPath: "/tmp/security" - name: tmp-configmap-security - volumes: - - name: tmp-configmap-security - configMap: - name: istio-security-custom-resources - restartPolicy: OnFailure +kind: Job +metadata: + name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: kubectl + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: IfNotPresent + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} {{- end }} diff --git a/istio/charts/security/templates/deployment.yaml b/istio/charts/security/templates/deployment.yaml index 8913143..6488b92 100644 --- a/istio/charts/security/templates/deployment.yaml +++ b/istio/charts/security/templates/deployment.yaml @@ -1,24 +1,34 @@ # istio CA watching all namespaces -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-citadel namespace: {{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: citadel spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: citadel + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: citadel annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-citadel-service-account {{- if .Values.global.priorityClassName }} 
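Review bot: The post-install ClusterRole and ClusterRoleBinding in this file stay on `rbac.authorization.k8s.io/v1beta1` while the sibling `clusterrole.yaml` and `clusterrolebinding.yaml` hunks move to `v1`; bumping them here keeps the chart consistent before the beta API goes away. The role also keeps `verbs: ["*"]` on `resources: ["*"]` for `authentication.istio.io` and `networking.istio.io`, although the job only applies the MeshPolicy and DestinationRules from the ConfigMap, so roughly `get`, `create` and `patch` on `meshpolicies` and `destinationrules` would be the least-privilege shape. The gate is now `.Values.createMeshPolicy` instead of `global.mtls.enabled`, so the ServiceAccount and cluster-wide binding are created in non-mTLS installs as well; a comment next to the condition, e.g. `# createMeshPolicy also installs the post-install ServiceAccount and cluster-wide RBAC`, would make that explicit. As in configmap.yaml, the whole file is rewritten, which hides the substantive edits (kubectl image instead of hyperkube, affinity, tag suffix on the Job name).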
@@ -26,14 +36,18 @@ spec: {{- end }} containers: - name: citadel +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - --append-dns-names=true - --grpc-port=8060 - - --grpc-hostname=citadel - --citadel-storage-namespace={{ .Release.Namespace }} - - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingressgateway.{{ .Release.Namespace }} + - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }} + - --monitoring-port={{ .Values.global.monitoringPort }} {{- if .Values.selfSigned }} - --self-signed-ca=true {{- else }} @@ -43,6 +57,9 @@ spec: - --root-cert=/etc/cacerts/root-cert.pem - --cert-chain=/etc/cacerts/cert-chain.pem {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 12 }} @@ -62,3 +79,4 @@ spec: {{- end }} affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/security/templates/enable-mesh-mtls.yaml b/istio/charts/security/templates/enable-mesh-mtls.yaml index 7eddaa6..75e4a18 100644 --- a/istio/charts/security/templates/enable-mesh-mtls.yaml +++ b/istio/charts/security/templates/enable-mesh-mtls.yaml @@ -1,4 +1,4 @@ -{{ define "security-default.yaml.tpl" }} +{{- define "security-default.yaml.tpl" }} # These policy and destination rules effectively enable mTLS for all services in the mesh. For now, # they are added to Istio installation yaml for backward compatible. In future, they should be in # a separated yaml file so that customer can enable mTLS independent from installation. 
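Review bot: The new `{{- if contains "/" .Values.image }}` branch lets `image` bypass `global.hub` and `global.tag` entirely, so a value such as `registry.example/citadel` (constructed example) with no tag pulls `:latest` and is no longer pinned to the release tag; the same pattern is added in the servicegraph and sidecar-injector deployment hunks. A comment stating the contract would help operators, e.g. `# an image containing "/" is used verbatim: include a tag or digest, global.hub/global.tag are ignored`. Separately, the rewritten `--custom-dns-names` drops the `istio-ingressgateway-service-account` entry, so the ingress gateway certificate apparently no longer carries that extra name; if that is intended for 1.1, a one-line comment saves the next reader a bisect. The container spec continues outside the hunk.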
@@ -9,10 +9,10 @@ kind: "MeshPolicy" metadata: name: "default" labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: peers: - mtls: {} @@ -23,30 +23,40 @@ apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: "default" + namespace: {{ .Release.Namespace }} labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: host: "*.local" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: tls: mode: ISTIO_MUTUAL --- -# Destination rule to dislabe (m)TLS when talking to API server, as API server doesn't have sidecar. -# Customer should add similar destination rules for other services that dont' have sidecar. +# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar. +# Customer should add similar destination rules for other services that don't have sidecar. apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: "api-server" + namespace: {{ .Release.Namespace }} labels: - app: istio-security - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: - host: "kubernetes.default.svc.cluster.local" + host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} trafficPolicy: tls: mode: DISABLE 
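Review bot: The new `exportTo` blocks test `global.defaultConfigVisibilitySettings` only for presence and then always emit `'*'`, so the value configured there is never consulted; if the intent is that the mesh-wide `default` and `api-server` DestinationRules must stay visible everywhere even when default visibility is restricted, say so at the condition, e.g. `# when default config visibility is restricted, these two rules must still be exported mesh-wide`. The `api-server` rule is the one that disables TLS toward `kubernetes.default.svc.<clusterDomain>`, so exporting it to every namespace is a deliberate, mesh-wide plaintext exception worth naming in that comment. The hunk also fixes the typos in that rule's comment. The enclosing `define` block starts before the hunk.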
diff --git a/istio/charts/security/templates/meshexpansion.yaml b/istio/charts/security/templates/meshexpansion.yaml index fcf677f..581ce96 100644 --- a/istio/charts/security/templates/meshexpansion.yaml +++ b/istio/charts/security/templates/meshexpansion.yaml 
@@ -1,45 +1,56 @@ -{{- if .Values.global.meshExpansion }} - +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: meshexpansion-citadel + name: meshexpansion-vs-citadel-ilb + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel spec: hosts: - - "istio-citadel.istio-system" + - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-gateway + - meshexpansion-ilb-gateway tcp: - match: - port: 8060 route: - destination: - host: istio-citadel.istio-system.svc.cluster.local + host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 8060 - -{{- end }} - --- - -{{- if .Values.global.meshExpansionILB }} +{{- else }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: meshexpansion-ilb-citadel + name: meshexpansion-vs-citadel + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel spec: hosts: - - "istio-citadel.istio-system" + - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} gateways: - - meshexpansion-ilb-gateway + - meshexpansion-gateway tcp: - match: - port: 8060 route: - destination: - host: istio-citadel.istio-system.svc.cluster.local + host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} port: number: 8060 - +--- +{{- end }} {{- end }} diff --git a/istio/charts/security/templates/service.yaml b/istio/charts/security/templates/service.yaml index 902c138..efea175 100644 --- a/istio/charts/security/templates/service.yaml 
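Review bot: The gate changes from `.Values.global.meshExpansion` (apparently a boolean, judging from the removed condition) to `.Values.global.meshExpansion.enabled`, so an existing values file that still sets `meshExpansion: true` will fail to render on the field lookup; a line in `values.yaml` or the upgrade notes saying `meshExpansion` is now a map with `enabled` and `useILB` would catch that. `useILB` now selects one of the two VirtualServices instead of the old independent `meshExpansionILB` flag rendering both, which is a second behaviour change worth a comment. Both VirtualServices expose Citadel's 8060 gRPC endpoint outside the cluster through the mesh-expansion gateway, so a comment such as `# exposes Citadel (8060) to mesh-expansion VMs via the gateway; restrict the gateway to the VM source ranges` documents the exposure and its mitigation.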
+++ b/istio/charts/security/templates/service.yaml @@ -6,7 +6,11 @@ metadata: name: istio-citadel namespace: {{ .Release.Namespace }} labels: - app: istio-citadel + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel spec: ports: - name: grpc-citadel @@ -14,6 +18,6 @@ spec: targetPort: 8060 protocol: TCP - name: http-monitoring - port: 9093 + port: {{ .Values.global.monitoringPort }} selector: istio: citadel diff --git a/istio/charts/security/templates/serviceaccount.yaml b/istio/charts/security/templates/serviceaccount.yaml index 58501af..d07d566 100644 --- a/istio/charts/security/templates/serviceaccount.yaml +++ b/istio/charts/security/templates/serviceaccount.yaml @@ -11,6 +11,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "security.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "security.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} diff --git a/istio/charts/servicegraph/Chart.yaml b/istio/charts/servicegraph/Chart.yaml index 8138dfc..66b2a1e 100644 --- a/istio/charts/servicegraph/Chart.yaml +++ b/istio/charts/servicegraph/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: servicegraph -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" diff --git a/istio/charts/servicegraph/templates/_helpers.tpl b/istio/charts/servicegraph/templates/_helpers.tpl index c63ede3..f1330ae 100644 --- a/istio/charts/servicegraph/templates/_helpers.tpl +++ b/istio/charts/servicegraph/templates/_helpers.tpl 
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "servicegraph.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "servicegraph.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/servicegraph/templates/deployment.yaml b/istio/charts/servicegraph/templates/deployment.yaml index 7fbe843..1073a9a 100644 --- a/istio/charts/servicegraph/templates/deployment.yaml +++ b/istio/charts/servicegraph/templates/deployment.yaml 
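Review bot: The comment on the new `servicegraph.chart` helper says it creates "chart name and version", but the body emits only `.Chart.Name | trunc 63 | trimSuffix "-"` with no version; the same mismatch appears in the sidecar-injector and tracing `_helpers.tpl` hunks. Either include the version as the replaced `chart` labels did, e.g. `{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}`, or reword the comment to `Create the chart name as used by the chart label (version omitted so pod-template labels stay stable across upgrades).` The second option is the safer one here, since the deployment hunks put this label on pod templates.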
@@ -1,42 +1,57 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: servicegraph namespace: {{ .Release.Namespace }} labels: - app: {{ template "servicegraph.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: servicegraph + chart: {{ template "servicegraph.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: servicegraph template: metadata: labels: app: servicegraph + chart: {{ template "servicegraph.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} {{- end }} containers: - name: servicegraph +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} ports: - - containerPort: {{ .Values.service.internalPort }} + - containerPort: 8088 args: - - --prometheusAddr=http://prometheus:9090 + - --prometheusAddr={{- .Values.prometheusAddr }} livenessProbe: httpGet: path: /graph - port: {{ .Values.service.internalPort }} + port: 8088 readinessProbe: httpGet: path: /graph - port: {{ .Values.service.internalPort }} + port: 8088 resources: {{- if .Values.resources }} {{ toYaml .Values.resources | indent 12 }} @@ -45,3 +60,4 @@ spec: {{- end }} affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} 
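Review bot: `--prometheusAddr={{- .Values.prometheusAddr }}` has no fallback, so if `prometheusAddr` is missing from the values the argument renders empty and the container fails at runtime rather than at `helm install`; `{{ required "prometheusAddr is required" .Values.prometheusAddr }}`, or `default "http://prometheus:9090"` matching the removed literal, fails earlier and more clearly. The container, liveness and readiness ports are now hard-coded to 8088 while `service.yaml` still reads `.Values.service.externalPort`; a comment such as `# 8088 is the port the servicegraph binary listens on; only the Service's externalPort is configurable` explains the split. The image override branch follows the pattern noted on the citadel deployment hunk.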
diff --git a/istio/charts/servicegraph/templates/ingress.yaml b/istio/charts/servicegraph/templates/ingress.yaml index 145a9cb..12972b7 100644 --- a/istio/charts/servicegraph/templates/ingress.yaml +++ b/istio/charts/servicegraph/templates/ingress.yaml @@ -1,5 +1,4 @@ {{- if .Values.ingress.enabled -}} -{{- $serviceName := include "servicegraph.fullname" . -}} {{- $servicePort := .Values.service.externalPort -}} apiVersion: extensions/v1beta1 kind: Ingress @@ -7,10 +6,10 @@ metadata: name: {{ template "servicegraph.fullname" . }} namespace: {{ .Release.Namespace }} labels: - app: {{ template "servicegraph.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: servicegraph + chart: {{ template "servicegraph.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} @@ -23,7 +22,7 @@ spec: paths: - path: / backend: - serviceName: {{ $serviceName }} + serviceName: servicegraph servicePort: {{ $servicePort }} {{- end -}} {{- if .Values.ingress.tls }} diff --git a/istio/charts/servicegraph/templates/service.yaml b/istio/charts/servicegraph/templates/service.yaml index f3d2012..974da15 100644 --- a/istio/charts/servicegraph/templates/service.yaml +++ b/istio/charts/servicegraph/templates/service.yaml 
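Review bot: `serviceName: servicegraph` is now a literal while the Ingress's own name still uses `servicegraph.fullname`, so the backend resolves only if the Service's `metadata.name` is literally `servicegraph`; that line is outside the `service.yaml` hunk shown, so confirm it. A comment keeps the two from drifting, e.g. `# must match metadata.name in service.yaml (fixed name, not fullname)`. The Ingress also stays on `extensions/v1beta1`, which the other objects in this commit move away from.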
@@ -5,19 +5,28 @@ metadata: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: app: servicegraph - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "servicegraph.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + targetPort: 8088 protocol: TCP name: {{ .Values.service.name }} selector: app: servicegraph +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} + {{if .Values.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{range $rangeList := .Values.service.loadBalancerSourceRanges}} + - {{ $rangeList }} + {{end}} + {{end}} \ No newline at end of file diff --git a/istio/charts/sidecarInjectorWebhook/Chart.yaml b/istio/charts/sidecarInjectorWebhook/Chart.yaml index 9672be3..8788029 100644 --- a/istio/charts/sidecarInjectorWebhook/Chart.yaml +++ b/istio/charts/sidecarInjectorWebhook/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: sidecarInjectorWebhook -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0 +appVersion: 1.1.0 tillerVersion: ">=2.7.2" description: Helm chart for sidecar injector webhook deployment keywords: diff --git a/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl b/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl index 8ed67e2..f3b9fb1 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl +++ b/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl 
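Review bot: The new `loadBalancerSourceRanges` block uses `{{if}}`, `{{range}}` and `{{end}}` without the `-` whitespace trim that the `loadBalancerIP` block directly above uses, so the rendered Service carries stray blank and indented lines and the list items may land at an unexpected indent; writing `{{- if`, `{{- range` and `{{- end }}` consistently fixes that. Both fields only take effect when `service.type` is `LoadBalancer`, which a comment should state, e.g. `# loadBalancerIP/loadBalancerSourceRanges apply only when service.type is LoadBalancer`. The file also loses its trailing newline in this hunk.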
@@ -9,8 +9,24 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "sidecar-injector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "sidecar-injector.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml index b36fdb0..27f9acb 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml @@ -1,14 +1,15 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-sidecar-injector-{{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + istio: sidecar-injector rules: -- apiGroups: ["*"] +- apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] diff --git a/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml b/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml index 10b0d71..748a932 100644 
--- a/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml @@ -1,12 +1,13 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + istio: sidecar-injector roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml b/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml index 37751d4..fa153f7 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml 
@@ -1,31 +1,45 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: istio-sidecar-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "sidecar-injector.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector spec: replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: sidecar-injector + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector annotations: sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" spec: serviceAccountName: istio-sidecar-injector-service-account - {{- if .Values.global.priorityClassName }} +{{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} containers: - name: sidecar-injector-webhook +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} args: - --caCertFile=/etc/istio/certs/root-cert.pem @@ -84,3 +98,4 @@ spec: path: config affinity: {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} diff --git a/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml index e7f7519..a30dd38 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml 
@@ -2,12 +2,11 @@ apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector - namespace: {{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} webhooks: - name: sidecar-injector.istio.io clientConfig: @@ -25,6 +24,10 @@ webhooks: namespaceSelector: {{- if .Values.enableNamespacesByDefault }} matchExpressions: + - key: name + operator: NotIn + values: + - {{ .Release.Namespace }} - key: istio-injection operator: NotIn values: diff --git a/istio/charts/sidecarInjectorWebhook/templates/service.yaml b/istio/charts/sidecarInjectorWebhook/templates/service.yaml index b24900b..a68557a 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/service.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/service.yaml @@ -4,6 +4,10 @@ metadata: name: istio-sidecar-injector namespace: {{ .Release.Namespace }} labels: + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector spec: ports: diff --git a/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml b/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml index 8beb35b..d4020b5 100644 --- a/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +++ b/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml 
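Review bot: The added `namespaceSelector` entry keys on a namespace label called `name`, which Kubernetes does not set automatically; unless the chart labels the release namespace with `name: <release-namespace>` (no such label is visible in this chunk), the `NotIn` exclusion never matches and, with `enableNamespacesByDefault`, the injector's own namespace stays eligible for injection. A comment at the entry should state the dependency, e.g. `# relies on the control-plane namespace carrying the label name=<namespace>; without it this exclusion is a no-op`. Dropping `namespace` from the cluster-scoped MutatingWebhookConfiguration in the first hunk is correct. The `webhooks` list continues outside the hunk.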
@@ -10,7 +10,8 @@ metadata: name: istio-sidecar-injector-service-account namespace: {{ .Release.Namespace }} labels: - app: istio-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + istio: sidecar-injector diff --git a/istio/charts/telemetry-gateway/Chart.yaml b/istio/charts/telemetry-gateway/Chart.yaml deleted file mode 100644 index 2511a2b..0000000 --- a/istio/charts/telemetry-gateway/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -name: telemetry-gateway -version: 1.0.1 -appVersion: 1.0.1 -tillerVersion: ">=2.7.2" -description: Helm chart for configuring a gateway for Istio telemetry addons -icon: https://istio.io/favicons/android-192x192.png diff --git a/istio/charts/telemetry-gateway/templates/gateway.yaml b/istio/charts/telemetry-gateway/templates/gateway.yaml deleted file mode 100644 index 3a8e5e0..0000000 --- a/istio/charts/telemetry-gateway/templates/gateway.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{- if or (.Values.prometheusEnabled) (.Values.grafanaEnabled) }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-telemetry-gateway - namespace: {{ .Release.Namespace }} -spec: - selector: - istio: {{ .Values.gatewayName }} - servers: - {{- if .Values.prometheusEnabled }} - - port: - number: 15030 - name: http2-prometheus - protocol: HTTP2 - hosts: - - "*" - {{- end }} - {{- if .Values.grafanaEnabled }} - - port: - number: 15031 - name: http2-grafana - protocol: HTTP2 - hosts: - - "*" - {{- end }} -{{- if .Values.grafanaEnabled }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: grafana - namespace: {{ .Release.Namespace }} -spec: - host: grafana.{{ .Release.Namespace }}.svc.cluster.local - trafficPolicy: - tls: - mode: DISABLE -{{- end }} -{{- if .Values.prometheusEnabled }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} -spec: - host: prometheus.{{ .Release.Namespace }}.svc.cluster.local - trafficPolicy: - tls: - mode: DISABLE -{{- end }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: telemetry-virtual-service - namespace: {{ .Release.Namespace }} -spec: - hosts: - - "*" - gateways: - - istio-telemetry-gateway - http: - {{- if .Values.prometheusEnabled }} - - match: - - port: 15030 - route: - - destination: - host: prometheus.{{ .Release.Namespace }}.svc.cluster.local - port: - number: 9090 - {{- end }} - {{- if .Values.grafanaEnabled }} - - match: - - port: 15031 - route: - - destination: - host: grafana.{{ .Release.Namespace }}.svc.cluster.local - port: - number: 3000 - {{- end }} ---- -{{- end }} diff --git a/istio/charts/tracing/Chart.yaml b/istio/charts/tracing/Chart.yaml index 736bd3a..c95789e 100644 --- a/istio/charts/tracing/Chart.yaml +++ b/istio/charts/tracing/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 description: A Helm chart for Kubernetes name: tracing -version: 1.0.1 +version: 1.1.0 appVersion: 1.5.1 tillerVersion: ">=2.7.2" diff --git a/istio/charts/tracing/templates/_helpers.tpl b/istio/charts/tracing/templates/_helpers.tpl index 9fba8d5..e246b59 100644 --- a/istio/charts/tracing/templates/_helpers.tpl +++ b/istio/charts/tracing/templates/_helpers.tpl @@ -2,15 +2,31 @@ {{/* Expand the name of the chart. */}} -{{- define "zipkin.name" -}} +{{- define "tracing.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} -{{- define "zipkin.fullname" -}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tracing.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/tracing/templates/deployment.yaml b/istio/charts/tracing/templates/deployment.yaml deleted file mode 100644 index 166377c..0000000 --- a/istio/charts/tracing/templates/deployment.yaml +++ /dev/null 
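Review bot: Renaming `zipkin.name`/`zipkin.fullname` to `tracing.name`/`tracing.fullname` breaks any template in the chart that still calls the old names; only the deleted `deployment.yaml` and `ingress-jaeger.yaml` and the header of `ingress.yaml` are visible here, so the remaining tracing templates should be checked for leftover `zipkin.` references. The comment on `tracing.chart` promises "chart name and version" but the helper emits only `.Chart.Name`, the same mismatch raised on the servicegraph and sidecar-injector helpers.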
@@ -1,62 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: istio-tracing - namespace: {{ .Release.Namespace }} - labels: - app: istio-tracing - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: jaeger - annotations: - sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: jaeger - image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.jaeger.ui.port }} - - containerPort: 5775 - protocol: UDP - - containerPort: 6831 - protocol: UDP - - containerPort: 6832 - protocol: UDP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: COLLECTOR_ZIPKIN_HTTP_PORT - value: "{{ .Values.service.internalPort }}" - - name: MEMORY_MAX_TRACES - value: "{{ .Values.jaeger.memory.max_traces }}" - livenessProbe: - httpGet: - path: / - port: {{ .Values.jaeger.ui.port }} - readinessProbe: - httpGet: - path: / - port: {{ .Values.jaeger.ui.port }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - affinity: - {{- include "nodeaffinity" . | indent 6 }} diff --git a/istio/charts/tracing/templates/ingress-jaeger.yaml b/istio/charts/tracing/templates/ingress-jaeger.yaml deleted file mode 100644 index 1647e8a..0000000 --- a/istio/charts/tracing/templates/ingress-jaeger.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -{{ if (.Values.jaeger.ingress.enabled) and eq .Values.provider "jaeger" }} -{{- $servicePort := .Values.jaeger.ui.port -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: jaeger-query - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - {{- range $key, $value := .Values.jaeger.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: - {{- range $host := .Values.jaeger.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: / - backend: - serviceName: jaeger-query - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.jaeger.ingress.tls }} - tls: -{{ toYaml .Values.jaeger.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/istio/charts/tracing/templates/ingress.yaml b/istio/charts/tracing/templates/ingress.yaml index 77d53ca..72f3621 100644 --- a/istio/charts/tracing/templates/ingress.yaml +++ b/istio/charts/tracing/templates/ingress.yaml 
@@ -1,32 +1,40 @@ {{- if .Values.ingress.enabled -}} -{{- $serviceName := "zipkin" -}} -{{- $servicePort := .Values.service.externalPort -}} apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: {{ template "zipkin.fullname" . }} + name: {{ template "tracing.fullname" . }} namespace: {{ .Release.Namespace }} labels: - app: {{ template "zipkin.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: rules: +{{- if .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }} - host: {{ $host }} http: paths: - - path: / + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} /{{ $.Values.provider }} {{ end }} backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} + serviceName: tracing + servicePort: 80 + {{- end -}} - {{- if .Values.ingress.tls }} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + backend: + serviceName: tracing + servicePort: 80 +{{- end }} + {{- if .Values.ingress.tls }} tls: {{ toYaml .Values.ingress.tls | indent 4 }} {{- end -}} diff --git a/istio/charts/tracing/templates/service-jaeger.yaml b/istio/charts/tracing/templates/service-jaeger.yaml index 43b4c3a..23979ba 100644 --- a/istio/charts/tracing/templates/service-jaeger.yaml +++ b/istio/charts/tracing/templates/service-jaeger.yaml @@ -2,6 +2,14 @@ apiVersion: v1 kind: List +metadata: + name: jaeger-services + namespace: {{ .Release.Namespace }} + labels: + app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} items: - apiVersion: v1 kind: Service 
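Review bot: The new `else` branch in ingress.yaml (the `- http:` rule emitted when `.Values.ingress.hosts` is empty) creates a host-less Ingress rule, which most controllers treat as a catch-all, so the tracing UI backed by `serviceName: tracing` / `servicePort: 80` becomes reachable on every hostname the controller serves. Nothing in this chart configures authentication in front of that service (the only gate is `ingress.enabled`), so the default should stay off or the README should state that `ingress.hosts` must be set to a specific host and that an auth proxy or TLS (`ingress.tls`) is expected in front of it. A one-line comment above the branch, `# No hosts configured: this rule matches every host the ingress controller serves`, would at least make the behaviour visible to operators. Also, the `path:` expression wraps its value in spaces (`{{ if ... }} {{ ... }} {{ else }} /... {{ end }}`); YAML trims them, but `{{- ... -}}` whitespace control would make the rendered value unambiguous.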
@@ -10,20 +18,20 @@ items: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: app: jaeger jaeger-infra: jaeger-service - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: query-http - port: {{ .Values.jaeger.ui.port }} + port: 16686 protocol: TCP - targetPort: {{ .Values.jaeger.ui.port }} + targetPort: 16686 selector: app: jaeger - apiVersion: v1 @@ -34,9 +42,9 @@ items: labels: app: jaeger jaeger-infra: collector-service - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: jaeger-collector-tchannel @@ -58,9 +66,9 @@ items: labels: app: jaeger jaeger-infra: agent-service - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: agent-zipkin-thrift diff --git a/istio/charts/tracing/templates/service.yaml b/istio/charts/tracing/templates/service.yaml index 6a3cadc..fe94067 100644 --- a/istio/charts/tracing/templates/service.yaml +++ b/istio/charts/tracing/templates/service.yaml @@ -1,5 +1,13 @@ apiVersion: v1 kind: List +metadata: + name: tracing-services + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} items: - apiVersion: v1 kind: Service 
@@ -7,19 +15,19 @@ items: name: zipkin namespace: {{ .Release.Namespace }} labels: - app: jaeger - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} + targetPort: 9411 protocol: TCP name: {{ .Values.service.name }} selector: - app: jaeger + app: {{ .Values.provider }} - apiVersion: v1 kind: Service metadata: @@ -27,18 +35,22 @@ items: namespace: {{ .Release.Namespace }} annotations: {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val }} + {{ $key }}: {{ $val | quote }} {{- end }} labels: - app: jaeger - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} spec: ports: - name: http-query port: 80 protocol: TCP - targetPort: {{ .Values.jaeger.ui.port }} +{{ if eq .Values.provider "jaeger" }} + targetPort: 16686 +{{ else }} + targetPort: 9411 +{{ end}} selector: - app: jaeger + app: {{ .Values.provider }} diff --git a/istio/requirements.yaml b/istio/requirements.yaml index 8586760..c8e36b0 100644 --- a/istio/requirements.yaml +++ b/istio/requirements.yaml 
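Review bot: In the second service.yaml hunk, `{{ if eq .Values.provider "jaeger" }} targetPort: 16686 {{ else }} targetPort: 9411 {{ end}}` silently treats any value other than `jaeger` as Zipkin, and the selector `app: {{ .Values.provider }}` will then match no pods if `provider` is misspelled, leaving a Service with no endpoints and no error at install time. Failing fast is a one-liner at the top of the template: `{{- if not (has .Values.provider (list "jaeger" "zipkin")) }}{{ fail "tracing.provider must be jaeger or zipkin" }}{{ end }}`. The same hunks also replace `.Values.service.internalPort` and `.Values.jaeger.ui.port` with hard-coded `9411`/`16686`; if those keys are still present in values.yaml they are now ignored, so they should be removed or documented as no longer honoured.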
@@ -1,40 +1,43 @@ dependencies: - name: sidecarInjectorWebhook - version: 1.0.1 + version: 1.1.0 condition: sidecarInjectorWebhook.enabled - name: security - version: 1.0.1 + version: 1.1.0 condition: security.enabled - - name: ingress - version: 1.0.1 - condition: ingress.enabled - name: gateways - version: 1.0.1 + version: 1.1.0 condition: gateways.enabled - name: mixer - version: 1.0.1 - condition: mixer.enabled + version: 1.1.0 + condition: or mixer.policy.enabled mixer.telemetry.enabled + - name: nodeagent + version: 1.1.0 + condition: nodeagent.enabled - name: pilot - version: 1.0.1 + version: 1.1.0 condition: pilot.enabled - name: grafana - version: 1.0.1 + version: 1.1.0 condition: grafana.enabled - name: prometheus - version: 1.0.1 + version: 1.1.0 condition: prometheus.enabled - name: servicegraph - version: 1.0.1 + version: 1.1.0 condition: servicegraph.enabled - name: tracing - version: 1.0.1 + version: 1.1.0 condition: tracing.enabled - name: galley - version: 1.0.1 + version: 1.1.0 condition: galley.enabled - name: kiali - version: 1.0.1 + version: 1.1.0 condition: kiali.enabled + - name: istiocoredns + version: 1.1.0 + condition: istiocoredns.enabled - name: certmanager - version: 1.0.1 + version: 1.1.0 condition: certmanager.enabled diff --git a/istio/templates/_affinity.tpl b/istio/templates/_affinity.tpl index 0a702d4..3c495d3 100644 --- a/istio/templates/_affinity.tpl +++ b/istio/templates/_affinity.tpl @@ -19,6 +19,13 @@ - {{ $key }} {{- end }} {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val }} + {{- end }} {{- end }} {{- define "nodeAffinityPreferredDuringScheduling" }} 
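Review bot: The new mixer entry in requirements.yaml uses `condition: or mixer.policy.enabled mixer.telemetry.enabled`, but as far as I can tell Helm's `condition` field is a comma-separated list of value paths, not a template expression; a path that does not resolve is ignored, so this condition most likely has no effect and the mixer subchart is rendered unconditionally. Every other dependency in the hunk uses a single boolean path (`pilot.enabled`, `nodeagent.enabled`, …), which is the form Helm documents. Since Helm evaluates only the first resolvable path and cannot express OR, the cleaner fix is a dedicated switch, e.g. `condition: mixer.enabled`, with the policy/telemetry split handled inside the mixer subchart's own templates; at minimum add a comment stating that this line is not enforced by Helm.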
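Review bot: In the `_affinity.tpl` hunk the new nodeSelector loop renders `- {{ $val }}` unquoted inside `nodeSelectorTerms[].matchExpressions[].values`, which the API expects to be strings; a selector value such as `"true"` or a numeric zone id in values.yaml will be re-parsed by YAML as a bool/int and, I believe, rejected by the API server on submit. Quoting avoids that: `- {{ $val | quote }}`. The keys come from a map so their order is deterministic, but a short comment above the loop, `# nodeSelector entries are folded into the required node affinity`, would explain why a nodeSelector shows up under affinity rather than as a plain `nodeSelector:` field. The enclosing `nodeAffinityRequiredDuringScheduling` define starts outside this hunk.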
@@ -33,4 +40,54 @@ - {{ $key }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.value }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/istio/templates/_helpers.tpl b/istio/templates/_helpers.tpl index b85468d..6315852 100644 --- a/istio/templates/_helpers.tpl +++ b/istio/templates/_helpers.tpl 
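Review bot: In `podAntiAffinityRequiredDuringScheduling` the guard reads `{{- if $item.value }}` but the body splits `$item.values`, so unless an item happens to define both keys the `values:` list is never emitted; the `podAntiAffinityPreferredDuringScheduling` define a few lines below correctly uses `$item.values` in both places. For `In`/`NotIn` operators a matchExpression without values is invalid and the Deployment will be rejected, which is a hard failure rather than a silent one, but `Exists` terms would render fine and hide the typo. The fix is the single line `{{- if $item.values }}`, and the emitted entries should be quoted (`- {{ $v | quote }}`) for the same bool/int re-parsing reason that applies to label values generally. A brief comment documenting the expected item shape (`key`, `operator`, comma-separated `values`, `topologyKey`) above each define would help, since values.yaml is outside this patch.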
@@ -9,11 +9,27 @@ Expand the name of the chart. {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. */}} {{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{/* Create a fully qualified configmap name. diff --git a/istio/templates/configmap.yaml b/istio/templates/configmap.yaml index e2ec864..02591ec 100644 --- a/istio/templates/configmap.yaml +++ b/istio/templates/configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.pilot.enabled }} +{{- if or .Values.pilot.enabled .Values.global.istioRemote }} apiVersion: v1 kind: ConfigMap metadata: 
@@ -6,48 +6,157 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "istio.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} data: mesh: |- # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. + {{- if .Values.mixer.policy.enabled }} disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} + {{- else }} + disablePolicyChecks: true + {{- end }} # Set enableTracing to false to disable request tracing. enableTracing: {{ .Values.global.enableTracing }} # Set accessLogFile to empty string to disable access log. accessLogFile: "{{ .Values.global.proxy.accessLogFile }}" - # - # Deprecated: mixer is using EDS - {{- if .Values.mixer.enabled }} + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }} + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}' + + {{- if .Values.global.istioRemote }} + + {{- if .Values.global.remotePolicyAddress }} + {{- if .Values.global.createRemoteSvcEndpoints }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 + {{- else }} + mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004 + {{- end }} + {{- end }} + {{- if .Values.global.remoteTelemetryAddress }} + {{- if .Values.global.createRemoteSvcEndpoints }} + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004 + {{- else }} + 
mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 + {{- end }} + {{- end }} + + {{- else }} + + {{- if .Values.mixer.policy.enabled }} + {{- if .Values.global.controlPlaneSecurityEnabled }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 + {{- else }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 + {{- end }} + {{- end }} + {{- if .Values.mixer.telemetry.enabled }} {{- if .Values.global.controlPlaneSecurityEnabled }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004 - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004 + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 {{- else }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091 - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 {{- end }} {{- end }} + + {{- end }} + + {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. 
+ policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} + {{- end }} - {{- if .Values.ingress.enabled }} - # This is the k8s ingress service name, update if you used a different name - ingressService: istio-{{ .Values.global.k8sIngressSelector }} + {{- if .Values.gateways.enabled }} + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway {{- end }} + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }} + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: "" - - # How frequently should Envoy fetch key/cert from NodeAgent. - sdsRefreshDelay: 15s + sdsUdsPath: {{ .Values.global.sds.udsPath }} + + # This flag is used by secret discovery service(SDS). + # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # will be used to generate key/cert eventually. This isn't supported for non-k8s case. + enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }} + + # This flag is used by secret discovery service(SDS). + # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. + # this flag is ignored if enableSdsTokenMount is set. + # This isn't supported for non-k8s case. 
+ sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }} + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: {{ .Values.global.trustDomain }} + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: {{ .Values.global.outboundTrafficPolicy.mode }} + + localityLbSetting: +{{ toYaml .Values.global.localityLbSetting | indent 6 }} + + # The namespace to treat as the administrative root namespace for istio + # configuration. + {{- if .Values.global.configRootNamespace }} + rootNamespace: {{ .Values.global.configRootNamespace }} + {{- else }} + rootNamespace: {{ .Release.Namespace }} + {{- end }} + + {{- if .Values.global.defaultConfigVisibilitySettings }} + defaultServiceExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + defaultVirtualServiceExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + defaultDestinationRuleExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + {{- end }} + + {{- if $.Values.global.useMCP }} + configSources: + - address: istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- if $.Values.global.controlPlaneSecurityEnabled}} + tlsSettings: + mode: ISTIO_MUTUAL + {{- end }} + {{- end }} - # defaultConfig: # - # TCP connection timeout between Envoy & the application, and between Envoys. + # TCP connection timeout between Envoy & the application, and between Envoys. 
Used for static clusters + # defined in Envoy's configuration file connectTimeout: 10s # ### ADVANCED SETTINGS ############# 
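Review bot: The mesh config hunk replaces `sdsUdsPath: ""` with the unquoted `sdsUdsPath: {{ .Values.global.sds.udsPath }}`, so when the value is empty the rendered line is `sdsUdsPath:` (YAML null) rather than the empty string the comment two lines above describes as the "use secret-mount files" switch; whether Istio's mesh-config loader treats null and `""` identically is not something this hunk establishes, so quoting it (`sdsUdsPath: {{ .Values.global.sds.udsPath | quote }}`) removes the ambiguity, and `trustDomain:` deserves the same treatment. Separately, the new `istioRemote` branch always points `mixerCheckServer`/`mixerReportServer` at port 15004, whereas the local branch picks 15004 or 9091 depending on `controlPlaneSecurityEnabled`; if a remote-cluster install can run with control-plane security disabled, the remote sidecars would be sent to the mTLS port — worth confirming or documenting next to the branch. The `policyCheckFailOpen` line is guarded and documented, which is good; the `configSources` entry should note that MCP traffic to Galley is plaintext unless `controlPlaneSecurityEnabled` is set, mirroring the mixer comments.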
@@ -86,28 +195,79 @@ data: # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: {{ .Values.global.proxy.concurrency }} # - # Zipkin trace collector - zipkinAddress: zipkin.{{ .Release.Namespace }}:9411 + {{- if eq .Values.global.proxy.tracer "lightstep" }} + tracing: + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + # Whether communication with the Satellite pool should be secure + secure: {{ .Values.global.tracer.lightstep.secure }} + # Path to the file containing the cacert to use when verifying TLS + cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + tracing: + zipkin: + # Address of the Zipkin collector + {{- if .Values.global.tracer.zipkin.address }} + address: {{ .Values.global.tracer.zipkin.address }} + {{- else if .Values.global.remoteZipkinAddress }} + address: {{ .Values.global.remoteZipkinAddress }}:9411 + {{- else }} + address: zipkin.{{ .Release.Namespace }}:9411 + {{- end }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + tracing: + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address }} + {{- end }} {{- if .Values.global.proxy.envoyStatsd.enabled }} # # Statsd metrics collector converts statsd metrics into Prometheus metrics. - statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }} + statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + # + # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API. 
+ envoyMetricsServiceAddress: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }} + {{- end}} + + {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }} + {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }} {{- if .Values.global.controlPlaneSecurityEnabled }} # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005 + {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + discoveryAddress: {{ $defPilotHostname }}:15011 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15011 + {{- end }} {{- else }} # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15007 + {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + discoveryAddress: {{ $defPilotHostname }}:15010 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15010 + {{- end }} {{- end }} + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | indent 6 }} + {{- else }} + networks: {} + {{- end }} {{- end }} diff --git a/istio/templates/crds.yaml b/istio/templates/crds.yaml deleted file mode 100644 index acdf539..0000000 --- a/istio/templates/crds.yaml +++ /dev/null 
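Review bot: The new LightStep block writes `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` straight into the `istio` ConfigMap, so the satellite credential is readable by anyone with `get configmaps` in the control-plane namespace and shows up in `helm get`/`kubectl describe` output. The mesh-config format may require it inline, but the README and the values comment should state that clearly and recommend restricting ConfigMap read access, and the value should at least be quoted (`accessToken: {{ .Values.global.tracer.lightstep.accessToken | quote }}`) so tokens containing YAML-significant characters do not corrupt the mesh config; the same applies to the `address` fields. Also note the `statsdUdpAddress` change drops the `.{{ .Release.Namespace }}` suffix, so an existing `envoyStatsd.host` set to a bare Service name would now resolve relative to each sidecar's own namespace rather than the Istio namespace; that is a behaviour change that needs a values/README note.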
@@ -1,1116 +0,0 @@ -# {{ if or .Values.global.crds (semverCompare ">=2.10.0-0" .Capabilities.TillerVersion.SemVer) }} -# these CRDs only make sense when pilot is enabled -# {{- if .Values.pilot.enabled }} -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: destinationrules.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceentries.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - singular: serviceentry - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: gateways.networking.istio.io - annotations: - "helm.sh/hook": crd-install - "helm.sh/hook-weight": "-5" - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: Gateway - plural: gateways - singular: gateway - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: 
apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: envoyfilters.networking.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: istio-pilot -spec: - group: networking.istio.io - names: - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -# {{- end }} - -# these CRDs only make sense when security is enabled -# {{- if .Values.security.enabled }} -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: policies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: Policy - plural: policies - singular: policy - categories: - - istio-io - - authentication-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: meshpolicies.authentication.istio.io -spec: - group: authentication.istio.io - names: - kind: MeshPolicy - listKind: MeshPolicyList - plural: meshpolicies - singular: meshpolicy - categories: - - istio-io - - authentication-istio-io - scope: Cluster - version: v1alpha1 ---- -# {{- end }} - -# {{- if .Values.mixer.enabled }} -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - kind: HTTPAPISpec - plural: httpapispecs - singular: 
httpapispec - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - annotations: - "helm.sh/hook": crd-install - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- - -# Mixer CRDs -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: rules.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: core -spec: - group: config.istio.io - names: - kind: rule - plural: rules - singular: rule - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: attributemanifests.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: core -spec: - group: config.istio.io - names: - kind: attributemanifest - plural: attributemanifests - singular: attributemanifest - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: bypasses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: bypass - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: 
bypass - plural: bypasses - singular: bypass - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: circonuses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: circonus - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: circonus - plural: circonuses - singular: circonus - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: deniers.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: denier - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: denier - plural: deniers - singular: denier - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: fluentds.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: fluentd - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: fluentd - plural: fluentds - singular: fluentd - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: kubernetesenvs.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: kubernetesenv - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: kubernetesenv - plural: kubernetesenvs - singular: kubernetesenv - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: listcheckers.config.istio.io - annotations: - "helm.sh/hook": 
crd-install - labels: - app: mixer - package: listchecker - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: listchecker - plural: listcheckers - singular: listchecker - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: memquotas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: memquota - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: memquota - plural: memquotas - singular: memquota - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: noops.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: noop - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: noop - plural: noops - singular: noop - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: opas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: opa - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: opa - plural: opas - singular: opa - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: prometheuses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: prometheus - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: prometheus - plural: prometheuses - singular: prometheus - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: 
apiextensions.k8s.io/v1beta1 -metadata: - name: rbacs.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: rbac - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: rbac - plural: rbacs - singular: rbac - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: redisquotas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - package: redisquota - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: redisquota - plural: redisquotas - singular: redisquota - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicecontrols.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: servicecontrol - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: servicecontrol - plural: servicecontrols - singular: servicecontrol - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 - ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: signalfxs.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: signalfx - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: signalfx - plural: signalfxs - singular: signalfx - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: solarwindses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: solarwinds - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: solarwinds - plural: solarwindses - singular: solarwinds - categories: - - istio-io - - policy-istio-io - 
scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: stackdrivers.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: stackdriver - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: stackdriver - plural: stackdrivers - singular: stackdriver - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: statsds.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: statsd - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: statsd - plural: statsds - singular: statsd - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: stdios.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: stdio - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: stdio - plural: stdios - singular: stdio - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: apikeys.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: apikey - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: apikey - plural: apikeys - singular: apikey - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: authorizations.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: authorization - istio: mixer-instance -spec: - group: config.istio.io - names: 
- kind: authorization - plural: authorizations - singular: authorization - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: checknothings.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: checknothing - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: checknothing - plural: checknothings - singular: checknothing - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: kuberneteses.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: adapter.template.kubernetes - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: kubernetes - plural: kuberneteses - singular: kubernetes - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: listentries.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: listentry - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: listentry - plural: listentries - singular: listentry - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: logentries.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: logentry - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: logentry - plural: logentries - singular: logentry - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 
-metadata: - name: edges.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: edge - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: edge - plural: edges - singular: edge - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: metrics.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: metric - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: metric - plural: metrics - singular: metric - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: quotas.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: quota - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: quota - plural: quotas - singular: quota - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: reportnothings.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: reportnothing - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: reportnothing - plural: reportnothings - singular: reportnothing - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicecontrolreports.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: servicecontrolreport - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: servicecontrolreport - plural: servicecontrolreports - singular: servicecontrolreport - 
categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: tracespans.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: tracespan - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: tracespan - plural: tracespans - singular: tracespan - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: rbacconfigs.rbac.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: rbac -spec: - group: rbac.istio.io - names: - kind: RbacConfig - plural: rbacconfigs - singular: rbacconfig - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: serviceroles.rbac.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: rbac -spec: - group: rbac.istio.io - names: - kind: ServiceRole - plural: serviceroles - singular: servicerole - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicerolebindings.rbac.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: istio.io.mixer - istio: rbac -spec: - group: rbac.istio.io - names: - kind: ServiceRoleBinding - plural: servicerolebindings - singular: servicerolebinding - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: adapters.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - 
app: mixer - package: adapter - istio: mixer-adapter -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: instances.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: instance - istio: mixer-instance -spec: - group: config.istio.io - names: - kind: instance - plural: instances - singular: instance - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: templates.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: template - istio: mixer-template -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: handlers.config.istio.io - annotations: - "helm.sh/hook": crd-install - labels: - app: mixer - package: handler - istio: mixer-handler -spec: - group: config.istio.io - names: - kind: handler - plural: handlers - singular: handler - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -# {{- end }} -# {{ end }} \ No newline at end of file diff --git a/istio/templates/install-custom-resources.sh.tpl b/istio/templates/install-custom-resources.sh.tpl index 6123902..a5525a1 100644 --- a/istio/templates/install-custom-resources.sh.tpl +++ b/istio/templates/install-custom-resources.sh.tpl 
@@ -10,17 +10,17 @@ fi pathToResourceYAML=${1} -/kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null +kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null if [ "$?" -eq 0 ]; then echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" while true; do - /kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null + kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null if [ "$?" -eq 0 ]; then break fi sleep 1 done - /kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley + kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley if [ "$?" -ne 0 ]; then echo "istio-galley deployment rollout status check failed" exit 1 @@ -28,5 +28,5 @@ if [ "$?" -eq 0 ]; then echo "istio-galley deployment ready for configuration validation" fi sleep 5 -/kubectl apply -f ${pathToResourceYAML} +kubectl apply -f ${pathToResourceYAML} {{ end }} diff --git a/istio/templates/sidecar-injector-configmap.yaml b/istio/templates/sidecar-injector-configmap.yaml index 0b28252..f1a00aa 100644 --- a/istio/templates/sidecar-injector-configmap.yaml +++ b/istio/templates/sidecar-injector-configmap.yaml 
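Review bot: The rewritten invocations now rely on a `kubectl` found via PATH instead of the former absolute `/kubectl`, and nothing in the script records which image is expected to provide it; a one-line comment above the first call, `# kubectl is expected on PATH in the job image`, would save the next reader a lookup, since the job definition is not visible here. While these lines are being touched, the final `kubectl apply -f ${pathToResourceYAML}` in the second hunk should quote its argument, `kubectl apply -f "${pathToResourceYAML}"`, so a path containing spaces is passed intact.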
@@ -6,15 +6,19 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "istio.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} + chart: {{ template "istio.chart" . }} heritage: {{ .Release.Service }} + release: {{ .Release.Name }} istio: sidecar-injector data: config: |- policy: {{ .Values.global.proxy.autoInject }} template: |- + rewriteAppHTTPProbe: {{ .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe }} +{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} initContainers: + {{ "[[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"NONE\" ]]" }} +{{- if not .Values.istio_cni.enabled }} - name: istio-init {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" 
@@ -27,87 +31,115 @@ data: - "-u" - 1337 - "-m" - - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }} - "-i" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"" }} - {{ "[[ else -]]" }} - - "{{ .Values.global.proxy.includeIPRanges }}" - {{ "[[ end -]]" }} + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }} - "-x" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\" ]]\"" }} - {{ "[[ else -]]" }} - - "{{ .Values.global.proxy.excludeIPRanges }}" - {{ "[[ end -]]" }} + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }} - "-b" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"" }} - {{ "[[ else -]]" }} - - {{ "[[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]" }} + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }} - "-d" - {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\") -]]" }} - {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\" ]]\"" }} - {{ "[[ else -]]" }} - - "{{ .Values.global.proxy.excludeInboundPorts }}" + - {{ "\"[[ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }} + {{ "[[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]" }} + - "-k" + {{ "- \"[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]\"" }} {{ "[[ end -]]" }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: 100m + memory: 50Mi securityContext: + runAsUser: 0 capabilities: add: - NET_ADMIN - {{ if .Values.global.proxy.privileged }} + {{- if .Values.global.proxy.privileged }} privileged: true - {{ end -}} + {{- end }} restartPolicy: Always - {{ if eq .Values.global.proxy.enableCoreDump true }} +{{- end }} + {{ "[[ end -]]" }} + {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - - sysctl -w kernel.core_pattern=/etc/istio/proxy/core.%e.%p.%t && ulimit -c unlimited + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited command: - /bin/sh - image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} imagePullPolicy: IfNotPresent resources: {} securityContext: privileged: true {{ end }} +{{- end }} containers: - name: istio-proxy - image: {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]" }} - {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"" }} - {{ "[[ else -]]" }} - {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} - {{ "[[ end -]]" }} +{{- if contains "/" .Values.global.proxy.image }} + image: {{ "[[ 
annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }} +{{- else }} + image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }} +{{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom args: - proxy - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --configPath - {{ "[[ .ProxyConfig.ConfigPath ]]" }} - --binaryPath - {{ "[[ .ProxyConfig.BinaryPath ]]" }} - --serviceCluster {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }} - - {{ "[[ index .ObjectMeta.Labels \"app\" ]]" }} + - {{ "[[ index .ObjectMeta.Labels \"app\" ]]." }}$(POD_NAMESPACE) {{ "[[ else -]]" }} - - "istio-proxy" + - {{ "[[ valueOrDefault .DeploymentMeta.Name \"istio-proxy\" ]].[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]]" }} {{ "[[ end -]]" }} - --drainDuration - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }} - --parentShutdownDuration - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }} - --discoveryAddress - - {{ "[[ .ProxyConfig.DiscoveryAddress ]]" }} - - --discoveryRefreshDelay - - {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }} + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }} + {{- if eq .Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAddress ]]" }} + - --lightstepAccessToken + - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken ]]" }} + - --lightstepSecure={{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetSecure ]]" }} + - --lightstepCacertPath + - {{ "[[ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} - --zipkinAddress - - {{ "[[ .ProxyConfig.ZipkinAddress ]]" }} + - {{ "[[ 
.ProxyConfig.GetTracing.GetZipkin.GetAddress ]]" }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - {{ "[[ .ProxyConfig.GetTracing.GetDatadog.GetAddress ]]" }} + {{- end }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} - --connectTimeout - {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }} {{- if .Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }} + {{- end }} + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - {{ "[[ .ProxyConfig.EnvoyMetricsServiceAddress ]]" }} {{- end }} - --proxyAdminPort - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }} @@ -116,7 +148,16 @@ data: - {{ "[[ .ProxyConfig.Concurrency ]]" }} {{ "[[ end -]]" }} - --controlPlaneAuthPolicy - - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/controlPlaneAuthPolicy\") .ProxyConfig.ControlPlaneAuthPolicy ]]" }} + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }} + {{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} + - --statusPort + - {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} + - --applicationPorts + - {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }} + {{ "[[- end ]]" }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} env: - name: POD_NAME valueFrom: 
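Review bot: `runAsUser: 0` is added to the istio-init securityContext with no comment, and together with the existing `NET_ADMIN` capability and the optional `privileged: true` it is the whole privilege story of that container; a line such as `# iptables setup needs root in addition to NET_ADMIN; a pod-level runAsNonRoot: true will conflict with this container` would make the review of that decision explicit for anyone hardening injected pods. The new `enable-core-dump` block now also selects its image from `proxy_init.image` instead of a hard-coded `proxy_init` name and keeps `privileged: true`, which deserves the same kind of note. On style, the log-level guard uses `$.Values.global.proxy.logLevel` while every other conditional in this hunk uses `.Values`; `{{- if .Values.global.proxy.logLevel }}` keeps the template uniform. The istio-proxy container definition continues past this hunk.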
@@ -130,47 +171,151 @@ data: valueFrom: fieldRef: fieldPath: status.podIP + {{ if eq .Values.global.proxy.tracer "datadog" }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{ end }} - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: ISTIO_META_INTERCEPTION_MODE value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ "[[ if .ObjectMeta.Annotations ]]" }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ "[[ toJSON .ObjectMeta.Annotations ]]" }} + {{ "[[ end ]]" }} + {{ "[[ if .ObjectMeta.Labels ]]" }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ "[[ toJSON .ObjectMeta.Labels ]]" }} + {{ "[[ end ]]" }} + {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{ "[[- end ]]" }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: ISTIO_META_SDS_TOKEN_PATH + value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" + {{- end }} imagePullPolicy: {{ .Values.global.imagePullPolicy }} + {{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} + initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }} + periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ 
.Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }} + failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }} + {{ "[[ end -]]" -}} securityContext: - {{ if .Values.global.proxy.privileged }} + {{- if .Values.global.proxy.privileged }} privileged: true - {{ end -}} + {{- end }} + {{- if ne .Values.global.proxy.enableCoreDump true }} readOnlyRootFilesystem: true - {{ "[[ if eq (or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String) \"TPROXY\" -]]" }} + {{- end }} + {{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }} capabilities: add: - NET_ADMIN runAsGroup: 1337 {{ "[[ else -]]" }} + {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }} + runAsGroup: 1337 + {{- end }} runAsUser: 1337 - {{ "[[ end -]]" }} - restartPolicy: Always + {{ "[[- end ]]" }} resources: - {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\") -]]" }} + {{ "[[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }} requests: - cpu: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\" ]]\"" }} - memory: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\" ]]\"" }} + {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }} + cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }} + {{ "[[ end ]]" }} + {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]]" }} + memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }} + {{ "[[ end ]]" }} {{ "[[ else -]]" }} {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 10 }} {{- end }} {{ "[[ end -]]" }} volumeMounts: + {{ 
"[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{ "[[- end ]]" }} - mountPath: /etc/istio/proxy name: istio-envoy + {{- if .Values.global.sds.enabled }} + - mountPath: /var/run/sds/uds_path + name: sds-uds-path + readOnly: true + {{- if .Values.global.sds.useTrustworthyJwt }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" + name: custom-sds-token + readOnly: true + {{- end }} + {{- else }} - mountPath: /etc/certs/ name: istio-certs readOnly: true + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ "[[ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath ]]" }} + name: lightstep-certs + readOnly: true + {{- end }} + {{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]]" }} + {{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]]" }} + - name: {{ "\"[[ $index ]]\"" }} + {{ "[[ toYaml $value | indent 4 ]]" }} + {{ "[[ end ]]" }} + {{ "[[- end ]]" }} volumes: + {{ "[[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]]" }} + - name: custom-bootstrap-volume + configMap: + name: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]]" }} + {{ "[[- end ]]" }} - emptyDir: medium: Memory name: istio-envoy + {{- if .Values.global.sds.enabled }} + - name: sds-uds-path + hostPath: + path: /var/run/sds/uds_path + type: Socket + {{- if .Values.global.sds.customTokenDirectory }} + - name: custom-sds-token + secret: + secretName: sdstokensecret + {{- end }} + {{- if .Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + 
audience: {{ .Values.global.trustDomain }} + {{- end }} + {{- else }} - name: istio-certs secret: optional: true @@ -179,4 +324,24 @@ data: {{ "[[ else -]]" }} secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }} {{ "[[ end -]]" }} + {{ "[[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]]" }} + {{ "[[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]]" }} + - name: {{ "\"[[ $index ]]\"" }} + {{ "[[ toYaml $value | indent 2 ]]" }} + {{ "[[ end ]]" }} + {{ "[[ end ]]" }} + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} +{{- end }} +{{- if .Values.global.podDNSSearchNamespaces }} + dnsConfig: + searches: + {{- range .Values.global.podDNSSearchNamespaces }} + - {{ . }} + {{- end }} {{- end }} diff --git a/istio/values-istio-auth-galley.yaml b/istio/values-istio-auth-galley.yaml deleted file mode 100644 index c95b299..0000000 --- a/istio/values-istio-auth-galley.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# This is used to generate istio.yaml -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: true - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: false - -prometheus: - enabled: true - -galley: - enabled: true diff --git a/istio/values-istio-auth-multicluster.yaml b/istio/values-istio-auth-multicluster.yaml deleted file mode 100644 index 4c79999..0000000 
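Review bot: The projected ServiceAccount token added as the `istio-token` volume sets `audience: {{ .Values.global.trustDomain }}` with no guard, so when `global.trustDomain` is unset (it is not defined in any visible values.yaml hunk) the field renders empty, which Kubernetes treats as no audience and issues the token for the API server's default audience — a token meant only for the SDS agent then becomes acceptable to the API server. The `--trust-domain` argument in the preceding hunk is wrapped in `{{- if .Values.global.trustDomain }}`; the token block should instead refuse to render, e.g. `audience: {{ required "global.trustDomain must be set when global.sds.useTrustworthyJwt is true" .Values.global.trustDomain }}`. Note also that `sds-uds-path` is a `hostPath` socket mounted into every injected workload pod, which any pod security policy in the target clusters has to permit; a comment on that volume saying so would save operators a surprise. The enclosing `data:` template block begins before this hunk.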
--- a/istio/values-istio-auth-multicluster.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# This is used to generate istio-auth-multicluster.yaml, used for CI/CD. -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: true - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - -# In a multiple cluster environment, citadel uses the same root certificate in all the clusters -security: - selfSigned: false diff --git a/istio/values-istio-auth.yaml b/istio/values-istio-auth.yaml deleted file mode 100644 index 49ad827..0000000 --- a/istio/values-istio-auth.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1 -# or v2/alpha3 with 'gradual migration' (using env variable at inject time). -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: true - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - diff --git a/istio/values-istio-demo-auth.yaml b/istio/values-istio-demo-auth.yaml index ffb0cd0..296bfb1 100644 --- a/istio/values-istio-demo-auth.yaml +++ b/istio/values-istio-demo-auth.yaml 
@@ -1,6 +1,8 @@ # This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled. # It is shipped with the release, used for bookinfo or quick installation of istio. # Includes components used in the demo, defaults to alpha3 rules. + +# @include global: controlPlaneSecurityEnabled: true @@ -8,26 +10,3 @@ global: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: true - -ingress: - # Ingress is used for migration, for alpha3 we expect ingressgateway - enabled: false - -prometheus: - enabled: true - -sidecarInjectorWebhook: - enabled: true - enableNamespacesByDefault: false - -grafana: - enabled: true - -tracing: - enabled: true - -servicegraph: - enabled: true - -galley: - enabled: true diff --git a/istio/values-istio-demo.yaml b/istio/values-istio-demo.yaml index 1362618..fd20f62 100644 --- a/istio/values-istio-demo.yaml +++ b/istio/values-istio-demo.yaml @@ -2,31 +2,12 @@ # It is shipped with the release, used for bookinfo or quick installation of istio. # Includes components used in the demo, defaults to alpha3 rules. -# If running in minikube you may add: -# --set global.nodePort=true -# --set ingressgateway.service.type=NodePort +# @include +# global: - nodePort: false + controlPlaneSecurityEnabled: false -ingress: - # Ingress is used for migration, for alpha3 we expect ingressgateway - enabled: false - -prometheus: - enabled: true - -sidecarInjectorWebhook: - enabled: true - enableNamespacesByDefault: false - -grafana: - enabled: true - -tracing: - enabled: true - -servicegraph: - enabled: true - -galley: - enabled: true + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false diff --git a/istio/values-istio-galley.yaml b/istio/values-istio-galley.yaml deleted file mode 100644 index 858fbb0..0000000 --- a/istio/values-istio-galley.yaml +++ /dev/null 
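Review bot: The added `# @include` marker in values-istio-demo-auth.yaml is unexplained — nothing on the page says which tool consumes it or what it pulls in, and a reader of the values file will take it for a stray comment, especially since the same hunk set deletes the explicit component toggles the profile used to carry. A one-line comment next to it, such as `# @include: marker consumed by <PROFILE-GENERATOR-TOOL>; the global section below overrides the included defaults`, with the real tool name filled in, would make the profile self-describing. The same marker appears in the values-istio-demo.yaml hunk that follows, so the comment belongs in both places.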
@@ -1,26 +0,0 @@ -# This is used to generate istio.yaml -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: false - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: false - -prometheus: - enabled: true - -galley: - enabled: true diff --git a/istio/values-istio-gateways.yaml b/istio/values-istio-gateways.yaml deleted file mode 100644 index 5826fc2..0000000 --- a/istio/values-istio-gateways.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -# Common settings. -global: - # Include the crd definition when generating the template. - # For 'helm template' and helm install > 2.10 it should be true. - # For helm < 2.9, crds must be installed ahead of time with - # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml - # and this options must be set off. - crds: false - - # Omit the istio-sidecar-injector configmap when generate a - # standalone gateway. Gateways may be created in namespaces other - # than `istio-system` and we don't want to re-create the injector - # configmap in those. - omitSidecarInjectorConfigMap: true - - # Istio control plane namespace: This specifies where the Istio control - # plane was installed earlier. Modify this if you installed the control - # plane in a different namespace than istio-system. - istioNamespace: istio-system - - proxy: - # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument - # would be :). - # Can also be disabled (e.g. when Mixer is not installed). - envoyStatsd: - enabled: true - host: istio-statsd-prom-bridge.istio-system - port: 9125 - -# -# Gateways Configuration -# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. -# You can add more gateways in addition to the defaults but make sure those are uniquely named -# and that NodePorts are not conflicting. -# Disable specifc gateway by setting the `enabled` to false. 
-# -gateways: - enabled: true - - custom-gateway: - enabled: true - labels: - app: custom-gateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 1800m - # memory: 256Mi - - loadBalancerIP: "" - serviceAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ports: - ## You can add custom gateway ports - - port: 80 - targetPort: 80 - name: http2 - # nodePort: 31380 - - port: 443 - name: https - # nodePort: 31390 - - port: 31400 - name: tcp - # nodePort: 31400 - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - # Telemetry-related ports are enabled in gateway - but will only redirect if - # the gateway configration for the various components are enabled. - - port: 15030 - targetPort: 15030 - name: http2-prometheus - - port: 15031 - targetPort: 15031 - name: http2-grafana - secretVolumes: - - name: customgateway-certs - secretName: istio-customgateway-certs - mountPath: /etc/istio/customgateway-certs - - name: customgateway-ca-certs - secretName: istio-customgateway-ca-certs - mountPath: /etc/istio/customgateway-ca-certs - -# all other components are disabled except the gateways -ingress: - enabled: false - -security: - enabled: false - -sidecarInjectorWebhook: - enabled: false - -galley: - enabled: false - -mixer: - enabled: false - -pilot: - enabled: false - -grafana: - enabled: false - -prometheus: - enabled: false - -servicegraph: - enabled: false - -tracing: - enabled: false - -kiali: - enabled: false - -certmanager: - enabled: false diff --git a/istio/values-istio-multicluster.yaml b/istio/values-istio-multicluster.yaml deleted file mode 100644 index 6974a55..0000000 
--- a/istio/values-istio-multicluster.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# This is used to generate istio-multicluster.yaml, used for CI/CD. -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: false - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - -prometheus: - enabled: true - -# In a multiple cluster environment, citadel uses the same root certificate in all the clusters -security: - selfSigned: false diff --git a/istio/values-istio-one-namespace-auth.yaml b/istio/values-istio-one-namespace-auth.yaml deleted file mode 100644 index d0a11d7..0000000 --- a/istio/values-istio-one-namespace-auth.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# This is used to generate istio.yaml used for deprecated CI/CD testing. -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: true - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: true diff --git a/istio/values-istio-one-namespace.yaml b/istio/values-istio-one-namespace.yaml deleted file mode 100644 index c097b97..0000000 --- a/istio/values-istio-one-namespace.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# This is used to generate istio.yaml used for deprecated CI/CD testing. -global: - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: false - - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s - -istiotesting: - oneNameSpace: true diff --git a/istio/values-istio.yaml b/istio/values-istio.yaml deleted file mode 100644 index 37eba9c..0000000 --- a/istio/values-istio.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1 -# or v2/alpha3 with 'gradual migration' (using env variable at inject time). -global: - ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. - # imagePullSecrets: - # - name: "private-registry-key" - - # Default is 10s second - refreshInterval: 1s diff --git a/istio/values.yaml b/istio/values.yaml index eab4f0d..81fe156 100644 --- a/istio/values.yaml +++ b/istio/values.yaml 
@@ -1,52 +1,203 @@ -# Common settings. +# Top level istio values file has the following sections. +# +# global: This file is the authoritative and exhaustive source for the global section. +# +# chart sections: Every subdirectory inside the charts/ directory has a top level +# configuration key in this file. This file overrides the values specified +# by the charts/${chartname}/values.yaml. +# Check the chart level values file for exhaustive list of configuration options. + +# +# Gateways Configuration, refer to the charts/gateways/values.yaml +# for detailed configuration +# +gateways: + enabled: true + +# +# sidecar-injector webhook configuration, refer to the +# charts/sidecarInjectorWebhook/values.yaml for detailed configuration +# +sidecarInjectorWebhook: + enabled: true + +# +# galley configuration, refer to charts/galley/values.yaml +# for detailed configuration +# +galley: + enabled: true + +# +# mixer configuration +# +# @see charts/mixer/values.yaml, it takes precedence +mixer: + policy: + # if policy is enabled the global.disablePolicyChecks has affect. + enabled: true + + telemetry: + enabled: true +# +# pilot configuration +# +# @see charts/pilot/values.yaml +pilot: + enabled: true + +# +# security configuration +# +security: + enabled: true + +# +# nodeagent configuration +# +nodeagent: + enabled: false + +# +# addon grafana configuration +# +grafana: + enabled: false + +# +# addon prometheus configuration +# +prometheus: + enabled: true + +# +# addon servicegraph configuration +# +servicegraph: + enabled: false + +# +# addon jaeger tracing configuration +# +tracing: + enabled: false + +# +# addon kiali tracing configuration +# +kiali: + enabled: false + +# +# addon certmanager configuration +# +certmanager: + enabled: false + +# +# Istio CNI plugin enabled +# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately. 
+# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect +# settings for the istio-proxy. +# +istio_cni: + enabled: false + +# addon Istio CoreDNS configuration +# +istiocoredns: + enabled: false + +# Common settings used among istio subcharts. global: # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly - hub: docker.io/istio + hub: gcr.io/istio-release # Default tag for Istio images. - tag: 1.0.2 + tag: master-latest-daily - # Gateway used for legacy k8s Ingress resources. By default it is - # using 'istio:ingress', to match 0.8 config. It requires that - # ingress.enabled is set to true. You can also set it - # to ingressgateway, or any other gateway you define in the 'gateway' - # section. - k8sIngressSelector: ingress + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" - # k8sIngressHttps will add port 443 on the ingress and ingressgateway. - # It REQUIRES that the certificates are installed in the - # expected secrets - enabling this option without certificates - # will result in LDS rejection and the ingress will not work. - k8sIngressHttps: false + # monitoring port used by mixer, pilot, galley + monitoringPort: 15014 + + k8sIngress: + enabled: false + # Gateway used for k8s Ingress resources. By default it is + # using 'istio:ingressgateway' that will be installed by setting + # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' + # flags to true. + gatewayName: ingressgateway + # enableHttps will add port 443 on the ingress. 
+ # It REQUIRES that the certificates are installed in the + # expected secrets - enabling this option without certificates + # will result in LDS rejection and the ingress will not work. + enableHttps: false proxy: image: proxyv2 + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + # Resources for the sidecar. resources: requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 128Mi # Controls number of Proxy worker threads. # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: 0 - # Configures the access log for each sidecar. Setting it to an empty string will - # disable access log for sidecar. + # Configures the access log for each sidecar. + # Options: + # "" - disables access log + # "/dev/stdout" - enables access log accessLogFile: "/dev/stdout" + # Configure how and what fields are displayed in sidecar access log. Setting to + # empty string will result in default log format + accessLogFormat: "" + + # Configure the access log for sidecar to JSON or TEXT. + accessLogEncoding: TEXT + + # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: "" + + # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS + # 5 seconds is the default refresh rate used by Envoy + dnsRefreshRate: 5s + #If set to true, istio-proxy container will have privileged securityContext privileged: false # If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. 
+ readinessPeriodSeconds: 2 + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + # istio egress capture whitelist # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" @@ -55,6 +206,9 @@ global: includeIPRanges: "*" excludeIPRanges: "" + # pod internal interfaces + kubevirtInterfaces: "" + # istio ingress capture whitelist # examples: # Redirect no inbound traffic to Envoy: --includeInboundPorts="" @@ -68,11 +222,30 @@ global: # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be :). - # Can also be disabled (e.g. when Mixer is not installed). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. envoyStatsd: - enabled: true - host: istio-statsd-prom-bridge - port: 9125 + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector + # via the Metrics Service gRPC API. This contains detailed stats information emitted directly + # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also + # available to scrape via the Envoy admin port at either /stats or /stats/prometheus. + # + # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto + # for details about Envoy's Metrics Service API. + # + # Disabled by default. + envoyMetricsService: + enabled: false + host: # example: metrics-service.istio-system + port: # example: 15000 + + # Specify which tracer to use. One of: lightstep, zipkin, datadog + tracer: "zipkin" proxy_init: # Base name for the proxy_init container, used to configure iptables. 
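Review bot: `tag: master-latest-daily` under `global:` pins the control plane and every injected sidecar to a floating nightly image rather than to the 1.1.2 release the commit subject announces, and with `imagePullPolicy: IfNotPresent` (unchanged context in a later hunk) nodes that pulled on different days will run different builds. A release chart should carry an immutable release tag, `tag: 1.1.2` or whichever immutable release tag the chosen hub publishes, so that what is deployed is reviewable and reproducible; the move to `hub: gcr.io/istio-release` may be intentional but the same pinning applies there. Further down the hunk, `proxy.resources.limits.memory: 128Mi` equals the request, leaving the sidecar no headroom before it is OOM-killed; confirm that is deliberate or add a comment stating the reasoning.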
@@ -83,17 +256,46 @@ global: # TODO: Switch to Always as default, and override in the local tests. imagePullPolicy: IfNotPresent - # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: false # disablePolicyChecks disables mixer policy checks. + # if mixer.policy.enabled==true then disablePolicyChecks has affect. # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. - disablePolicyChecks: false + disablePolicyChecks: true + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. enableTracing: true + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # secure: specifies whether data should be sent with TLS + # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is + # required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination + # namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. + # + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + secure: true # example: true|false + cacertPath: "" # example: /etc/lightstep/cacert.pem + zipkin: + # Host:Port for reporting trace data in zipkin format. 
If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + # Default mtls policy. If true, mtls between services will be enabled by default. mtls: # Default setting for service-to-service mtls. Can be set explicitly using @@ -102,7 +304,9 @@ global: # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any clustser configured with privte docker registry. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. imagePullSecrets: # - private-registry-key 
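Review bot: `disablePolicyChecks` flips from `false` to `true`, so Mixer policy enforcement is now off by default even though `mixer.policy.enabled` stays `true` in the first values.yaml hunk, and an operator who relied on the old default loses rate limits and deny rules silently on upgrade; the comment should state the change explicitly, e.g. `# NOTE: default changed to true in this chart version; set to false to restore policy enforcement.` Separately, `tracer.lightstep.accessToken` is a plain string in values.yaml and, per the injector template hunk earlier in this patch, is rendered into the sidecar's container args as `--lightstepAccessToken`, where anyone able to read the pod spec or list processes on the node can see it; the values comment should at least warn that the token is exposed in pod specs and recommend a Secret-backed alternative where available. This hunk's `global:` block continues outside the hunk.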
@@ -120,16 +324,41 @@ global: # If not set, controller watches all namespaces oneNamespace: false + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + # Whether to perform server-side validation of configuration. configValidation: true + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" + # If set to true, the pilot and citadel mtls will be exposed on the # ingress gateway - meshExpansion: false - - # If set to true, the pilot and citadel mtls and the plain text pilot ports - # will be exposed on an internal gateway - meshExpansionILB: false + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false # A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). 
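Review bot: `meshExpansion` changes shape from a boolean to a map with `enabled` and `useILB`, and `meshExpansionILB` is removed, but no comment flags the rename; an existing override such as `--set global.meshExpansion=true` now collides with the map and the old `meshExpansionILB` key is silently ignored. Add a note above the block, e.g. `# NOTE: previously a boolean (global.meshExpansion) plus global.meshExpansionILB; both now live under this map as enabled/useILB.` The new `podDNSSearchNamespaces` example embeds an injector template expression in a values file; the comment already says to follow the pattern, but stating that the `[[ ]]` form is only expanded at injection time would prevent it being copied into non-injector contexts.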
@@ -143,403 +372,113 @@ global: # cpu: 100m # memory: 128Mi - # Not recommended for user to configure this. Hyperkube image to use when creating custom resources - hyperkube: - hub: quay.io/coreos - tag: v1.7.6_coreos.0 + # enable pod distruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low prioroty class. + # will not be killed because of low priority class. # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass # for more detail. priorityClassName: "" - # Include the crd definition when generating the template. - # For 'helm template' and helm install > 2.10 it should be true. - # For helm < 2.9, crds must be installed ahead of time with - # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml - # and this options must be set off. - crds: true - -# -# ingress configuration -# -ingress: - enabled: false - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - service: - annotations: {} - loadBalancerIP: "" - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - ports: - - port: 80 - name: http - nodePort: 32000 - - port: 443 - name: https - selector: - istio: ingress - -# -# Gateways Configuration -# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. -# You can add more gateways in addition to the defaults but make sure those are uniquely named -# and that NodePorts are not conflicting. -# Disable specifc gateway by setting the `enabled` to false. 
-# -gateways: - enabled: true - - istio-ingressgateway: - enabled: true - labels: - app: istio-ingressgateway - istio: ingressgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 1800m - # memory: 256Mi - cpu: - targetAverageUtilization: 80 - loadBalancerIP: "" - serviceAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ports: - ## You can add custom gateway ports - - port: 80 - targetPort: 80 - name: http2 - nodePort: 31380 - - port: 443 - name: https - nodePort: 31390 - - port: 31400 - name: tcp - nodePort: 31400 - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - - port: 853 - targetPort: 853 - name: tcp-dns-tls - - port: 15030 - targetPort: 15030 - name: http2-prometheus - - port: 15031 - targetPort: 15031 - name: http2-grafana - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - istio-egressgateway: - enabled: true - labels: - app: istio-egressgateway - istio: egressgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - cpu: - targetAverageUtilization: 80 - serviceAnnotations: {} - type: ClusterIP #change to NodePort or LoadBalancer if need be - ports: - - port: 80 - name: http2 - - port: 443 - name: https - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - # Mesh ILB gateway creates a 
gateway of type InternalLoadBalancer, - # for mesh expansion. It exposes the mtls ports for Pilot,CA as well - # as non-mtls ports to support upgrades and gradual transition. - istio-ilbgateway: - enabled: false - labels: - app: istio-ilbgateway - istio: ilbgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - resources: - requests: - cpu: 800m - memory: 512Mi - #limits: - # cpu: 1800m - # memory: 256Mi - cpu: - targetAverageUtilization: 80 - loadBalancerIP: "" - serviceAnnotations: - cloud.google.com/load-balancer-type: "internal" - type: LoadBalancer - ports: - ## You can add custom gateway ports - google ILB default quota is 5 ports, - - port: 15011 - name: grpc-pilot-mtls - # Insecure port - only for migration from 0.8. Will be removed in 1.1 - - port: 15010 - name: grpc-pilot - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - # Port 853 is reserved for the kube-dns gateway - - port: 853 - name: tcp-dns - secretVolumes: - - name: ilbgateway-certs - secretName: istio-ilbgateway-certs - mountPath: /etc/istio/ilbgateway-certs - - name: ilbgateway-ca-certs - secretName: istio-ilbgateway-ca-certs - mountPath: /etc/istio/ilbgateway-ca-certs - -# -# sidecar-injector webhook configuration -# -sidecarInjectorWebhook: - enabled: true - replicaCount: 1 - image: sidecar_injector - enableNamespacesByDefault: false - -# -# galley configuration -# -galley: - enabled: true - replicaCount: 1 - image: galley - -# -# mixer configuration -# -mixer: - enabled: true - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - image: mixer - - istio-policy: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - cpu: - targetAverageUtilization: 80 - - istio-telemetry: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - cpu: - targetAverageUtilization: 80 - - prometheusStatsdExporter: - hub: docker.io/prom - tag: v0.6.0 - -# -# pilot configuration -# -pilot: - enabled: true - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - image: pilot - 
sidecar: true - traceSampling: 100.0 - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - env: - PILOT_PUSH_THROTTLE_COUNT: 100 - GODEBUG: gctrace=2 - cpu: - targetAverageUtilization: 80 - -# -# security configuration -# -security: - replicaCount: 1 - image: citadel - selfSigned: true # indicate if self-signed CA is used. - -# -# addons configuration -# -telemetry-gateway: - gatewayName: ingressgateway - grafanaEnabled: false - prometheusEnabled: false - -grafana: - enabled: false - replicaCount: 1 - image: grafana - persist: false - storageClassName: "" - security: - enabled: false - adminUser: admin - adminPassword: admin - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 3000 - internalPort: 3000 - -prometheus: - enabled: true - replicaCount: 1 - hub: docker.io/prom - tag: v2.3.1 - - service: - annotations: {} - nodePort: - enabled: false - port: 32090 - -servicegraph: - enabled: false - replicaCount: 1 - image: servicegraph - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 8088 - internalPort: 8088 - ingress: + # Use the Mesh Control Protocol (MCP) for configuring Mixer and + # Pilot. Requires galley (`--set galley.enabled=true`). + useMCP: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + # Indicate the domain used in SPIFFE identity URL + # The default depends on the environment. 
+ # kubernetes: cluster.local + # else: default dns domain + trustDomain: "" + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests + # to services outside of the mesh without any ServiceEntry. + # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY. + outboundTrafficPolicy: + mode: ALLOW_ANY + + # The namespace where globally shared configurations should be present. + # DestinationRules that apply to the entire mesh (e.g., enabling mTLS), + # default Sidecar configs, etc. should be added to this namespace. + # configRootNamespace: istio-config + + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + #defaultConfigVisibilitySettings: + #- '*' + + sds: + # SDS enabled. IF set to true, mTLS certificates for the sidecars will be + # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. enabled: false - # Used to create an Ingress record. - hosts: - - servicegraph.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. 
- # - secretName: servicegraph-tls - # hosts: - # - servicegraph.local - # prometheus addres - prometheusAddr: http://prometheus:9090 - -tracing: - enabled: false - provider: jaeger - jaeger: - hub: docker.io/jaegertracing - tag: 1.5 - memory: - max_traces: 50000 - ui: - port: 16686 - ingress: - enabled: false - # Used to create an Ingress record. - hosts: - - jaeger.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: jaeger-tls - # hosts: - # - jaeger.local - replicaCount: 1 - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 9411 - internalPort: 9411 - ingress: - enabled: false - # Used to create an Ingress record. - hosts: - - tracing.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: tracing-tls - # hosts: - # - tracing.local - -kiali: - enabled: false - replicaCount: 1 - hub: docker.io/kiali - tag: istio-release-1.0 - ingress: - enabled: false - ## Used to create an Ingress record. - # hosts: - # - kiali.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: kiali-tls - # hosts: - # - kiali.local - dashboard: - username: admin - # Default admin passphrase for kiali. Must be set during setup, and - # changed by overriding the secret - passphrase: admin - - # Override the automatically detected Grafana URL, usefull when Grafana service has no ExternalIPs - # grafanaURL: - - # Override the automatically detected Jaeger URL, usefull when Jaeger service has no ExternalIPs - # jaegerURL: - -# Certmanager uses ACME to sign certificates. Since Istio gateways are -# mounting the TLS secrets the Certificate CRDs must be created in the -# istio-system namespace. 
Once the certificate has been created, the -# gateway must be updated by adding 'secretVolumes'. After the gateway -# restart, DestinationRules can be created using the ACME-signed certificates. -certmanager: - enabled: false - hub: quay.io/jetstack - tag: v0.3.1 - resources: {} + udsPath: "" + useTrustworthyJwt: false + useNormalJwt: false + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (not + # supported yet). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway + # port: 443 + # + meshNetworks: {} + + # Specifies the global locality load balancing settings. + # Locality-weighted load balancing allows administrators to control the distribution of traffic to + # endpoints based on the localities of where the traffic originates and where it will terminate. + # Please set either failover or distribute configuration but not both. 
+ # + # localityLbSetting: + # distribute: + # - from: "us-central1/*" + # to: + # "us-central1/*": 80 + # "us-central2/*": 20 + # + # localityLbSetting: + # failover: + # - from: us-east + # to: eu-west + # - from: us-west + # to: us-east + localityLbSetting: {} + + # Specifies whether helm test is enabled or not. + # This field is set to false by default, so 'helm template ...' + # will ignore the helm test yaml files when generating the template + enableHelmTest: false \ No newline at end of file -- GitLab From 7ca7ab28d5370a398f82b8f118eb4ad126f93703 Mon Sep 17 00:00:00 2001 
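Review bot: `defaultPodDisruptionBudget.enabled: true` is introduced together with the remark that `minAvailable: 1` cannot be changed; if the component subcharts keep the single-replica defaults that the removed values in this hunk had (`replicaCount: 1` for pilot, galley, mixer and citadel), a budget of one on a one-replica deployment can make every node drain block on the control plane, so the comment should say so and point operators at the per-component replica settings, e.g. `# With replicaCount 1 a PDB of minAvailable 1 prevents node drains; raise replicas or disable this.` The new `sds.udsPath`, `sds.useTrustworthyJwt` and `sds.useNormalJwt` keys are the only uncommented entries in the block and deserve a one-line description each, since they decide how sidecar certificates are obtained when SDS is turned on. The comment on `defaultPodDisruptionBudget` also misspells `distruption`, and the file now ends without a trailing newline (`\ No newline at end of file`), which will surface as a spurious change on the next edit.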
From: Dimitar Zafirov Date: Tue, 16 Apr 2019 11:48:05 +0300 Subject: [PATCH 2/4] istio update to 1.1.2 --- istio-init/Chart.yaml | 13 + istio-init/LICENSE | 202 ++ istio-init/README.md | 77 + istio-init/files/crd-10.yaml | 594 ++++ istio-init/files/crd-11.yaml | 23 + istio-init/files/crd-12.yaml | 21 + istio-init/files/crd-certmanager-10.yaml | 81 + istio-init/files/crd-certmanager-11.yaml | 73 + istio-init/templates/clusterrole.yaml | 14 + istio-init/templates/clusterrolebinding.yaml | 15 + istio-init/templates/configmap-crd-10.yaml | 8 + istio-init/templates/configmap-crd-11.yaml | 8 + istio-init/templates/configmap-crd-12.yaml | 8 + .../configmap-crd-certmanager-10.yaml | 10 + .../configmap-crd-certmanager-11.yaml | 10 + istio-init/templates/job-crd-10.yaml | 26 + istio-init/templates/job-crd-11.yaml | 26 + istio-init/templates/job-crd-12.yaml | 26 + .../templates/job-crd-certmanager-10.yaml | 28 + .../templates/job-crd-certmanager-11.yaml | 28 + istio-init/templates/serviceaccount.yaml | 9 + istio-init/values.yaml | 16 + istio/.helmignore | 21 + istio/LICENSE | 202 ++ istio/charts/certmanager/templates/NOTES.txt | 6 + .../templates/poddisruptionbudget.yaml | 24 + istio/charts/certmanager/values.yaml | 31 + istio/charts/galley/OWNERS | 5 + .../galley/templates/poddisruptionbudget.yaml | 22 + .../validatingwebhookconfiguration.yaml.tpl | 120 + istio/charts/galley/values.yaml | 28 + istio/charts/gateways/templates/_affinity.tpl | 93 + istio/charts/gateways/templates/_helpers.tpl | 32 + .../templates/poddisruptionbudget.yaml | 31 + .../gateways/templates/preconfigured.yaml | 239 ++ istio/charts/gateways/templates/role.yaml | 18 + .../gateways/templates/rolebindings.yaml | 21 + istio/charts/gateways/values.yaml | 258 ++ .../grafana/dashboards/galley-dashboard.json | 1819 ++++++++++++ .../dashboards/istio-mesh-dashboard.json | 953 ++++++ .../istio-performance-dashboard.json | 618 ++++ .../dashboards/istio-service-dashboard.json | 2601 +++++++++++++++++ 
.../dashboards/istio-workload-dashboard.json | 2303 +++++++++++++++ .../grafana/dashboards/mixer-dashboard.json | 1808 ++++++++++++ .../grafana/dashboards/pilot-dashboard.json | 1595 ++++++++++ istio/charts/grafana/fix_datasources.sh | 16 + .../templates/configmap-custom-resources.yaml | 16 + .../templates/configmap-dashboards.yaml | 18 + istio/charts/grafana/templates/ingress.yaml | 40 + .../tests/test-grafana-connection.yaml | 30 + istio/charts/grafana/values.yaml | 86 + istio/charts/istiocoredns/Chart.yaml | 6 + .../istiocoredns/templates/_helpers.tpl | 32 + .../istiocoredns/templates/clusterrole.yaml | 13 + .../templates/clusterrolebinding.yaml | 17 + .../istiocoredns/templates/configmap.yaml | 24 + .../istiocoredns/templates/deployment.yaml | 89 + .../istiocoredns/templates/service.yaml | 20 + .../templates/serviceaccount.yaml | 16 + istio/charts/istiocoredns/values.yaml | 32 + istio/charts/kiali/templates/_helpers.tpl | 32 + istio/charts/kiali/templates/demosecret.yaml | 16 + .../tests/test-kiali-connection.yaml | 30 + istio/charts/kiali/values.yaml | 55 + .../mixer/templates/poddisruptionbudget.yaml | 32 + istio/charts/mixer/values.yaml | 84 + istio/charts/nodeagent/Chart.yaml | 13 + istio/charts/nodeagent/templates/_helpers.tpl | 32 + .../nodeagent/templates/clusterrole.yaml | 13 + .../templates/clusterrolebinding.yaml | 17 + .../charts/nodeagent/templates/daemonset.yaml | 52 + .../nodeagent/templates/serviceaccount.yaml | 16 + istio/charts/nodeagent/values.yaml | 34 + istio/charts/pilot/templates/_helpers.tpl | 32 + .../pilot/templates/poddisruptionbudget.yaml | 22 + istio/charts/pilot/values.yaml | 49 + .../charts/prometheus/templates/ingress.yaml | 40 + .../tests/test-prometheus-connection.yaml | 29 + istio/charts/prometheus/values.yaml | 58 + .../templates/enable-mesh-permissive.yaml | 16 + .../tests/test-citadel-connection.yaml | 29 + istio/charts/security/values.yaml | 30 + istio/charts/servicegraph/.helmignore | 21 + 
istio/charts/servicegraph/templates/NOTES.txt | 19 + .../tests/test-servicegraph-connection.yaml | 30 + istio/charts/servicegraph/values.yaml | 51 + istio/charts/sidecarInjectorWebhook/OWNERS | 2 + .../charts/sidecarInjectorWebhook/values.yaml | 34 + istio/charts/tracing/.helmignore | 21 + .../tracing/templates/deployment-jaeger.yaml | 85 + .../tracing/templates/deployment-zipkin.yaml | 74 + .../tests/test-tracing-connection.yaml | 33 + istio/charts/tracing/values.yaml | 76 + istio/example-values/README.md | 5 + .../values-istio-example-sds-vault.yaml | 29 + .../example-values/values-istio-gateways.yaml | 138 + .../example-values/values-istio-googleca.yaml | 22 + .../values-istio-multicluster-gateways.yaml | 27 + istio/templates/NOTES.txt | 29 + istio/templates/_podDisruptionBudget.tpl | 3 + istio/templates/clusterrole.yaml | 11 + istio/templates/clusterrolebinding.yaml | 14 + istio/templates/endpoints.yaml | 63 + istio/templates/service.yaml | 60 + istio/templates/serviceaccount.yaml | 5 + istio/test-values/README.md | 7 + istio/test-values/values-e2e.yaml | 70 + istio/test-values/values-istio-auth-mcp.yaml | 17 + .../values-istio-auth-multicluster.yaml | 21 + .../values-istio-auth-non-mcp.yaml | 7 + istio/test-values/values-istio-auth-sds.yaml | 23 + istio/test-values/values-istio-auth.yaml | 14 + istio/test-values/values-istio-mcp.yaml | 18 + .../values-istio-multicluster.yaml | 21 + istio/test-values/values-istio-non-mcp.yaml | 2 + .../values-istio-one-namespace-auth.yaml | 17 + ...lues-istio-one-namespace-trust-domain.yaml | 19 + .../values-istio-one-namespace.yaml | 17 + istio/test-values/values-istio.yaml | 7 + istio/values-istio-demo-common.yaml | 85 + istio/values-istio-minimal.yaml | 46 + istio/values-istio-remote.yaml | 34 + istio/values-istio-sds-auth.yaml | 20 + 123 files changed, 16647 insertions(+) create mode 100644 istio-init/Chart.yaml create mode 100644 istio-init/LICENSE create mode 100644 istio-init/README.md create mode 100644 
istio-init/files/crd-10.yaml create mode 100644 istio-init/files/crd-11.yaml create mode 100644 istio-init/files/crd-12.yaml create mode 100644 istio-init/files/crd-certmanager-10.yaml create mode 100644 istio-init/files/crd-certmanager-11.yaml create mode 100644 istio-init/templates/clusterrole.yaml create mode 100644 istio-init/templates/clusterrolebinding.yaml create mode 100644 istio-init/templates/configmap-crd-10.yaml create mode 100644 istio-init/templates/configmap-crd-11.yaml create mode 100644 istio-init/templates/configmap-crd-12.yaml create mode 100644 istio-init/templates/configmap-crd-certmanager-10.yaml create mode 100644 istio-init/templates/configmap-crd-certmanager-11.yaml create mode 100644 istio-init/templates/job-crd-10.yaml create mode 100644 istio-init/templates/job-crd-11.yaml create mode 100644 istio-init/templates/job-crd-12.yaml create mode 100644 istio-init/templates/job-crd-certmanager-10.yaml create mode 100644 istio-init/templates/job-crd-certmanager-11.yaml create mode 100644 istio-init/templates/serviceaccount.yaml create mode 100644 istio-init/values.yaml create mode 100644 istio/.helmignore create mode 100644 istio/LICENSE create mode 100644 istio/charts/certmanager/templates/NOTES.txt create mode 100644 istio/charts/certmanager/templates/poddisruptionbudget.yaml create mode 100644 istio/charts/certmanager/values.yaml create mode 100644 istio/charts/galley/OWNERS create mode 100644 istio/charts/galley/templates/poddisruptionbudget.yaml create mode 100644 istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl create mode 100644 istio/charts/galley/values.yaml create mode 100644 istio/charts/gateways/templates/_affinity.tpl create mode 100644 istio/charts/gateways/templates/_helpers.tpl create mode 100644 istio/charts/gateways/templates/poddisruptionbudget.yaml create mode 100644 istio/charts/gateways/templates/preconfigured.yaml create mode 100644 istio/charts/gateways/templates/role.yaml create mode 100644 
istio/charts/gateways/templates/rolebindings.yaml create mode 100644 istio/charts/gateways/values.yaml create mode 100644 istio/charts/grafana/dashboards/galley-dashboard.json create mode 100644 istio/charts/grafana/dashboards/istio-mesh-dashboard.json create mode 100644 istio/charts/grafana/dashboards/istio-performance-dashboard.json create mode 100644 istio/charts/grafana/dashboards/istio-service-dashboard.json create mode 100644 istio/charts/grafana/dashboards/istio-workload-dashboard.json create mode 100644 istio/charts/grafana/dashboards/mixer-dashboard.json create mode 100644 istio/charts/grafana/dashboards/pilot-dashboard.json create mode 100644 istio/charts/grafana/fix_datasources.sh create mode 100644 istio/charts/grafana/templates/configmap-custom-resources.yaml create mode 100644 istio/charts/grafana/templates/configmap-dashboards.yaml create mode 100644 istio/charts/grafana/templates/ingress.yaml create mode 100644 istio/charts/grafana/templates/tests/test-grafana-connection.yaml create mode 100644 istio/charts/grafana/values.yaml create mode 100644 istio/charts/istiocoredns/Chart.yaml create mode 100644 istio/charts/istiocoredns/templates/_helpers.tpl create mode 100644 istio/charts/istiocoredns/templates/clusterrole.yaml create mode 100644 istio/charts/istiocoredns/templates/clusterrolebinding.yaml create mode 100644 istio/charts/istiocoredns/templates/configmap.yaml create mode 100644 istio/charts/istiocoredns/templates/deployment.yaml create mode 100644 istio/charts/istiocoredns/templates/service.yaml create mode 100644 istio/charts/istiocoredns/templates/serviceaccount.yaml create mode 100644 istio/charts/istiocoredns/values.yaml create mode 100644 istio/charts/kiali/templates/_helpers.tpl create mode 100644 istio/charts/kiali/templates/demosecret.yaml create mode 100644 istio/charts/kiali/templates/tests/test-kiali-connection.yaml create mode 100644 istio/charts/kiali/values.yaml create mode 100644 
istio/charts/mixer/templates/poddisruptionbudget.yaml create mode 100644 istio/charts/mixer/values.yaml create mode 100644 istio/charts/nodeagent/Chart.yaml create mode 100644 istio/charts/nodeagent/templates/_helpers.tpl create mode 100644 istio/charts/nodeagent/templates/clusterrole.yaml create mode 100644 istio/charts/nodeagent/templates/clusterrolebinding.yaml create mode 100644 istio/charts/nodeagent/templates/daemonset.yaml create mode 100644 istio/charts/nodeagent/templates/serviceaccount.yaml create mode 100644 istio/charts/nodeagent/values.yaml create mode 100644 istio/charts/pilot/templates/_helpers.tpl create mode 100644 istio/charts/pilot/templates/poddisruptionbudget.yaml create mode 100644 istio/charts/pilot/values.yaml create mode 100644 istio/charts/prometheus/templates/ingress.yaml create mode 100644 istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml create mode 100644 istio/charts/prometheus/values.yaml create mode 100644 istio/charts/security/templates/enable-mesh-permissive.yaml create mode 100644 istio/charts/security/templates/tests/test-citadel-connection.yaml create mode 100644 istio/charts/security/values.yaml create mode 100644 istio/charts/servicegraph/.helmignore create mode 100644 istio/charts/servicegraph/templates/NOTES.txt create mode 100644 istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml create mode 100644 istio/charts/servicegraph/values.yaml create mode 100644 istio/charts/sidecarInjectorWebhook/OWNERS create mode 100644 istio/charts/sidecarInjectorWebhook/values.yaml create mode 100644 istio/charts/tracing/.helmignore create mode 100644 istio/charts/tracing/templates/deployment-jaeger.yaml create mode 100644 istio/charts/tracing/templates/deployment-zipkin.yaml create mode 100644 istio/charts/tracing/templates/tests/test-tracing-connection.yaml create mode 100644 istio/charts/tracing/values.yaml create mode 100644 istio/example-values/README.md create mode 100644 
istio/example-values/values-istio-example-sds-vault.yaml create mode 100644 istio/example-values/values-istio-gateways.yaml create mode 100644 istio/example-values/values-istio-googleca.yaml create mode 100644 istio/example-values/values-istio-multicluster-gateways.yaml create mode 100644 istio/templates/NOTES.txt create mode 100644 istio/templates/_podDisruptionBudget.tpl create mode 100644 istio/templates/clusterrole.yaml create mode 100644 istio/templates/clusterrolebinding.yaml create mode 100644 istio/templates/endpoints.yaml create mode 100644 istio/templates/service.yaml create mode 100644 istio/templates/serviceaccount.yaml create mode 100644 istio/test-values/README.md create mode 100644 istio/test-values/values-e2e.yaml create mode 100644 istio/test-values/values-istio-auth-mcp.yaml create mode 100644 istio/test-values/values-istio-auth-multicluster.yaml create mode 100644 istio/test-values/values-istio-auth-non-mcp.yaml create mode 100644 istio/test-values/values-istio-auth-sds.yaml create mode 100644 istio/test-values/values-istio-auth.yaml create mode 100644 istio/test-values/values-istio-mcp.yaml create mode 100644 istio/test-values/values-istio-multicluster.yaml create mode 100644 istio/test-values/values-istio-non-mcp.yaml create mode 100644 istio/test-values/values-istio-one-namespace-auth.yaml create mode 100644 istio/test-values/values-istio-one-namespace-trust-domain.yaml create mode 100644 istio/test-values/values-istio-one-namespace.yaml create mode 100644 istio/test-values/values-istio.yaml create mode 100644 istio/values-istio-demo-common.yaml create mode 100644 istio/values-istio-minimal.yaml create mode 100644 istio/values-istio-remote.yaml create mode 100644 istio/values-istio-sds-auth.yaml diff --git a/istio-init/Chart.yaml b/istio-init/Chart.yaml new file mode 100644 index 0000000..ab4ce1f --- /dev/null +++ b/istio-init/Chart.yaml 
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-init
+version: 1.1.0
+appVersion: 1.1.0
+tillerVersion: ">=2.7.2-0"
+description: Helm chart to initialize Istio CRDs
+keywords:
+ - istio
+ - crd
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-init/LICENSE b/istio-init/LICENSE
new file mode 100644
index 0000000..56df9b2
--- /dev/null
+++ b/istio-init/LICENSE
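Review bot: `version: 1.1.0` and `appVersion: 1.1.0` in the new istio-init Chart.yaml do not match the 1.1.2 named in the commit title; if this chart is meant to track the Istio release whose CRDs it installs, `appVersion` should carry the release actually vendored so that `helm ls` reports the right version, and otherwise a short comment such as `# chart version is decoupled from the Istio patch release` would prevent the mismatch from being read as an error. The `sources` entry uses plain `http://`; `https://github.com/istio/istio` is the canonical form.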
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2018 Istio Authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/istio-init/README.md b/istio-init/README.md
new file mode 100644
index 0000000..9a1330b
--- /dev/null
+++ b/istio-init/README.md
@@ -0,0 +1,77 @@
+# Istio
+
+[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
+
+## Introduction
+
+This chart bootstraps Istio's [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
+which are an internal implementation detail of Istio. CRDs define data structures for storing runtime configuration
+specified by a human operator.
+
+This chart must be run to completion prior to running other Istio charts, or other Istio charts will fail to initialize.
+
+## Prerequisites
+
+- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required
+- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required
+
+## Resources Required
+
+The chart deploys pods that consume minimal resources.
+
+## Installing the Chart
+
+1. If a service account has not already been installed for Tiller, install one:
+ ```
+ $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
+ ```
+
+1. If Tiller has not already been installed in your cluster, Install Tiller on your cluster with the service account:
+ ```
+ $ helm init --service-account tiller
+ ```
+
+1. Install the Istio initializer chart:
+ ```
+ $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system
+ ```
+
+ > Although you can install the `istio-init` chart to any namespace, it is recommended to install `istio-init` in the same namespace(`istio-system`) as other Istio charts.
+
+## Configuration
+
+The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
+To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
+
+Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
+
+| Parameter | Description | Values | Default |
+| --- | --- | --- | --- |
+| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
+| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
+| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
+
+
+## Uninstalling the Chart
+
+> Uninstalling this chart does not delete Istio's registered CRDs. Istio by design expects
+> CRDs to leak into the Kubernetes environment. As CRDs contain all runtime configuration
+> data in CustomResources the Istio designers feel it is better to explicitly delete this
+> configuration rather then unexpectedly lose it.
+
+To uninstall/delete the `istio-init` release but continue to track the release:
+ ```
+ $ helm delete istio-init
+ ```
+
+To uninstall/delete the `istio-init` release completely and make its name free for later use:
+ ```
+ $ helm delete istio-init --purge
+ ```
+
+> Warning: Deleting CRDs will delete any configuration that you have made to Istio.
+
+To delete all CRDs, run the following command
+ ```
+ $ for i in istio-init/files/*crd*yaml; do kubectl delete -f $i; done
+ ```
diff --git a/istio-init/files/crd-10.yaml b/istio-init/files/crd-10.yaml
new file mode 100644
index 0000000..f3ac8f7
--- /dev/null
+++ b/istio-init/files/crd-10.yaml
@@ -0,0 +1,594 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: virtualservices.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/hook": crd-install
+spec:
+ group: networking.istio.io
+ names:
+ kind: VirtualService
+ listKind: VirtualServiceList
+ plural: virtualservices
+ singular: virtualservice
+ shortNames:
+ - vs
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.gateways
+ description: The names of gateways and sidecars that should apply these routes
+ name: Gateways
+ type: string
+ - JSONPath: .spec.hosts
+ description: The destination hosts to which traffic is being sent
+ name: Hosts
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationrules.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ singular: destinationrule
+ shortNames:
+ - dr
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.host
+ description: The name of a service from the service registry
+ name: Host
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceentries.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: ServiceEntry
+ listKind: ServiceEntryList
+ plural: serviceentries
+ singular: serviceentry
+ shortNames:
+ - se
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+ additionalPrinterColumns:
+ - JSONPath: .spec.hosts
+ description: The hosts associated with the ServiceEntry
+ name: Hosts
+ type: string
+ - JSONPath: .spec.location
+ description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)
+ name: Location
+ type: string
+ - JSONPath: .spec.resolution
+ description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
+ name: Resolution
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: gateways.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: Gateway
+ plural: gateways
+ singular: gateway
+ shortNames:
+ - gw
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: sidecars.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+spec:
+ group: networking.istio.io
+ names:
+ kind: Sidecar
+ plural: sidecars
+ singular: sidecar
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: envoyfilters.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: EnvoyFilter
+ plural: envoyfilters
+ singular: envoyfilter
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: clusterrbacconfigs.rbac.istio.io
+ labels:
+ app: istio-pilot
+ istio: rbac
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ClusterRbacConfig
+ plural: clusterrbacconfigs
+ singular: clusterrbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Cluster
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: policies.authentication.istio.io
+ labels:
+ app: istio-citadel
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: authentication.istio.io
+ names:
+ kind: Policy
+ plural: policies
+ singular: policy
+ categories:
+ - istio-io
+ - authentication-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: meshpolicies.authentication.istio.io
+ labels:
+ app: istio-citadel
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: authentication.istio.io
+ names:
+ kind: MeshPolicy
+ listKind: MeshPolicyList
+ plural: meshpolicies
+ singular: meshpolicy
+ categories:
+ - istio-io
+ - authentication-istio-io
+ scope: Cluster
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecbindings.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpecBinding
+ plural: httpapispecbindings
+ singular: httpapispecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: httpapispecs.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: HTTPAPISpec
+ plural: httpapispecs
+ singular: httpapispec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecbindings.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpecBinding
+ plural: quotaspecbindings
+ singular: quotaspecbinding
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: quotaspecs.config.istio.io
+ labels:
+ app: istio-mixer
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: QuotaSpec
+ plural: quotaspecs
+ singular: quotaspec
+ categories:
+ - istio-io
+ - apim-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rules.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: rule
+ plural: rules
+ singular: rule
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: attributemanifests.config.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: core
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: attributemanifest
+ plural: attributemanifests
+ singular: attributemanifest
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: rbacconfigs.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: RbacConfig
+ plural: rbacconfigs
+ singular: rbacconfig
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: serviceroles.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ServiceRole
+ plural: serviceroles
+ singular: servicerole
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: servicerolebindings.rbac.istio.io
+ labels:
+ app: mixer
+ package: istio.io.mixer
+ istio: rbac
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: rbac.istio.io
+ names:
+ kind: ServiceRoleBinding
+ plural: servicerolebindings
+ singular: servicerolebinding
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+ additionalPrinterColumns:
+ - JSONPath: .spec.roleRef.name
+ description: The name of the ServiceRole object being referenced
+ name: Reference
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: adapters.config.istio.io
+ labels:
+ app: mixer
+ package: adapter
+ istio: mixer-adapter
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: adapter
+ plural: adapters
+ singular: adapter
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: instances.config.istio.io
+ labels:
+ app: mixer
+ package: instance
+ istio: mixer-instance
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: instance
+ plural: instances
+ singular: instance
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: templates.config.istio.io
+ labels:
+ app: mixer
+ package: template
+ istio: mixer-template
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: template
+ plural: templates
+ singular: template
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: handlers.config.istio.io
+ labels:
+ app: mixer
+ package: handler
+ istio: mixer-handler
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: config.istio.io
+ names:
+ kind: handler
+ plural: handlers
+ singular: handler
+ categories:
+ - istio-io
+ - policy-istio-io
+ scope: Namespaced
+ version: v1alpha2
+---
diff --git a/istio-init/files/crd-11.yaml b/istio-init/files/crd-11.yaml
new file mode 100644
index 0000000..f3711ec
--- /dev/null
+++ b/istio-init/files/crd-11.yaml
@@ -0,0 +1,23 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: sidecars.networking.istio.io
+ labels:
+ app: istio-pilot
+ chart: istio
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ group: networking.istio.io
+ names:
+ kind: Sidecar
+ plural: sidecars
+ singular: sidecar
+ categories:
+ - istio-io
+ - networking-istio-io
+ scope: Namespaced
+ version: v1alpha3
+---
diff --git a/istio-init/files/crd-12.yaml b/istio-init/files/crd-12.yaml
new file mode 100644
index 0000000..36e0c8a
--- /dev/null
+++ b/istio-init/files/crd-12.yaml
@@ -0,0 +1,21 @@
+kind: CustomResourceDefinition
+apiVersion: apiextensions.k8s.io/v1beta1
+metadata:
+ name: authorizationpolicies.rbac.istio.io
+ labels:
+ app: istio-pilot
+ istio: rbac
+ heritage: Tiller
+ release: istio
+spec:
+ group: rbac.istio.io
+ names:
+ kind: AuthorizationPolicy
+ plural: authorizationpolicies
+ singular: authorizationpolicy
+ categories:
+ - istio-io
+ - rbac-istio-io
+ scope: Namespaced
+ version: v1alpha1
+---
diff --git a/istio-init/files/crd-certmanager-10.yaml b/istio-init/files/crd-certmanager-10.yaml
new file mode 100644
index 0000000..594b659
--- /dev/null
+++ b/istio-init/files/crd-certmanager-10.yaml
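Review bot: `sidecars.networking.istio.io` is defined twice — in crd-10.yaml without any annotation and again in crd-11.yaml with `"helm.sh/resource-policy": keep` — so whichever file is applied last decides the CRD's annotations, and the two copies disagree. Within crd-10.yaml, `virtualservices.networking.istio.io` is the only definition carrying `"helm.sh/hook": crd-install` while its siblings carry `"helm.sh/resource-policy": keep`, `authorizationpolicies.rbac.istio.io` in crd-12.yaml carries neither, and the same split recurs between crd-certmanager-10.yaml (`crd-install`) and crd-certmanager-11.yaml (`keep`). If these files are applied by a job with kubectl rather than rendered by Tiller, both annotations are presumably inert, but a mixed set still misleads anyone reading the manifests to decide which CRDs survive `helm delete`. I would drop the duplicate Sidecar definition from one of the two files and add a one-line comment at the top of each crd-*.yaml stating which annotation policy the file follows and why.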
@@ -0,0 +1,81 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterissuers.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/hook": crd-install
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: ClusterIssuer
+ plural: clusterissuers
+ scope: Cluster
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: issuers.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/hook": crd-install
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Issuer
+ plural: issuers
+ scope: Namespaced
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: certificates.certmanager.k8s.io
+ labels:
+ app: certmanager
+ chart: certmanager
+ heritage: Tiller
+ release: istio
+ annotations:
+ "helm.sh/hook": crd-install
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - JSONPath: .spec.secretName
+ name: Secret
+ type: string
+ - JSONPath: .spec.issuerRef.name
+ name: Issuer
+ type: string
+ priority: 1
+ - JSONPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ type: string
+ priority: 1
+ - JSONPath: .metadata.creationTimestamp
+ description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ scope: Namespaced
+ names:
+ kind: Certificate
+ plural: certificates
+ shortNames:
+ - cert
+ - certs
diff --git a/istio-init/files/crd-certmanager-11.yaml b/istio-init/files/crd-certmanager-11.yaml
new file mode 100644
index 0000000..963f271
--- /dev/null
+++ b/istio-init/files/crd-certmanager-11.yaml
@@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ name: Age
+ type: date
+ group: certmanager.k8s.io
+ version: v1alpha1
+ names:
+ kind: Challenge
+ plural: challenges
+ scope: Namespaced
diff --git a/istio-init/templates/clusterrole.yaml b/istio-init/templates/clusterrole.yaml
new file mode 100644
index 0000000..f7116c8
--- /dev/null
+++ b/istio-init/templates/clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-init-{{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: init
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "create", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "get", "list", "watch", "patch"]
diff --git a/istio-init/templates/clusterrolebinding.yaml b/istio-init/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..481674c
--- /dev/null
+++ b/istio-init/templates/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-init-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: init
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-init-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-init-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-init/templates/configmap-crd-10.yaml b/istio-init/templates/configmap-crd-10.yaml
new file mode 100644
index 0000000..69e37fa
--- /dev/null
+++ b/istio-init/templates/configmap-crd-10.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-10
+data:
+ crd-10.yaml: |-
+{{.Files.Get "files/crd-10.yaml" | printf "%s" | indent 4}}
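Review bot: The first rule of the `istio-init-{{ .Release.Namespace }}` ClusterRole grants get/list/create/watch on ConfigMaps in every namespace, but nothing in this chart needs it: the init Jobs consume the CRD ConfigMaps as mounted volumes, which the kubelet resolves without any permission on the pod's ServiceAccount, and `kubectl apply` on the CRD files is covered by the `customresourcedefinitions` rule alone. Unless something outside this diff relies on that access, the rule can be dropped, or at least narrowed to a namespaced Role bound in `{{ .Release.Namespace }}`, leaving the cluster-scoped role with only the CRD verbs it actually needs. The binding's name `istio-init-admin-role-binding-{{ .Release.Namespace }}` also overstates what it grants; `istio-init-role-binding-{{ .Release.Namespace }}` would describe it. Suffixing both cluster-scoped names with the release namespace is a good call, since it keeps two releases from fighting over one object.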
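Review bot: `{{.Files.Get "files/crd-10.yaml" | printf "%s" | indent 4}}` renders an empty `crd-10.yaml` key when the file is missing from the packaged chart, because `.Files.Get` returns an empty string instead of failing, and the error then surfaces only when the matching Job runs `kubectl apply` on an empty file. `{{ .Files.Get "files/crd-10.yaml" | required "files/crd-10.yaml is missing from the chart" | indent 4 }}` fails at render time with a clear message instead; the `printf "%s"` stage is a no-op and can go. The same line appears in configmap-crd-11, configmap-crd-12, configmap-crd-certmanager-10 and configmap-crd-certmanager-11.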
diff --git a/istio-init/templates/configmap-crd-11.yaml b/istio-init/templates/configmap-crd-11.yaml
new file mode 100644
index 0000000..952640d
--- /dev/null
+++ b/istio-init/templates/configmap-crd-11.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-11
+data:
+ crd-11.yaml: |-
+{{.Files.Get "files/crd-11.yaml" | printf "%s" | indent 4}}
diff --git a/istio-init/templates/configmap-crd-12.yaml b/istio-init/templates/configmap-crd-12.yaml
new file mode 100644
index 0000000..a497365
--- /dev/null
+++ b/istio-init/templates/configmap-crd-12.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-12
+data:
+ crd-12.yaml: |-
+{{.Files.Get "files/crd-12.yaml" | printf "%s" | indent 4}}
diff --git a/istio-init/templates/configmap-crd-certmanager-10.yaml b/istio-init/templates/configmap-crd-certmanager-10.yaml
new file mode 100644
index 0000000..8ab3e83
--- /dev/null
+++ b/istio-init/templates/configmap-crd-certmanager-10.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.certmanager.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-certmanager-10
+data:
+ crd-certmanager-10.yaml: |-
+{{.Files.Get "files/crd-certmanager-10.yaml" | printf "%s" | indent 4}}
+{{- end }}
diff --git a/istio-init/templates/configmap-crd-certmanager-11.yaml b/istio-init/templates/configmap-crd-certmanager-11.yaml
new file mode 100644
index 0000000..beef304
--- /dev/null
+++ b/istio-init/templates/configmap-crd-certmanager-11.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.certmanager.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-certmanager-11
+data:
+ crd-certmanager-11.yaml: |-
+{{.Files.Get "files/crd-certmanager-11.yaml" | printf "%s" | indent 4}}
+{{- end }}
diff --git a/istio-init/templates/job-crd-10.yaml b/istio-init/templates/job-crd-10.yaml
new file mode 100644
index 0000000..87d6469
--- /dev/null
+++ b/istio-init/templates/job-crd-10.yaml
@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-10
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-10
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-10
+ mountPath: /etc/istio/crd-10
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-10/crd-10.yaml"]
+ volumes:
+ - name: crd-10
+ configMap:
+ name: istio-crd-10
+ restartPolicy: OnFailure
diff --git a/istio-init/templates/job-crd-11.yaml b/istio-init/templates/job-crd-11.yaml
new file mode 100644
index 0000000..0f3a4b8
--- /dev/null
+++ b/istio-init/templates/job-crd-11.yaml
@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-11
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-11
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-11
+ mountPath: /etc/istio/crd-11
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-11/crd-11.yaml"]
+ volumes:
+ - name: crd-11
+ configMap:
+ name: istio-crd-11
+ restartPolicy: OnFailure
diff --git a/istio-init/templates/job-crd-12.yaml b/istio-init/templates/job-crd-12.yaml
new file mode 100644
index 0000000..a8d483c
--- /dev/null
+++ b/istio-init/templates/job-crd-12.yaml
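Review bot: The `istio-init-crd-10` container runs `kubectl apply` under a ServiceAccount that can create and patch CRDs cluster-wide, yet it sets no `securityContext`; the kubectl image needs no privilege beyond its token, so adding `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` to the container limits what a compromised job pod can do on the node without affecting the apply. The Job also carries no `helm.sh/hook` annotation, and since a Job's pod template is immutable once created, a later `helm upgrade` that changes `.Values.global.tag` will presumably fail to patch the completed Job instead of re-running it — confirm how the parent chart manages these Jobs across upgrades and document the intended lifecycle in a comment above `kind: Job`. The same two points apply to job-crd-11, job-crd-12, job-crd-certmanager-10 and job-crd-certmanager-11.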
@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-12
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-12
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-12
+ mountPath: /etc/istio/crd-12
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-12/crd-12.yaml"]
+ volumes:
+ - name: crd-12
+ configMap:
+ name: istio-crd-12
+ restartPolicy: OnFailure
diff --git a/istio-init/templates/job-crd-certmanager-10.yaml b/istio-init/templates/job-crd-certmanager-10.yaml
new file mode 100644
index 0000000..028df6e
--- /dev/null
+++ b/istio-init/templates/job-crd-certmanager-10.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.certmanager.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-certmanager-10
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-certmanager-10
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-certmanager-10
+ mountPath: /etc/istio/crd-certmanager-10
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-10/crd-certmanager-10.yaml"]
+ volumes:
+ - name: crd-certmanager-10
+ configMap:
+ name: istio-crd-certmanager-10
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/istio-init/templates/job-crd-certmanager-11.yaml b/istio-init/templates/job-crd-certmanager-11.yaml
new file mode 100644
index 0000000..1b6cb4e
--- /dev/null
+++ b/istio-init/templates/job-crd-certmanager-11.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.certmanager.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-init-crd-certmanager-11
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-init-service-account
+ containers:
+ - name: istio-init-crd-certmanager-11
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - name: crd-certmanager-11
+ mountPath: /etc/istio/crd-certmanager-11
+ readOnly: true
+ command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-11/crd-certmanager-11.yaml"]
+ volumes:
+ - name: crd-certmanager-11
+ configMap:
+ name: istio-crd-certmanager-11
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/istio-init/templates/serviceaccount.yaml b/istio-init/templates/serviceaccount.yaml
new file mode 100644
index 0000000..dce9017
--- /dev/null
+++ b/istio-init/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-init-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: init
+
diff --git a/istio-init/values.yaml b/istio-init/values.yaml
new file mode 100644
index 0000000..25f9ef1
--- /dev/null
+++ b/istio-init/values.yaml
@@ -0,0 +1,16 @@
+global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
+ hub: gcr.io/istio-release
+
+ # Default tag for Istio images.
+ tag: master-latest-daily
+
+ # imagePullPolicy is applied to istio control plane components.
+ # local tests require IfNotPresent, to avoid uploading to dockerhub.
+ # TODO: Switch to Always as default, and override in the local tests.
+ imagePullPolicy: IfNotPresent
+
+certmanager:
+ enabled: false
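Review bot: The default `tag: master-latest-daily` in istio-init/values.yaml is a moving tag, and combined with `imagePullPolicy: IfNotPresent` each node keeps whichever `kubectl` build it pulled first, so the init Jobs may run different, unreviewed images on different nodes while holding a ServiceAccount that can create and patch CRDs cluster-wide. The parent chart presumably overrides `global.tag`, but the chart's own default should still name the release this commit targets, e.g. `tag: 1.1.2`, and the comment above `hub:` should say that the hub/tag pair selects the image that runs `kubectl apply` with cluster-scoped rights so that it is treated as a pinned dependency rather than a convenience default. The existing `TODO` about switching to `Always` is the other half of the same issue and is worth resolving together with the pin.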
diff --git a/istio/.helmignore b/istio/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/istio/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/istio/LICENSE b/istio/LICENSE new file mode 100644 index 0000000..56df9b2 --- /dev/null +++ b/istio/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2018 Istio Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/istio/charts/certmanager/templates/NOTES.txt b/istio/charts/certmanager/templates/NOTES.txt new file mode 100644 index 0000000..0307ede --- /dev/null +++ b/istio/charts/certmanager/templates/NOTES.txt @@ -0,0 +1,6 @@ +certmanager has been deployed successfully! + +More information on the different types of issuers and how to configure them +can be found in our documentation: + +https://cert-manager.readthedocs.io/en/latest/reference/issuers.html \ No newline at end of file diff --git a/istio/charts/certmanager/templates/poddisruptionbudget.yaml b/istio/charts/certmanager/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..b251e36 --- /dev/null +++ b/istio/charts/certmanager/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,24 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: certmanager + namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + version: {{ .Chart.Version }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 4 }} + {{- end }} +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: certmanager + release: {{ .Release.Name }} +{{- end }} diff --git a/istio/charts/certmanager/values.yaml b/istio/charts/certmanager/values.yaml new file mode 100644 index 0000000..33c2857 --- /dev/null +++ b/istio/charts/certmanager/values.yaml 
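Review bot: The inner `{{- if .Values.global.defaultPodDisruptionBudget.enabled }}` around the `podDisruptionBudget.spec` include repeats the guard that already wraps the whole certmanager poddisruptionbudget.yaml, so that branch can never be skipped and the extra `{{- end }}` only adds noise; keep the include and drop the inner check. galley/templates/poddisruptionbudget.yaml has the same redundant inner guard. `podLabels` are merged into `metadata.labels` but deliberately not into `selector.matchLabels`, which is correct for a PDB but reads like an omission, so a one-line comment above `selector:` saying the selector is intentionally fixed to `app`/`release` would prevent a future "fix".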
@@ -0,0 +1,31 @@ +# Certmanager uses ACME to sign certificates. Since Istio gateways are +# mounting the TLS secrets the Certificate CRDs must be created in the +# istio-system namespace. Once the certificate has been created, the +# gateway must be updated by adding 'secretVolumes'. After the gateway +# restart, DestinationRules can be created using the ACME-signed certificates. +enabled: false +hub: quay.io/jetstack +tag: v0.6.2 +resources: {} +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/galley/OWNERS b/istio/charts/galley/OWNERS new file mode 100644 index 0000000..d6a0e1b --- /dev/null +++ b/istio/charts/galley/OWNERS @@ -0,0 +1,5 @@ +approvers: + - cmluciano + - geeknoid + - ozevren + - ayj diff --git a/istio/charts/galley/templates/poddisruptionbudget.yaml b/istio/charts/galley/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..75bf778 --- /dev/null +++ b/istio/charts/galley/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,22 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: {{ template "galley.name" . }} + release: {{ .Release.Name }} + istio: galley +{{- end }} diff --git a/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl b/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl new file mode 100644 index 0000000..7847d24 --- /dev/null +++ b/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl 
@@ -0,0 +1,120 @@ +{{ define "validatingwebhookconfiguration.yaml.tpl" }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-galley + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +webhooks: +{{- if .Values.global.configValidation }} + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: {{ .Release.Namespace }} + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + sideEffects: None + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: {{ .Release.Namespace }} + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + - adapters + - handlers + - 
instances + - templates + - zipkins + failurePolicy: Fail + sideEffects: None +{{- end }} +{{- end }} diff --git a/istio/charts/galley/values.yaml b/istio/charts/galley/values.yaml new file mode 100644 index 0000000..5911982 --- /dev/null +++ b/istio/charts/galley/values.yaml @@ -0,0 +1,28 @@ +# +# galley configuration +# +enabled: true +replicaCount: 1 +image: galley +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/gateways/templates/_affinity.tpl b/istio/charts/gateways/templates/_affinity.tpl new file mode 100644 index 0000000..6720123 --- /dev/null +++ b/istio/charts/gateways/templates/_affinity.tpl 
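Review bot: Both webhooks in validatingwebhookconfiguration.yaml.tpl set `caBundle: ""` together with `failurePolicy: Fail`, so as rendered the API server has no CA with which to verify galley's serving certificate and every CREATE/UPDATE of the listed Istio resources is rejected until something patches the bundle in; presumably galley does that at startup, but the template should say so, e.g. `# caBundle is intentionally empty here and is expected to be patched with the current CA at runtime — confirm which component does this` above each `caBundle:`. The configuration also has no `namespaceSelector`, so the webhooks apply to every namespace including `kube-system`; that is plausible for a mesh-wide validator but deserves a sentence in the chart README so operators are not surprised when galley being down blocks unrelated Istio config changes. Since the file is wrapped in `{{ define "validatingwebhookconfiguration.yaml.tpl" }}`, nothing is rendered from it directly, and the place that includes it is outside this diff.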
@@ -0,0 +1,93 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "gatewaynodeaffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewayNodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewayNodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "gatewayNodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .root.Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val }}
+ {{- end }}
+{{- end }}
+
+{{- define "gatewayNodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .root.Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if .podAntiAffinityTermLabelSelector }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.value }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/istio/charts/gateways/templates/_helpers.tpl b/istio/charts/gateways/templates/_helpers.tpl
new file mode 100644
index 0000000..bfc8bc4
--- /dev/null
+++ b/istio/charts/gateways/templates/_helpers.tpl
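Review bot: In `gatewaypodAntiAffinityRequiredDuringScheduling` the guard reads `{{- if $item.value }}` but the body splits `$item.values`, so the `values:` list of a required anti-affinity term is only rendered when the item happens to carry a `value` key; the preferred branch below correctly tests `$item.values`. With the shape documented in values.yaml (`values: S1,S2`), the required term would render an `In` operator with no values, which Kubernetes validation should reject. Change the guard to `{{- if $item.values }}` so both branches agree.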
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gateway.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gateway.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio/charts/gateways/templates/poddisruptionbudget.yaml b/istio/charts/gateways/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000..36a2d5a
--- /dev/null
+++ b/istio/charts/gateways/templates/poddisruptionbudget.yaml
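Review bot: The comment on `gateway.chart` says it creates "chart name and version", but the body emits only `.Chart.Name | trunc 63 | trimSuffix "-"`; no version is included. The other templates in this commit put the result in the `chart:` label, so I'd keep the behaviour and correct the doc to `Create the chart name as used by the chart label (the version is not included).`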
@@ -0,0 +1,31 @@
+{{- range $key, $spec := .Values }}
+{{- if and (ne $key "enabled") }}
+{{- if $spec.enabled }}
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $key }}
+ namespace: {{ $spec.namespace | default $.Release.Namespace }}
+ labels:
+ chart: {{ template "gateway.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+spec:
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ release: {{ $.Release.Name }}
+ {{- range $key, $val := $spec.labels }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio/charts/gateways/templates/preconfigured.yaml b/istio/charts/gateways/templates/preconfigured.yaml
new file mode 100644
index 0000000..8d3dee9
--- /dev/null
+++ b/istio/charts/gateways/templates/preconfigured.yaml
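Review bot: `{{- if and (ne $key "enabled") }}` applies `and` to a single operand, which is a no-op wrapper; write `{{- if ne $key "enabled" }}` as role.yaml and rolebindings.yaml in this same commit do. The inner `{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}` around the `include` is likewise redundant, because the whole resource is already inside an identical check four lines above, so that guard can never be false when reached. Both are style points; rendered output is unchanged.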
@@ -0,0 +1,239 @@ +{{- if .Values.global.k8sIngress.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-autogenerated-k8s-ingress + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + istio: {{ .Values.global.k8sIngress.gatewayName }} + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" +{{ if .Values.global.k8sIngress.enableHttps }} + - port: + number: 443 + protocol: HTTPS + name: https-default + tls: + mode: SIMPLE + serverCertificate: /etc/istio/ingress-certs/tls.crt + privateKey: /etc/istio/ingress-certs/tls.key + hosts: + - "*" +{{ end }} +--- +{{ end }} + +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-ilb-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + istio: ilbgateway + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 8060 + protocol: TCP + name: tcp-citadel + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +{{- else }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 8060 + protocol: TCP + name: tcp-citadel + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +{{- end }} +{{- end }} + +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-egressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-egressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - hosts: + - "*.global" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - hosts: + - "*.global" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + workloadLabels: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + filters: + - listenerMatch: + portNumber: 15443 + listenerType: GATEWAY + insertPosition: + index: AFTER + relativeTo: envoy.filters.network.sni_cluster + filterName: envoy.filters.network.tcp_cluster_rewrite + filterType: NETWORK + filterConfig: + cluster_pattern: "\\.global$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +## To ensure all traffic to *.global is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-destinationrule + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: "*.global" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +{{- end }} 
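Review bot: The `selector:` of `istio-multicluster-egressgateway` is only filled when `istio-egressgateway.enabled` is true, but the resource is emitted whenever `global.multiCluster.enabled` is set, and the values.yaml added in this commit defaults the egress gateway to `enabled: false`; the rendered Gateway then carries an empty `selector`, which is at best a dangling object and — depending on how Pilot treats an empty selector — could attach the `*.global` TLS passthrough server to every gateway workload. The same pattern applies to `meshexpansion-gateway`, to `istio-multicluster-ingressgateway` (Gateway and EnvoyFilter `workloadLabels`), all of which depend on `istio-ingressgateway.enabled`. I'd gate each resource on the gateway it selects, e.g. `{{- if and .Values.global.multiCluster.enabled (index .Values "istio-egressgateway").enabled }}`, with the matching `index .Values "istio-ingressgateway"` guard for the ingress-based ones.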
diff --git a/istio/charts/gateways/templates/role.yaml b/istio/charts/gateways/templates/role.yaml
new file mode 100644
index 0000000..de46604
--- /dev/null
+++ b/istio/charts/gateways/templates/role.yaml
@@ -0,0 +1,18 @@
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $key }}-sds
+ namespace: {{ $.Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio/charts/gateways/templates/rolebindings.yaml b/istio/charts/gateways/templates/rolebindings.yaml
new file mode 100644
index 0000000..4bb3015
--- /dev/null
+++ b/istio/charts/gateways/templates/rolebindings.yaml
@@ -0,0 +1,21 @@
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $key }}-sds
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $key }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $key }}-service-account
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio/charts/gateways/values.yaml b/istio/charts/gateways/values.yaml
new file mode 100644
index 0000000..0ef14a3
--- /dev/null
+++ b/istio/charts/gateways/values.yaml
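Review bot: `{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}` is not Go-template conjunction syntax: `and` is a prefix function, and a parenthesized pipeline as the first operand takes no arguments, so depending on the engine's Go version the trailing operands are either silently ignored (the check degrades to "an `sds` block exists", which the default `istio-ingressgateway` in values.yaml satisfies even with `sds.enabled: false`) or rejected as an error. Since the Role grants `get/watch/list` on every Secret in the release namespace, creating it for a gateway whose SDS is off widens that service account's reach for no benefit, so the guard deserves to be exact. Split it into `{{- if $spec.sds }}` / `{{- if $spec.sds.enabled }}` with an extra `{{- end }}`, which also avoids dereferencing `.enabled` on gateways that have no `sds` block (istio-egressgateway, istio-ilbgateway). The same line appears in rolebindings.yaml in this hunk group and needs the identical fix.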
@@ -0,0 +1,258 @@ +# +# Gateways Configuration +# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. +# You can add more gateways in addition to the defaults but make sure those are uniquely named +# and that NodePorts are not conflicting. +# Disable specifc gateway by setting the `enabled` to false. +# +enabled: true + +istio-ingressgateway: + enabled: true + # + # Secret Discovery Service (SDS) configuration for ingress gateway. + # + sds: + # If true, ingress gateway fetches credentials from SDS server to handle TLS connections. + enabled: false + # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. + # This server runs in the same pod as ingress gateway. + image: node-agent-k8s + labels: + app: istio-ingressgateway + istio: ingressgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 256Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalIPs: [] + serviceAnnotations: {} + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out + ports: + ## You can add custom gateway ports + - port: 80 + targetPort: 80 + name: http2 + nodePort: 31380 + - port: 443 + name: https + nodePort: 31390 + # Example of a port to add. 
Remove if not needed + - port: 31400 + name: tcp + nodePort: 31400 + ### PORTS FOR UI/metrics ##### + ## Disable if not needed + - port: 15029 + targetPort: 15029 + name: https-kiali + - port: 15030 + targetPort: 15030 + name: https-prometheus + - port: 15031 + targetPort: 15031 + name: https-grafana + - port: 15032 + targetPort: 15032 + name: https-tracing + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + - port: 15020 + targetPort: 15020 + name: status-port + #### MESH EXPANSION PORTS ######## + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + # Delete these ports if mesh expansion is not enabled, to avoid + # exposing unnecessary ports on the web. + # You can remove these ports if you are not using mesh expansion + meshExpansionPorts: + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 15004 + targetPort: 15004 + name: tcp-mixer-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + - port: 853 + targetPort: 853 + name: tcp-dns-tls + ####### end MESH EXPANSION PORTS ###### + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + ### Advanced options ############ + env: + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + nodeSelector: {} + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. 
+ # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote “hard” vs. “soft” requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # “security” and value “S1”. + podAntiAffinityLabelSelector: {} + podAntiAffinityTermLabelSelector: {} + +istio-egressgateway: + enabled: false + labels: + app: istio-egressgateway + istio: egressgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 256Mi + cpu: + targetAverageUtilization: 80 + serviceAnnotations: {} + podAnnotations: {} + type: ClusterIP #change to NodePort or LoadBalancer if need be + ports: + - port: 80 + name: http2 + - port: 443 + name: https + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + #### Advanced options ######## + env: + # Set this to "external" if and only if you want the egress gateway to + # act as a transparent SNI gateway that routes mTLS/TLS traffic to + # external services defined using service entries, where the service + # entry has resolution set to DNS, has one or more endpoints with + # network field set to "external". 
By default its set to "" so that + # the egress gateway sees the same set of endpoints as the sidecars + # preserving backward compatibility + # ISTIO_META_REQUESTED_NETWORK_VIEW: "" + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + nodeSelector: {} + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote “hard” vs. “soft” requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # “security” and value “S1”. + podAntiAffinityLabelSelector: {} + podAntiAffinityTermLabelSelector: {} + +# Mesh ILB gateway creates a gateway of type InternalLoadBalancer, +# for mesh expansion. It exposes the mtls ports for Pilot,CA as well +# as non-mtls ports to support upgrades and gradual transition. 
+istio-ilbgateway: + enabled: false + labels: + app: istio-ilbgateway + istio: ilbgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + cpu: + targetAverageUtilization: 80 + resources: + requests: + cpu: 800m + memory: 512Mi + #limits: + # cpu: 1800m + # memory: 256Mi + loadBalancerIP: "" + serviceAnnotations: + cloud.google.com/load-balancer-type: "internal" + podAnnotations: {} + type: LoadBalancer + ports: + ## You can add custom gateway ports - google ILB default quota is 5 ports, + - port: 15011 + name: grpc-pilot-mtls + # Insecure port - only for migration from 0.8. Will be removed in 1.1 + - port: 15010 + name: grpc-pilot + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + # Port 5353 is forwarded to kube-dns + - port: 5353 + name: tcp-dns + secretVolumes: + - name: ilbgateway-certs + secretName: istio-ilbgateway-certs + mountPath: /etc/istio/ilbgateway-certs + - name: ilbgateway-ca-certs + secretName: istio-ilbgateway-ca-certs + mountPath: /etc/istio/ilbgateway-ca-certs + nodeSelector: {} diff --git a/istio/charts/grafana/dashboards/galley-dashboard.json b/istio/charts/grafana/dashboards/galley-dashboard.json new file mode 100644 index 0000000..5487cf8 --- /dev/null +++ b/istio/charts/grafana/dashboards/galley-dashboard.json 
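Review bot: The comment on the ILB gateway's port 15010, `# Insecure port - only for migration from 0.8. Will be removed in 1.1`, is stale in a chart this commit bumps to 1.1.2, yet the entry `- port: 15010 / name: grpc-pilot` is still in the default `istio-ilbgateway` port list (the gateway itself defaults to `enabled: false`). Either drop the entry, or if it must stay for compatibility, reword the comment to state that it exposes Pilot without TLS to anything that can reach the internal load balancer and should be removed once no 0.8-era clients remain. The chart already does this for the ingress `meshExpansionPorts` ("Delete these ports if mesh expansion is not enabled"), so this would follow its own convention.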
@@ -0,0 +1,1819 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 46, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"galley\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Galley Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 40, + 
"panels": [], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 36, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "A" + }, + { + "expr": "process_resident_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "B" + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "C" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F" + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "G" + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "H" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Total 
(kis)", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 38, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "galley (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + 
"title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 12, + "y": 6 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Open FDs (galley)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} ", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 6 + }, + "id": 44, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "goroutines_total", + "refId": "A" + }, + { + "expr": "galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "clients_total", + "refId": "B" + }, + { + "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "avg_goroutines_per_client", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 10, + "panels": [], + "title": "Runtime", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + 
"dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 15 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Strategy Change Events", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Processed Events", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Snapshot Published", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Event Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 15 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + 
"max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Max Time Reached", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Quiesce Reached", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Timer Resets", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Timer Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 15 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 3, 
+ "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P95", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Events Per Snapshot", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ typeURL }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "State Type Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Count", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 34, + "panels": [], + "title": "Validation", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 28 + }, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + 
"format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 28 + }, + "id": 30, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + 
"value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 28 + }, + "id": 32, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 34 + }, + "id": 12, + "panels": [], + "title": "Kubernetes Source", + 
"type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Success", + "refId": "A" + }, + { + "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Source Event Rate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 16, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Successes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Conversions/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Failures", + 
"tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Failures/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 41 + }, + "id": 18, + "panels": [], + "title": "Mesh Configuration Protocol", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_mcp_source_clients_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Clients", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Connected Clients", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + 
"align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request ACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "ACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 42 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": 
false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request NACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "NACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "TSEY6jLmk", + "version": 1 +} diff --git a/istio/charts/grafana/dashboards/istio-mesh-dashboard.json b/istio/charts/grafana/dashboards/istio-mesh-dashboard.json new file mode 100644 index 0000000..99c911f --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-mesh-dashboard.json 
@@ -0,0 +1,953 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false 
+ }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + 
"text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 111, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/dashboards/istio-performance-dashboard.json b/istio/charts/grafana/dashboards/istio-performance-dashboard.json new file mode 100644 index 0000000..621709f --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-performance-dashboard.json 
@@ -0,0 +1,618 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 1, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": 
"sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + 
"h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + 
"name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. \n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.", + "gridPos": { + "h": 4, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 11, + "links": [], + "mode": "markdown", + "title": "Istio Performance Dashboard Readme", + "type": "text" + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/dashboards/istio-service-dashboard.json b/istio/charts/grafana/dashboards/istio-service-dashboard.json new file mode 100644 index 0000000..dad423c --- /dev/null 
+++ b/istio/charts/grafana/dashboards/istio-service-dashboard.json @@ -0,0 +1,2601 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "iteration": 1536442501501, + "links": [], + "panels": [ + { + "content": "
\nSERVICE: $service\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": 
"connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Received Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": 
"time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + 
"yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Sent Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nCLIENT WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 
1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + 
"rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "
\nSERVICE WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + 
"stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": 
"time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", 
destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", 
destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + 
"aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": 
"0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + 
] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 1 +} diff --git a/istio/charts/grafana/dashboards/istio-workload-dashboard.json b/istio/charts/grafana/dashboards/istio-workload-dashboard.json new file mode 100644 index 0000000..4d6f7a4 --- /dev/null +++ b/istio/charts/grafana/dashboards/istio-workload-dashboard.json @@ -0,0 +1,2303 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
\nWORKLOAD: $workload.$namespace\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 
80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 0, + 
"y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": 
"", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nINBOUND WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And 
Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
\nOUTBOUND SERVICES\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": 
true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", 
source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + "legend": { + "alignAsTable": false, + "avg": 
false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", 
destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, 
+ "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} diff --git a/istio/charts/grafana/dashboards/mixer-dashboard.json b/istio/charts/grafana/dashboards/mixer-dashboard.json new file mode 100644 index 0000000..151c862 --- /dev/null +++ b/istio/charts/grafana/dashboards/mixer-dashboard.json 
@@ -0,0 +1,1808 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1543881232533, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 62, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 64, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Mixer Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + 
"format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": 
{ + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Mixer Overview

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 21 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_server_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 21 + }, + "id": 8, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 21 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, 
+ "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 21 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ 
grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Adapters and Config

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 37 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 37 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 37 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 37 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Individual Adapters

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 44 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 48 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + 
"w": 12, + "x": 12, + "y": 48 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Mixer Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/dashboards/pilot-dashboard.json b/istio/charts/grafana/dashboards/pilot-dashboard.json new file mode 100644 index 0000000..1d39ce3 --- /dev/null +++ b/istio/charts/grafana/dashboards/pilot-dashboard.json 
@@ -0,0 +1,1595 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 58, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Pilot Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

xDS

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 21 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 21 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 
0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": 
"rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", 
\".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 53, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + 
"nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": 
"{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Pilot Dashboard", + "version": 4 +} diff --git a/istio/charts/grafana/fix_datasources.sh b/istio/charts/grafana/fix_datasources.sh new file mode 100644 index 0000000..33d6869 --- /dev/null +++ b/istio/charts/grafana/fix_datasources.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +UX=$(uname) + +for db in "${THIS_DIR}"/dashboards/*.json; do + if [[ ${UX} == "Darwin" ]]; then + # shellcheck disable=SC2016 + sed -i '' 's/${DS_PROMETHEUS}/Prometheus/g' "$db" + else + # shellcheck disable=SC2016 + sed -i 's/${DS_PROMETHEUS}/Prometheus/g' "$db" + fi +done diff --git a/istio/charts/grafana/templates/configmap-custom-resources.yaml b/istio/charts/grafana/templates/configmap-custom-resources.yaml new file mode 100644 index 0000000..b89bc07 --- /dev/null +++ b/istio/charts/grafana/templates/configmap-custom-resources.yaml 
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: grafana
+data:
+ custom-resources.yaml: |-
+ {{- include "grafana-default.yaml.tpl" . | indent 4}}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/istio/charts/grafana/templates/configmap-dashboards.yaml b/istio/charts/grafana/templates/configmap-dashboards.yaml
new file mode 100644
index 0000000..dd1ab0d
--- /dev/null
+++ b/istio/charts/grafana/templates/configmap-dashboards.yaml
@@ -0,0 +1,18 @@
+{{- $files := .Files }}
+{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+{{- $filename := trimSuffix (ext $path) (base $path) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-configuration-dashboards-{{ $filename }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" $ }}
+ chart: {{ template "grafana.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: grafana
+data:
+ {{ base $path }}: '{{ $files.Get $path }}'
+---
+{{- end }}
diff --git a/istio/charts/grafana/templates/ingress.yaml b/istio/charts/grafana/templates/ingress.yaml
new file mode 100644
index 0000000..0ebe71f
--- /dev/null
+++ b/istio/charts/grafana/templates/ingress.yaml
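Review bot: The `data` entry `{{ base $path }}: '{{ $files.Get $path }}'` embeds each dashboard file inside a single-quoted YAML scalar, so any `'` in a dashboard's JSON (a panel title or description is enough) breaks the rendered ConfigMap at template time, and the `range` over `dashboards/*.json` means any dashboard dropped into that directory later is exposed to the same failure. A block scalar avoids the quoting problem altogether: `{{ base $path }}: |-` followed by `{{ $files.Get $path | indent 4 }}` (with the indent matching the key's nesting).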
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: grafana
+ servicePort: 3000
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: grafana
+ servicePort: 3000
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio/charts/grafana/templates/tests/test-grafana-connection.yaml b/istio/charts/grafana/templates/tests/test-grafana-connection.yaml
new file mode 100644
index 0000000..036391b
--- /dev/null
+++ b/istio/charts/grafana/templates/tests/test-grafana-connection.yaml
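Review bot: With `ingress.enabled` set, Grafana is published on plain HTTP unless `ingress.tls` is also populated, and the grafana `values.yaml` added later in this patch leaves `tls:` empty and sets `security.enabled: false`, so the default exposed endpoint is reachable both unauthenticated and unencrypted from outside the cluster. Nothing in the template enforces the pairing, so it should at least be documented next to `ingress.enabled` in `values.yaml`, e.g. `# Publishes Grafana outside the cluster; set ingress.tls and security.enabled as well, otherwise the dashboard is served unauthenticated over HTTP`.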
@@ -0,0 +1,30 @@
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "grafana.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: grafana-test
+ chart: {{ template "grafana.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: grafana
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "grafana.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://grafana:{{ .Values.grafana.service.externalPort }}']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
diff --git a/istio/charts/grafana/values.yaml b/istio/charts/grafana/values.yaml
new file mode 100644
index 0000000..d5ab7bf
--- /dev/null
+++ b/istio/charts/grafana/values.yaml
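Review bot: The test container's `args: ['http://grafana:{{ .Values.grafana.service.externalPort }}']` reads `.Values.grafana.service.externalPort`, but this template lives in the grafana subchart, whose own `values.yaml` in this patch defines `service.externalPort: 3000` at the top level with no `grafana:` key; unless the parent chart injects one, the lookup either fails to render or yields `http://grafana:` with no port, and the test can only fail. `.Values.service.externalPort` looks like the intended reference. The Kiali test added later in this patch hard-codes `http://kiali:20001`, so the two tests should also agree on one way of locating the service.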
@@ -0,0 +1,86 @@
+#
+# addon grafana configuration
+#
+enabled: false
+replicaCount: 1
+image:
+ repository: grafana/grafana
+ tag: 6.0.0
+ingress:
+ enabled: false
+ ## Used to create an Ingress record.
+ hosts:
+ - grafana.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: grafana-tls
+ # hosts:
+ # - grafana.local
+persist: false
+storageClassName: ""
+accessMode: ReadWriteMany
+security:
+ enabled: false
+ secretName: grafana
+ usernameKey: username
+ passphraseKey: passphrase
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}
+
+contextPath: /grafana
+service:
+ annotations: {}
+ name: http
+ type: ClusterIP
+ externalPort: 3000
+ loadBalancerIP:
+ loadBalancerSourceRanges:
+
+datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ orgId: 1
+ url: http://prometheus:9090
+ access: proxy
+ isDefault: true
+ jsonData:
+ timeInterval: 5s
+ editable: true
+
+dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'istio'
+ orgId: 1
+ folder: 'istio'
+ type: file
+ disableDeletion: false
+ options:
+ path: /var/lib/grafana/dashboards/istio
diff --git a/istio/charts/istiocoredns/Chart.yaml b/istio/charts/istiocoredns/Chart.yaml
new file mode 100644
index 0000000..fa04814
--- /dev/null
+++ b/istio/charts/istiocoredns/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Istio CoreDNS provides DNS resolution for services in multicluster setups.
+name: istiocoredns
+version: 1.1.0
+appVersion: 0.1
+tillerVersion: ">=2.7.2"
diff --git a/istio/charts/istiocoredns/templates/_helpers.tpl b/istio/charts/istiocoredns/templates/_helpers.tpl
new file mode 100644
index 0000000..e7add11
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istiocoredns.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istiocoredns.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istiocoredns.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio/charts/istiocoredns/templates/clusterrole.yaml b/istio/charts/istiocoredns/templates/clusterrole.yaml
new file mode 100644
index 0000000..4242a32
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiocoredns
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
diff --git a/istio/charts/istiocoredns/templates/clusterrolebinding.yaml b/istio/charts/istiocoredns/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..bafd0ca
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/clusterrolebinding.yaml
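Review bot: The comment above `istiocoredns.chart` says it creates the chart name and version, but the body emits only `.Chart.Name | trunc 63 | trimSuffix "-"`, so the `chart:` label carries no version at all. Either the comment should read `Create the chart name (without version) as used by the chart label.` or the helper should follow the usual `printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-"` form. The kiali `_helpers.tpl` added later in this patch carries the identical mismatch.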
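Review bot: `resources: ["*"]` under `networking.istio.io` grants read access to every kind in that API group (VirtualService, DestinationRule, Gateway, EnvoyFilter, and whatever is added later), whereas the chart's stated purpose, DNS resolution for multicluster services, suggests the plugin only needs ServiceEntry objects. If that is the case, `resources: ["serviceentries"]` keeps the ClusterRole at what the plugin actually reads; the verbs are already limited to `get`, `watch`, `list`, so the resource list is the only remaining widening.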
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-istiocoredns-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiocoredns
+subjects:
+- kind: ServiceAccount
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio/charts/istiocoredns/templates/configmap.yaml b/istio/charts/istiocoredns/templates/configmap.yaml
new file mode 100644
index 0000000..50d166f
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/configmap.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health
+ proxy global 127.0.0.1:8053 {
+ protocol grpc insecure
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ reload
+ }
+---
diff --git a/istio/charts/istiocoredns/templates/deployment.yaml b/istio/charts/istiocoredns/templates/deployment.yaml
new file mode 100644
index 0000000..aa67ea0
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/deployment.yaml
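Review bot: The binding name is suffixed with `{{ .Release.Namespace }}`, but the ClusterRole it references (`name: istiocoredns`, defined in the clusterrole.yaml hunk above) carries no suffix, so a second release in another namespace would try to own the same cluster-scoped ClusterRole and the two installs would collide. Either suffix the ClusterRole the same way in both files (`name: istiocoredns-{{ .Release.Namespace }}`) or add a comment on the ClusterRole stating that it is intentionally shared across releases.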
@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiocoredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: istiocoredns
+ template:
+ metadata:
+ name: istiocoredns
+ labels:
+ app: istiocoredns
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istiocoredns-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: coredns
+ image: {{ .Values.coreDNSImage }}
+ imagePullPolicy: IfNotPresent
+ args: [ "-conf", "/etc/coredns/Corefile" ]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/coredns
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ - containerPort: 9153
+ name: metrics
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ - name: istio-coredns-plugin
+ command:
+ - /usr/local/bin/plugin
+ image: {{ .Values.coreDNSPluginImage }}
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8053
+ name: dns-grpc
+ protocol: TCP
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ dnsPolicy: Default
+ volumes:
+ - name: config-volume
+ configMap:
+ name: coredns
+ items:
+ - key: 
Corefile
+ path: Corefile
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
diff --git a/istio/charts/istiocoredns/templates/service.yaml b/istio/charts/istiocoredns/templates/service.yaml
new file mode 100644
index 0000000..a631101
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiocoredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ app: istiocoredns
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
diff --git a/istio/charts/istiocoredns/templates/serviceaccount.yaml b/istio/charts/istiocoredns/templates/serviceaccount.yaml
new file mode 100644
index 0000000..e2627cf
--- /dev/null
+++ b/istio/charts/istiocoredns/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio/charts/istiocoredns/values.yaml b/istio/charts/istiocoredns/values.yaml
new file mode 100644
index 0000000..161361e
--- /dev/null
+++ b/istio/charts/istiocoredns/values.yaml
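Review bot: Neither container declares a `readinessProbe`, so the `istiocoredns` Service (service.yaml hunk below) can route DNS queries to a pod as soon as it is scheduled, before `coredns` has loaded its Corefile or `istio-coredns-plugin` is listening on 8053; the `livenessProbe` does not gate endpoints and its 60 s initial delay only governs restarts. A readiness probe on the same `/health` endpoint keeps the `coredns` container out of the endpoint list until it answers, and the plugin container, which currently has no probe of any kind, should get at least a `tcpSocket` check on 8053. The deployment's hunk starts on the previous line of the page.

```yaml
      - name: coredns
        # … unchanged: image, args, volumeMounts, ports, livenessProbe …
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
        # … unchanged: resources …
      - name: istio-coredns-plugin
        # … unchanged: command, image, ports …
        readinessProbe:
          tcpSocket:
            port: 8053
          initialDelaySeconds: 5
          periodSeconds: 10
        # … unchanged: resources, dnsPolicy, volumes, affinity …
```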
@@ -0,0 +1,32 @@
+#
+# addon istiocoredns tracing configuration
+#
+enabled: false
+replicaCount: 1
+coreDNSImage: coredns/coredns:1.1.2
+# Source code for the plugin can be found at
+# https://github.com/istio-ecosystem/istio-coredns-plugin
+# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
+coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
+nodeSelector: {}
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: {}
+podAntiAffinityTermLabelSelector: {}
diff --git a/istio/charts/kiali/templates/_helpers.tpl b/istio/charts/kiali/templates/_helpers.tpl
new file mode 100644
index 0000000..6b00957
--- /dev/null
+++ b/istio/charts/kiali/templates/_helpers.tpl
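Review bot: The header comment `# addon istiocoredns tracing configuration` looks copied from the tracing chart; this file configures the CoreDNS add-on, so `# addon istiocoredns configuration` is the accurate line. The two images are pinned by tag (`coredns/coredns:1.1.2`, `istio/coredns-plugin:0.2-istio-1.1`) rather than by digest, which is fine for a chart default but worth a one-line comment telling operators who need reproducible pulls to override these values with a digest.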
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kiali.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kiali.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kiali.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio/charts/kiali/templates/demosecret.yaml b/istio/charts/kiali/templates/demosecret.yaml
new file mode 100644
index 0000000..ad44298
--- /dev/null
+++ b/istio/charts/kiali/templates/demosecret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.createDemoSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.dashboard.secretName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+type: Opaque
+data:
+ username: YWRtaW4= # admin
+ passphrase: YWRtaW4= # admin
+{{- end }}
diff --git a/istio/charts/kiali/templates/tests/test-kiali-connection.yaml b/istio/charts/kiali/templates/tests/test-kiali-connection.yaml
new file mode 100644
index 0000000..3e458d7
--- /dev/null
+++ b/istio/charts/kiali/templates/tests/test-kiali-connection.yaml
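Review bot: The demo Secret is written under `.Values.dashboard.secretName`, the same name values.yaml tells operators to create by hand (`secretName: kiali # You must create a secret with this name`), so enabling `createDemoSecret` in a namespace that already holds that Secret fails the release with an ownership conflict, and where it succeeds the fixed `admin`/`admin` pair becomes the live dashboard login. The template carries no comment about either; a header above the guard, `{{/* Demo only: renders a fixed admin/admin login into dashboard.secretName. Keep createDemoSecret false outside demos and do not combine with a hand-created secret of the same name. */}}`, states the intent where the next reader will look. The `# admin` trailing comments already expose the decoded value, so nothing is lost by being explicit.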
@@ -0,0 +1,30 @@
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kiali.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali-test
+ chart: {{ template "kiali.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: kiali
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "kiali.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://kiali:20001']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
diff --git a/istio/charts/kiali/values.yaml b/istio/charts/kiali/values.yaml
new file mode 100644
index 0000000..793cbc2
--- /dev/null
+++ b/istio/charts/kiali/values.yaml
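Review bot: `command: ['curl']` with `args: ['http://kiali:20001']` issues one request without `-f`, so curl exits 0 on any HTTP status once the TCP connection opens and the hook reports success even when kiali answers 5xx; the same missing `-f` is in the servicegraph, prometheus and citadel tests of this patch, where the three-attempt loops therefore accept a 503 from `/-/ready` on the first try. The kiali and servicegraph tests additionally have no retry, unlike the prometheus and citadel ones, so a run while the pod is still starting fails on the first connection refusal. Aligning them with the retrying form and adding `-f`, e.g. `command: ['sh', '-c', 'for i in 1 2 3; do curl -f http://kiali:20001 && exit 0 || sleep 15; done; exit 1']`, makes the hook exercise readiness rather than only reachability; whether the root path or `.Values.contextPath` is the right URL should be checked against kiali's routing.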
@@ -0,0 +1,55 @@ +# +# addon kiali +# +enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`. +replicaCount: 1 +hub: docker.io/kiali +tag: v0.16 +contextPath: /kiali # The root context path to access the Kiali UI. +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +ingress: + enabled: false + ## Used to create an Ingress record. + hosts: + - kiali.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: kiali-tls + # hosts: + # - kiali.local + +dashboard: + secretName: kiali # You must create a secret with this name - one is not provided out-of-box. + usernameKey: username # This is the key name within the secret whose value is the actual username. + passphraseKey: passphrase # This is the key name within the secret whose value is the actual passphrase. + grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. 
Kiali will redirect users to this URL when Grafana metrics are to be shown.
+ jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
+prometheusAddr: http://prometheus:9090
+
+# When true, a secret will be created with a default username and password. Useful for demos.
+createDemoSecret: false
diff --git a/istio/charts/mixer/templates/poddisruptionbudget.yaml b/istio/charts/mixer/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000..a6bfe86
--- /dev/null
+++ b/istio/charts/mixer/templates/poddisruptionbudget.yaml
@@ -0,0 +1,32 @@
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ $key }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ version: {{ $.Chart.Version }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+spec:
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ $key }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio/charts/mixer/values.yaml b/istio/charts/mixer/values.yaml
new file mode 100644
index 0000000..0d538ce
--- /dev/null
+++ b/istio/charts/mixer/values.yaml
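Review bot: The inner `{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}` around the `podDisruptionBudget.spec` include is redundant — the whole resource is already inside the same condition on the fourth line of the template, so the inner test can never be false and only adds a nesting level. The pilot poddisruptionbudget.yaml in this patch repeats the identical doubled guard. Dropping the inner `if`/`end` in both leaves `spec:` followed directly by the include line and removes a `{{- end }}` that readers otherwise have to pair up.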
@@ -0,0 +1,84 @@ +# +# mixer configuration +# +image: mixer + +env: + GODEBUG: gctrace=1 + # max procs should be ceil(cpu limit + 1) + GOMAXPROCS: "6" + +policy: + # if policy is enabled, global.disablePolicyChecks has affect. + enabled: false + replicaCount: 1 + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + +telemetry: + enabled: true + replicaCount: 1 + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + sessionAffinityEnabled: false + + # mixer load shedding configuration. + # When mixer detects that it is overloaded, it starts rejecting grpc requests. + loadshedding: + # disabled, logonly or enforce + mode: enforce + # based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async. + latencyThreshold: 100ms + resources: + requests: + cpu: 1000m + memory: 1G + limits: + # It is best to do horizontal scaling of mixer using moderate cpu allocation. + # We have experimentally found that these values work well. + cpu: 4800m + memory: 4G + +podAnnotations: {} +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. 
+# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +adapters: + kubernetesenv: + enabled: true + + # stdio is a debug adapter in istio-telemetry, it is not recommended for production use. + stdio: + enabled: false + outputAsJson: true + prometheus: + enabled: true + metricsExpiryDuration: 10m + # Setting this to false sets the useAdapterCRDs mixer startup argument to false + useAdapterCRDs: false diff --git a/istio/charts/nodeagent/Chart.yaml b/istio/charts/nodeagent/Chart.yaml new file mode 100644 index 0000000..9ba4eeb --- /dev/null +++ b/istio/charts/nodeagent/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: nodeagent +version: 1.1.0 +appVersion: 1.1.0 +tillerVersion: ">=2.7.2" +description: Helm chart for nodeagent deployment +keywords: + - istio + - nodeagent +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio/charts/nodeagent/templates/_helpers.tpl b/istio/charts/nodeagent/templates/_helpers.tpl new file mode 100644 index 0000000..fda6043 --- /dev/null +++ b/istio/charts/nodeagent/templates/_helpers.tpl 
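Review bot: `GOMAXPROCS: "6"` is a fixed value while the comment above it, `# max procs should be ceil(cpu limit + 1)`, describes it as derived from the CPU limit; the value matches the default `telemetry.resources.limits.cpu: 4800m`, but anyone overriding that limit silently keeps 6 unless the comment says so — `# set to ceil(telemetry.resources.limits.cpu + 1); adjust when overriding the limit` makes the coupling explicit. The comment `# if policy is enabled, global.disablePolicyChecks has affect.` also has a typo; `takes effect` is intended.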
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nodeagent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nodeagent.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nodeagent.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/nodeagent/templates/clusterrole.yaml b/istio/charts/nodeagent/templates/clusterrole.yaml new file mode 100644 index 0000000..9127b05 --- /dev/null +++ b/istio/charts/nodeagent/templates/clusterrole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-nodeagent-{{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] \ No newline at end of file diff --git a/istio/charts/nodeagent/templates/clusterrolebinding.yaml b/istio/charts/nodeagent/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..963757e --- /dev/null +++ b/istio/charts/nodeagent/templates/clusterrolebinding.yaml 
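Review bot: The ClusterRole grants `get` on `configmaps` across every namespace to a ServiceAccount used by a per-node DaemonSet; ConfigMaps elsewhere in the cluster can hold sensitive configuration, so if the agent only reads a ConfigMap in the release namespace — which the `istio-nodeagent-{{ .Release.Namespace }}` naming and the namespaced subject in the binding suggest — a namespaced Role plus RoleBinding is the least-privilege equivalent. If cluster-wide read really is needed, a comment above `rules:` naming the ConfigMap(s) read and why would let the grant be checked on review. The file also ends without a newline (`\ No newline at end of file`), as do the clusterrolebinding and serviceaccount of this chart.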
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-nodeagent-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-nodeagent-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/istio/charts/nodeagent/templates/daemonset.yaml b/istio/charts/nodeagent/templates/daemonset.yaml
new file mode 100644
index 0000000..c955aa3
--- /dev/null
+++ b/istio/charts/nodeagent/templates/daemonset.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: istio-nodeagent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: nodeagent
+spec:
+ selector:
+ matchLabels:
+ istio: nodeagent
+ template:
+ metadata:
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: nodeagent
+ spec:
+ serviceAccountName: istio-nodeagent-service-account
+ containers:
+ - name: nodeagent
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - mountPath: /var/run/sds
+ name: sdsudspath
+ env:
+ {{- if .Values.env }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ - name: "Trust_Domain"
+ value: "{{ .Values.global.trustDomain }}"
+ volumes:
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
diff --git a/istio/charts/nodeagent/templates/serviceaccount.yaml b/istio/charts/nodeagent/templates/serviceaccount.yaml
new file mode 100644
index 0000000..b52f852
--- /dev/null
+++ b/istio/charts/nodeagent/templates/serviceaccount.yaml
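Review bot: The `sdsudspath` hostPath volume at `/var/run/sds` declares no `type:`, so the kubelet performs no pre-mount check and a missing directory is created implicitly with default ownership; adding `type: DirectoryOrCreate` under `path: /var/run/sds` states the intent and fails fast if a non-directory sits at that path. The container also has no `resources:` requests/limits and no `securityContext`, and `value: "{{ $val }}"` in the env loop breaks the YAML if a value contains a double quote — `value: {{ $val | quote }}` is the safe form. For a DaemonSet that serves workload identities over a node-wide Unix socket, the resource and security-context choices are worth stating in values.yaml even if the decision is to leave them unset.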
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-nodeagent-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} \ No newline at end of file diff --git a/istio/charts/nodeagent/values.yaml b/istio/charts/nodeagent/values.yaml new file mode 100644 index 0000000..66f1f38 --- /dev/null +++ b/istio/charts/nodeagent/values.yaml @@ -0,0 +1,34 @@ +# +# nodeagent configuration +# +enabled: false +image: node-agent-k8s +env: + # name of authentication provider. + CA_PROVIDER: "" + # CA endpoint. + CA_ADDR: "" + # names of authentication provider's plugins. + Plugins: "" +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} 
diff --git a/istio/charts/pilot/templates/_helpers.tpl b/istio/charts/pilot/templates/_helpers.tpl new file mode 100644 index 0000000..c812c37 --- /dev/null +++ b/istio/charts/pilot/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "pilot.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "pilot.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "pilot.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio/charts/pilot/templates/poddisruptionbudget.yaml b/istio/charts/pilot/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..fd9e06a --- /dev/null +++ b/istio/charts/pilot/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,22 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "pilot.name" . }}
+ release: {{ .Release.Name }}
+ istio: pilot
+{{- end }}
diff --git a/istio/charts/pilot/values.yaml b/istio/charts/pilot/values.yaml
new file mode 100644
index 0000000..0a7da57
--- /dev/null
+++ b/istio/charts/pilot/values.yaml
@@ -0,0 +1,49 @@ +# +# pilot configuration +# +enabled: true +autoscaleEnabled: true +autoscaleMin: 1 +autoscaleMax: 5 +# specify replicaCount when autoscaleEnabled: false +# replicaCount: 1 +image: pilot +sidecar: true +traceSampling: 1.0 +# Resources for a small pilot install +resources: + requests: + cpu: 500m + memory: 2048Mi +env: + PILOT_PUSH_THROTTLE: 100 + GODEBUG: gctrace=1 +cpu: + targetAverageUtilization: 80 +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +# The following is used to limit how long a sidecar can be connected +# to a pilot. It balances out load across pilot instances at the cost of +# increasing system churn. +keepaliveMaxServerConnectionAge: 30m diff --git a/istio/charts/prometheus/templates/ingress.yaml b/istio/charts/prometheus/templates/ingress.yaml new file mode 100644 index 0000000..43be655 --- /dev/null +++ b/istio/charts/prometheus/templates/ingress.yaml 
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: prometheus
+ servicePort: 9090
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: prometheus
+ servicePort: 9090
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml b/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
new file mode 100644
index 0000000..ba2c7d8
--- /dev/null
+++ b/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
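Review bot: Enabling `ingress.enabled` publishes the Prometheus UI and HTTP API on the listed hosts with no authentication in this template, and TLS only when `ingress.tls` is filled in (it is commented out in the chart's values.yaml); neither the template nor the values file says so. A header `{{/* Exposes the unauthenticated Prometheus UI/API; place it behind an authenticating ingress controller and set ingress.tls before enabling. */}}` above the guard makes the consequence visible where the switch is flipped. Separately, `- path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}` renders the path with stray surrounding spaces in both branches; `- path: {{ $.Values.contextPath | default "/" }}` (and `.Values` in the host-less branch) renders exactly one value.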
@@ -0,0 +1,29 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "prometheus.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: prometheus-test + chart: {{ template "prometheus.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: prometheus + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "prometheus.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/prometheus/values.yaml b/istio/charts/prometheus/values.yaml new file mode 100644 index 0000000..f40b3cd --- /dev/null +++ b/istio/charts/prometheus/values.yaml 
@@ -0,0 +1,58 @@ +# +# addon prometheus configuration +# +enabled: true +replicaCount: 1 +hub: docker.io/prom +tag: v2.8.0 +retention: 6h +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +# Controls the frequency of prometheus scraping +scrapeInterval: 15s + +contextPath: /prometheus + +ingress: + enabled: false + ## Used to create an Ingress record. + hosts: + - prometheus.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: prometheus-tls + # hosts: + # - prometheus.local + +service: + annotations: {} + nodePort: + enabled: false + port: 32090 + +security: + enabled: true diff --git a/istio/charts/security/templates/enable-mesh-permissive.yaml b/istio/charts/security/templates/enable-mesh-permissive.yaml new file mode 100644 index 0000000..a6931b3 --- /dev/null +++ b/istio/charts/security/templates/enable-mesh-permissive.yaml 
@@ -0,0 +1,16 @@ +{{- define "security-permissive.yaml.tpl" }} +# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. +apiVersion: "authentication.istio.io/v1alpha1" +kind: "MeshPolicy" +metadata: + name: "default" + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + peers: + - mtls: + mode: PERMISSIVE +{{- end }} diff --git a/istio/charts/security/templates/tests/test-citadel-connection.yaml b/istio/charts/security/templates/tests/test-citadel-connection.yaml new file mode 100644 index 0000000..2e3da06 --- /dev/null +++ b/istio/charts/security/templates/tests/test-citadel-connection.yaml @@ -0,0 +1,29 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "security.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: istio-citadel-test + chart: {{ template "security.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "security.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/security/values.yaml b/istio/charts/security/values.yaml new file mode 100644 index 0000000..01501e1 --- /dev/null +++ b/istio/charts/security/values.yaml 
@@ -0,0 +1,30 @@ +# +# security configuration +# +enabled: true +replicaCount: 1 +image: citadel +selfSigned: true # indicate if self-signed CA is used. +createMeshPolicy: true +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} diff --git a/istio/charts/servicegraph/.helmignore b/istio/charts/servicegraph/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/istio/charts/servicegraph/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/istio/charts/servicegraph/templates/NOTES.txt b/istio/charts/servicegraph/templates/NOTES.txt new file mode 100644 index 0000000..87d1755 --- /dev/null +++ b/istio/charts/servicegraph/templates/NOTES.txt 
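Review bot: `createMeshPolicy: true` does not say what policy gets created; the `security-permissive.yaml.tpl` define added in this patch renders a mesh-wide `MeshPolicy` named `default` with `mode: PERMISSIVE`, which keeps accepting plaintext alongside mTLS, and which variant is selected is not visible in this chunk. A trailing comment, `createMeshPolicy: true # creates the mesh-wide "default" MeshPolicy; PERMISSIVE mode accepts plaintext as well as mTLS`, tells operators what the default does and what to change when plaintext should be rejected. `selfSigned: true # indicate if self-signed CA is used.` is the only other security knob documented here, so the two comments would sit naturally together.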
@@ -0,0 +1,19 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "servicegraph.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "servicegraph.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "servicegraph.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "servicegraph.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:8088 +{{- end }} diff --git a/istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml b/istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml new file mode 100644 index 0000000..1244259 --- /dev/null +++ b/istio/charts/servicegraph/templates/tests/test-servicegraph-connection.yaml 
@@ -0,0 +1,30 @@
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "servicegraph.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: servicegraph-test
+ chart: {{ template "servicegraph.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: servicegraph
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "servicegraph.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://servicegraph:{{ .Values.servicegraph.service.externalPort }}']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+{{- end }}
diff --git a/istio/charts/servicegraph/values.yaml b/istio/charts/servicegraph/values.yaml
new file mode 100644
index 0000000..037c03d
--- /dev/null
+++ b/istio/charts/servicegraph/values.yaml
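Review bot: `args: ['http://servicegraph:{{ .Values.servicegraph.service.externalPort }}']` references `.Values.servicegraph`, but inside the servicegraph subchart `.Values` is already the chart's own values (the port is defined as top-level `service.externalPort: 8088` in the values.yaml added right after this hunk), so with `global.enableHelmTest` on the template errors on a nil `servicegraph` key unless the parent happens to set one. The line should read `args: ['http://servicegraph:{{ .Values.service.externalPort }}']`. The same single-shot `curl` without `-f` or retries as in the kiali test applies here too.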
@@ -0,0 +1,51 @@ +# +# addon servicegraph configuration +# +enabled: false +replicaCount: 1 +image: servicegraph +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +service: + annotations: {} + name: http + type: ClusterIP + externalPort: 8088 + loadBalancerIP: + loadBalancerSourceRanges: +ingress: + enabled: false + # Used to create an Ingress record. + hosts: + - servicegraph.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: servicegraph-tls + # hosts: + # - servicegraph.local +# prometheus address +prometheusAddr: http://prometheus:9090 diff --git a/istio/charts/sidecarInjectorWebhook/OWNERS b/istio/charts/sidecarInjectorWebhook/OWNERS new file mode 100644 index 0000000..9e2c32b --- /dev/null +++ b/istio/charts/sidecarInjectorWebhook/OWNERS @@ -0,0 +1,2 @@ +approvers: + - ostromart diff --git a/istio/charts/sidecarInjectorWebhook/values.yaml b/istio/charts/sidecarInjectorWebhook/values.yaml new file mode 100644 index 0000000..4f326ea 
--- /dev/null +++ b/istio/charts/sidecarInjectorWebhook/values.yaml @@ -0,0 +1,34 @@ +# +# sidecar-injector webhook configuration +# +enabled: true +replicaCount: 1 +image: sidecar_injector +enableNamespacesByDefault: false +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +# If true, webhook or istioctl injector will rewrite PodSpec for liveness +# health check to redirect request to sidecar. This makes liveness check work +# even when mTLS is enabled. +rewriteAppHTTPProbe: false diff --git a/istio/charts/tracing/.helmignore b/istio/charts/tracing/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/istio/charts/tracing/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj 
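Review bot: The `rewriteAppHTTPProbe: false` default interacts with `global.mtls.enabled: true`, which several example and test values files in this same patch turn on, and the comment above it does not say what the failure mode is. When the sidecar enforces strict mTLS, kubelet's plaintext HTTP liveness/readiness probes against an injected pod are rejected by the sidecar and the pod is restarted unless the probe is rewritten or the port is excluded. I would extend the comment with `# With strict mTLS this must be true (or probe ports excluded), otherwise kubelet's plaintext probes are rejected by the sidecar.` so operators enabling mTLS from the examples know which knob to turn.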
diff --git a/istio/charts/tracing/templates/deployment-jaeger.yaml b/istio/charts/tracing/templates/deployment-jaeger.yaml new file mode 100644 index 0000000..d3cba6e --- /dev/null +++ b/istio/charts/tracing/templates/deployment-jaeger.yaml 
@@ -0,0 +1,85 @@ +{{ if eq .Values.provider "jaeger" }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + namespace: {{ .Release.Namespace }} + labels: + app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: jaeger + template: + metadata: + labels: + app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "16686" +{{- if .Values.contextPath }} + prometheus.io/path: "{{ .Values.contextPath }}/metrics" +{{- else }} + prometheus.io/path: "/{{ .Values.provider }}/metrics" +{{- end }} + spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} +{{- end }} +{{- end }} + containers: + - name: jaeger + image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} +{{ end }} diff --git a/istio/charts/tracing/templates/deployment-zipkin.yaml b/istio/charts/tracing/templates/deployment-zipkin.yaml new file mode 100644 index 0000000..511033e --- /dev/null +++ b/istio/charts/tracing/templates/deployment-zipkin.yaml 
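Review bot: The Jaeger all-in-one pod runs with no `securityContext` while exposing both the unauthenticated query UI (16686) and the Zipkin-compatible collector (9411) to anything on the cluster network, and with `sidecar.istio.io/inject: "false"` no mesh authorization policy can be applied in front of it. Traces routinely carry request paths and headers, so I would at least add `securityContext: {runAsNonRoot: true, readOnlyRootFilesystem: true}` under the container (assuming the all-in-one image tolerates a read-only root; the memory store writes nothing to disk) and note in the values file that the UI should only be reached through an authenticating gateway. Separately, both the `prometheus.io/path` annotation and `QUERY_BASE_PATH` derive from `.Values.contextPath`, which the tracing values.yaml in this patch does not define, so the `/{{ .Values.provider }}` fallback is the only path ever rendered unless an operator sets the key at the parent level; documenting `contextPath` in values.yaml would make that discoverable.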
@@ -0,0 +1,74 @@ +{{ if eq .Values.provider "zipkin" }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + namespace: {{ .Release.Namespace }} + labels: + app: zipkin + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: zipkin + template: + metadata: + labels: + app: zipkin + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} + containers: + - name: zipkin + image: "{{ .Values.zipkin.hub }}/zipkin:{{ .Values.zipkin.tag }}" + ports: + - containerPort: {{ .Values.zipkin.queryPort }} + livenessProbe: + initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} + tcpSocket: + port: {{ .Values.zipkin.queryPort }} + readinessProbe: + initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} + httpGet: + path: /health + port: {{ .Values.zipkin.queryPort }} + resources: +{{- if .Values.zipkin.resources }} +{{ toYaml .Values.zipkin.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: QUERY_PORT + value: "{{ .Values.zipkin.queryPort }}" + - name: JAVA_OPTS + value: "-XX:ConcGCThreads={{ .Values.zipkin.node.cpus }} -XX:ParallelGCThreads={{ .Values.zipkin.node.cpus }} -Djava.util.concurrent.ForkJoinPool.common.parallelism={{ .Values.zipkin.node.cpus }} -Xms{{ .Values.zipkin.javaOptsHeap }}M -Xmx{{ .Values.zipkin.javaOptsHeap }}M -XX:+UseG1GC -server" + - name: 
STORAGE_METHOD + value: "mem" + - name: ZIPKIN_STORAGE_MEM_MAXSPANS + value: "{{ .Values.zipkin.maxSpans }}" + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} +{{ end }} diff --git a/istio/charts/tracing/templates/tests/test-tracing-connection.yaml b/istio/charts/tracing/templates/tests/test-tracing-connection.yaml new file mode 100644 index 0000000..9090cee --- /dev/null +++ b/istio/charts/tracing/templates/tests/test-tracing-connection.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ .Release.Name }}-{{ .Values.provider }}-test + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }}-test + chart: {{ template "tracing.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ .Values.provider }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['curl'] + {{- if eq .Values.provider "jaeger" }} + args: ['http://tracing:80{{ .Values.jaeger.contextPath}}'] + {{- else }} + args: ['http://tracing:80'] + {{- end }} + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} +{{- end }} diff --git a/istio/charts/tracing/values.yaml b/istio/charts/tracing/values.yaml new file mode 100644 index 0000000..a97053d --- /dev/null +++ b/istio/charts/tracing/values.yaml 
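Review bot: The zipkin container omits `imagePullPolicy`, unlike the jaeger container in the sibling template, so `global.imagePullPolicy` is not honoured for this provider and the floating `zipkin:2` tag is pulled according to kubelet defaults; add `imagePullPolicy: {{ .Values.global.imagePullPolicy }}` after the `image:` line. The pod also carries the deprecated `scheduler.alpha.kubernetes.io/critical-pod: ""` annotation, which the jaeger deployment does not, and which is redundant with the `priorityClassName` already set a few lines below; dropping it keeps the two providers consistent. As with jaeger, there is no `securityContext`, and the in-memory store (`STORAGE_METHOD=mem`) serves trace data on `queryPort` without authentication to any in-cluster client.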
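Review bot: The jaeger branch of the test reads `.Values.jaeger.contextPath` while `deployment-jaeger.yaml` derives `QUERY_BASE_PATH` from `.Values.contextPath`, and neither key exists in the tracing values.yaml, so the test presumably always requests `http://tracing:80` while the UI is served under `/jaeger`; the two templates should use the same key, e.g. `args: ['http://tracing:80{{ if .Values.contextPath }}{{ .Values.contextPath }}{{ else }}/{{ .Values.provider }}{{ end }}']`. Whether jaeger-query redirects `/` to its base path and so makes the current test pass by accident is not visible here. As with the other helm tests in this patch, curl runs without `-f`, so an HTTP error status still reports success; `command: ['curl', '-sSf']` fixes that for both branches.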
@@ -0,0 +1,76 @@ +# +# addon jaeger tracing configuration +# +enabled: false + +provider: jaeger +nodeSelector: {} + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: {} +podAntiAffinityTermLabelSelector: {} + +jaeger: + hub: docker.io/jaegertracing + tag: 1.9 + memory: + max_traces: 50000 + +zipkin: + hub: docker.io/openzipkin + tag: 2 + probeStartupDelay: 200 + queryPort: 9411 + resources: + limits: + cpu: 300m + memory: 900Mi + requests: + cpu: 150m + memory: 900Mi + javaOptsHeap: 700 + # 
From: https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/resources/zipkin-server-shared.yml#L51 + # Maximum number of spans to keep in memory. When exceeded, oldest traces (and their spans) will be purged. + # A safe estimate is 1K of memory per span (each span with 2 annotations + 1 binary annotation), plus + # 100 MB for a safety buffer. You'll need to verify in your own environment. + maxSpans: 500000 + node: + cpus: 2 + +service: + annotations: {} + name: http + type: ClusterIP + externalPort: 9411 + +ingress: + enabled: false + # Used to create an Ingress record. + hosts: + # - tracing.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: tracing-tls + # hosts: + # - tracing.local + diff --git a/istio/example-values/README.md b/istio/example-values/README.md new file mode 100644 index 0000000..74fedcb --- /dev/null +++ b/istio/example-values/README.md @@ -0,0 +1,5 @@ +# Example Values + +These files provide various example values for different Istio setups. + +To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`. diff --git a/istio/example-values/values-istio-example-sds-vault.yaml b/istio/example-values/values-istio-example-sds-vault.yaml new file mode 100644 index 0000000..ed06c4a --- /dev/null +++ b/istio/example-values/values-istio-example-sds-vault.yaml 
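Review bot: Both tracing images are referenced by floating tags — `jaeger.tag: 1.9` and `zipkin.tag: 2` — so the same chart revision can pull different binaries over time, and with `imagePullPolicy` unset for zipkin the image that ends up running is not even reproducible across nodes. For a component that receives data from every sidecar in the mesh I would pin to the exact release that was validated (a full patch version, or an `@sha256:` digest if the image reference in the templates is adjusted to accept one). The `maxSpans` comment links to `master` with a line anchor (`#L51`), which will drift; link a tagged revision instead.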
@@ -0,0 +1,29 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useNormalJwt: true + +nodeagent: + enabled: true + image: node-agent-k8s + env: + # https://35.233.249.249:8200 is the IP address and the port number + # of a testing Vault server. + CA_ADDR: "https://35.233.249.249:8200" + CA_PROVIDER: "VaultCA" + VALID_TOKEN: true + # https://35.233.249.249:8200 is the IP address and the port number + # of a testing Vault server. + VAULT_ADDR: "https://35.233.249.249:8200" + VAULT_AUTH_PATH: "auth/kubernetes/login" + VAULT_ROLE: "istio-cert" + VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role" + VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAIcSFH1jneS0XPz5r2QDbigwDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTgxMjI2MDkwMDU3WhgPMjExODEyMDIwOTAw\nNTdaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA2q5lfJCLAOTEjX3xV8qMLEX8zUQpd0AjD6zzOMzx51GVM7Plf7CJmaDq\nyloRz3zcrTEltHUrln5fvouvp4TetOlqEU979vvccnFLgXrSpn+Zt/EyjE0rUYY3\n5e2qxy9bP2E7zJSKONIT6zRDd2zUQGH3zUem1ZG0GFY1ZL5qFSOIy+PvuQ4u8HCa\n1CcnHmI613fVDbFbaxuF2G2MIwCZ/Fg6KBd9kgU7uCOvkbR4AtRe0ntwweIjOIas\nFiohPQzVY4obrYZiTV43HT4lGti7ySn2c96UnRSnmHLWyBb7cafd4WZN/t+OmYSd\nooxCVQ2Zqub6NlZ5OySYOz/0BJq6DQIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQj6fn5MA0GCSqGSIb3DQEBCwUAA4IB\nAQBORvUcW0wgg/Wo1aKFaZQuPPFVLjOZat0QpCJYNDhsSIO4Y0JS+Y1cEIkvXB3S\nQ3D7IfNP0gh1fhtP/d45LQSPqpyJF5vKWAvwa/LSPKpw2+Zys4oDahcH+SEKiQco\nIhkkHNEgC4LEKEaGvY4A8Cw7uWWquUJB16AapSSnkeD2vTcxErfCO59yR7yEWDa6\n8j6QNzmGNj2YXtT86+Mmedhfh65Rrh94mhAPQHBAdCNGCUwZ6zHPQ6Z1rj+x3Wm9\ngqpveVq2olloNbnLNmM3V6F9mqSZACgADmRqf42bixeHczkTfRDKThJcpY5U44vy\nw4Nm32yDWhD6AC68rDkXX68m\n-----END CERTIFICATE-----' \ No newline at end of file 
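Review bot: This example points the node agent at a third-party Vault instance by hard-coded public IP (`CA_ADDR`/`VAULT_ADDR: https://35.233.249.249:8200`) and pins its root certificate inline, so anyone who applies the file as-is has every workload identity in their mesh issued by a CA they do not control, with `VALID_TOKEN: true` handing their service-account JWTs to it. The comment calls it a testing server but nothing prevents copy-paste use; I would replace the address with a placeholder such as `VAULT_ADDR: "https://vault.example.com:8200"  # your own Vault; never delegate workload identity to a CA you do not operate`, drop the embedded certificate, or move the file under test-values. `VAULT_TLS_ROOT_CERT` is a single-quoted YAML scalar containing literal `\n` sequences, so the consumer has to unescape them itself; confirm the node agent does, or use a block scalar (`|`). `controlPlaneSecurityEnabled: false` alongside `mtls.enabled: true` also leaves the proxy-to-control-plane channel in plaintext, which deserves a comment in an example meant to show a hardened CA setup.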
diff --git a/istio/example-values/values-istio-gateways.yaml b/istio/example-values/values-istio-gateways.yaml new file mode 100644 index 0000000..1ffcd19 --- /dev/null +++ b/istio/example-values/values-istio-gateways.yaml 
@@ -0,0 +1,138 @@ +# Common settings. +global: + # Omit the istio-sidecar-injector configmap when generate a + # standalone gateway. Gateways may be created in namespaces other + # than `istio-system` and we don't want to re-create the injector + # configmap in those. + omitSidecarInjectorConfigMap: true + + # Istio control plane namespace: This specifies where the Istio control + # plane was installed earlier. Modify this if you installed the control + # plane in a different namespace than istio-system. + istioNamespace: istio-system + + proxy: + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + +# +# Gateways Configuration +# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. +# You can add more gateways in addition to the defaults but make sure those are uniquely named +# and that NodePorts are not conflicting. +# Disable specific gateway by setting the `enabled` to false. 
+# +gateways: + enabled: true + + custom-gateway: + enabled: true + labels: + app: custom-gateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + #requests: + # cpu: 1800m + # memory: 256Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + loadBalancerSourceRanges: {} + externalIPs: [] + serviceAnnotations: {} + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out + ports: + ## You can add custom gateway ports + - port: 80 + targetPort: 80 + name: http2 + # nodePort: 31380 + - port: 443 + name: https + # nodePort: 31390 + - port: 31400 + name: tcp + # nodePort: 31400 + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + # Addon ports for kiali are enabled in gateway - but will only redirect if + # the gateway configuration for the various components are enabled. + - port: 15029 + targetPort: 15029 + name: http2-kiali + # Telemetry-related ports are enabled in gateway - but will only redirect if + # the gateway configuration for the various components are enabled. 
+ - port: 15030 + targetPort: 15030 + name: http2-prometheus + - port: 15031 + targetPort: 15031 + name: http2-grafana + - port: 15032 + targetPort: 15032 + name: http2-tracing + secretVolumes: + - name: customgateway-certs + secretName: istio-customgateway-certs + mountPath: /etc/istio/customgateway-certs + - name: customgateway-ca-certs + secretName: istio-customgateway-ca-certs + mountPath: /etc/istio/customgateway-ca-certs + +# all other components are disabled except the gateways +security: + enabled: false + +sidecarInjectorWebhook: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +pilot: + enabled: false + +grafana: + enabled: false + +prometheus: + enabled: false + +servicegraph: + enabled: false + +tracing: + enabled: false + +kiali: + enabled: false + +certmanager: + enabled: false diff --git a/istio/example-values/values-istio-googleca.yaml b/istio/example-values/values-istio-googleca.yaml new file mode 100644 index 0000000..e0c633e --- /dev/null +++ b/istio/example-values/values-istio-googleca.yaml @@ -0,0 +1,22 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useTrustworthyJwt: true + + trustDomain: "" + +nodeagent: + enabled: true + image: node-agent-k8s + env: + CA_PROVIDER: "GoogleCA" + CA_ADDR: "istioca.googleapis.com:443" + Plugins: "GoogleTokenExchange" diff --git a/istio/example-values/values-istio-multicluster-gateways.yaml b/istio/example-values/values-istio-multicluster-gateways.yaml new file mode 100644 index 0000000..bdc1863 --- /dev/null +++ b/istio/example-values/values-istio-multicluster-gateways.yaml 
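Review bot: The `custom-gateway` example is `type: LoadBalancer` with `loadBalancerSourceRanges: {}`, yet its port list includes the control-plane ports 15011 (pilot xDS) and 8060 (citadel) and the addon UI ports 15029–15032 (kiali, prometheus, grafana, tracing), so a copy of this file puts all of them on a public load balancer; the comments note they only route when the matching Gateway resources exist, but the listeners are still internet-reachable and the addons behind them have no authentication of their own. For a custom gateway I would trim the list to the ports it actually serves, or at minimum show `loadBalancerSourceRanges` populated with the operator's CIDRs. Note also that `loadBalancerSourceRanges` is a list field on the Kubernetes Service while the example initialises it as a map (`{}`); this may be what the gateway template expects, but it is worth confirming against `gateways/templates/service.yaml`, which is not in this chunk.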
@@ -0,0 +1,27 @@ +global: + # Provides dns resolution for global services + podDNSSearchNamespaces: + - global + - "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" + + multiCluster: + enabled: true + + controlPlaneSecurityEnabled: true + +# Multicluster with gateways requires a root CA +# Cluster local CAs are bootstrapped with the root CA. +security: + selfSigned: false + +# Provides dns resolution for service entries of form +# name.namespace.global +istiocoredns: + enabled: true + +gateways: + istio-egressgateway: + enabled: true + env: + # Needed to route traffic via egress gateway if desired. + ISTIO_META_REQUESTED_NETWORK_VIEW: "external" diff --git a/istio/templates/NOTES.txt b/istio/templates/NOTES.txt new file mode 100644 index 0000000..d17982c --- /dev/null +++ b/istio/templates/NOTES.txt @@ -0,0 +1,29 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + +To get started running application with Istio, execute the following steps: + +{{- if index .Values "sidecarInjectorWebhook" "enabled" }} +1. Label namespace that application object will be deployed to by the following command (take default namespace as an example) + +$ kubectl label namespace default istio-injection=enabled +$ kubectl get namespace -L istio-injection + +2. Deploy your applications + +$ kubectl apply -f .yaml +{{- else }} +1. Download the latest release package to get sidecar injection tool + +$ curl -L https://git.io/getLatestIstio | sh - +$ mv istio-* istio-latest +$ export PATH="$PATH:$PWD/istio-latest/bin" + +2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject` + +$ kubectl apply -f <(istioctl kube-inject -f .yaml) +{{- end }} + +For more information on running Istio, visit: +https://istio.io/ \ No newline at end of file diff --git a/istio/templates/_podDisruptionBudget.tpl b/istio/templates/_podDisruptionBudget.tpl new file mode 100644 index 0000000..ebb8606 --- /dev/null 
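Review bot: The fallback path in NOTES.txt instructs users to run `curl -L https://git.io/getLatestIstio | sh -`, which fetches an unpinned script through a URL shortener and executes it with no checksum or signature check — the pattern a hardened install guide should avoid, especially for a tool that is then used to inject sidecars into every workload. I would replace that step with downloading the versioned release archive matching this chart's application version and verifying its published SHA-256 before extracting, or at least point to the istio.io release page rather than the shortener. The `mv istio-* istio-latest` glob also silently misbehaves when more than one extracted `istio-*` directory exists.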
+++ b/istio/templates/_podDisruptionBudget.tpl @@ -0,0 +1,3 @@ +{{- define "podDisruptionBudget.spec" }} + minAvailable: 1 +{{- end }} diff --git a/istio/templates/clusterrole.yaml b/istio/templates/clusterrole.yaml new file mode 100644 index 0000000..b92c9ef --- /dev/null +++ b/istio/templates/clusterrole.yaml @@ -0,0 +1,11 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-reader +rules: + - apiGroups: [''] + resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] + verbs: ['get', 'watch', 'list'] + - apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] diff --git a/istio/templates/clusterrolebinding.yaml b/istio/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..827601b --- /dev/null +++ b/istio/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-multi + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader +subjects: +- kind: ServiceAccount + name: istio-multi + namespace: {{ .Release.Namespace }} diff --git a/istio/templates/endpoints.yaml b/istio/templates/endpoints.yaml new file mode 100644 index 0000000..81b8218 --- /dev/null +++ b/istio/templates/endpoints.yaml 
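Review bot: `istio-reader`, its `istio-multi` binding and (further down in this patch) the `istio-multi` ServiceAccount are rendered unconditionally, so every install — not just a remote-cluster one — creates a cluster-wide identity that can list and watch nodes, pods, services, endpoints and replicasets in all namespaces. That token is what a multicluster setup exports to the primary cluster, so it is worth guarding all three templates with the same condition, e.g. `{{- if .Values.global.multiCluster.enabled }}`, if `global.multiCluster` is the switch the rest of the chart uses (the `values-istio-multicluster-gateways.yaml` example in this patch sets it). The ClusterRole also lacks the `chart` label the binding carries, which makes it harder to attribute in RBAC audits.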
@@ -0,0 +1,63 @@ +{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15003 + name: http-old-discovery # mTLS or non-mTLS depending on auth setting + - port: 15005 + name: https-discovery # always mTLS + - port: 15007 + name: http-discovery # always plain-text + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS or non-mTLS depending on auth setting + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring +{{- end }} +{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePolicyAddress }} + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 +{{- end }} +{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remoteTelemetryAddress }} + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 +{{- end }} diff --git a/istio/templates/service.yaml b/istio/templates/service.yaml new file mode 100644 index 0000000..732cdef --- /dev/null +++ b/istio/templates/service.yaml 
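Review bot: The `istio-pilot` Endpoints block is gated on `or remotePilotCreateSvcEndpoint createRemoteSvcEndpoints` but never checks that `global.remotePilotAddress` is set, unlike the policy and telemetry blocks below which `and` their flag with the address; setting `createRemoteSvcEndpoints: true` without a pilot address renders `- ip:` with an empty value and the apply fails. Mirror the other two: `{{- if and .Values.global.remotePilotAddress (or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints) }}`. The inline comments also document that 15003, 15007 and 8080 are plaintext discovery ports; a remote cluster pointed at a foreign pilot should rely on 15011 with `controlPlaneSecurityEnabled: true`, and a comment saying so here would help operators avoid the plaintext ones.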
@@ -0,0 +1,60 @@ +{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15003 + name: http-old-discovery # mTLS or non-mTLS depending on auth setting + - port: 15005 + name: https-discovery # always mTLS + - port: 15007 + name: http-discovery # always plain-text + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS or non-mTLS depending on auth setting + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + clusterIP: None +{{- end }} +{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + clusterIP: None +{{- end }} +{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + clusterIP: None +{{- end }} diff --git a/istio/templates/serviceaccount.yaml b/istio/templates/serviceaccount.yaml new file mode 100644 index 0000000..e52d9eb --- /dev/null +++ b/istio/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + namespace: {{ .Release.Namespace }} diff --git a/istio/test-values/README.md b/istio/test-values/README.md new file mode 100644 index 0000000..8e5ff27 --- /dev/null +++ b/istio/test-values/README.md 
@@ -0,0 +1,7 @@ +# Test Values + +These files are intended to be used to install Istio for E2E tests. + +The rendered files can be generated with `make generate_e2e_yaml`. + +These files will all have `values-e2e.yaml` applied to them *first*, so if there are settings there that should not be included in the test the must be overridden. diff --git a/istio/test-values/values-e2e.yaml b/istio/test-values/values-e2e.yaml new file mode 100644 index 0000000..a6e4360 --- /dev/null +++ b/istio/test-values/values-e2e.yaml @@ -0,0 +1,70 @@ +# This file overrides values for e2e testing. + +global: + proxy: + concurrency: 0 + resources: + requests: + cpu: 10m + memory: 40Mi + + accessLogFile: "/dev/stdout" + enableCoreDump: true + + disablePolicyChecks: false + outboundTrafficPolicy: + mode: REGISTRY_ONLY + +prometheus: + scrapeInterval: 5s + +gateways: + istio-ingressgateway: + autoscaleMax: 1 + resources: + requests: + cpu: 10m + memory: 40Mi + limits: + cpu: 100m + memory: 128Mi + + istio-egressgateway: + enabled: true + autoscaleMax: 1 + resources: + requests: + cpu: 10m + memory: 40Mi + limits: + cpu: 100m + memory: 128Mi + +mixer: + policy: + enabled: true + replicaCount: 2 + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + telemetry: + enabled: true + loadshedding: + mode: disabled + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + adapters: + stdio: + enabled: true + kiali: + enabled: true diff --git a/istio/test-values/values-istio-auth-mcp.yaml b/istio/test-values/values-istio-auth-mcp.yaml new file mode 100644 index 0000000..fb284d9 --- /dev/null +++ b/istio/test-values/values-istio-auth-mcp.yaml 
@@ -0,0 +1,17 @@ +# This is used to generate istio-auth.yaml with MCP enabled +global: + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + useMCP: true + diff --git a/istio/test-values/values-istio-auth-multicluster.yaml b/istio/test-values/values-istio-auth-multicluster.yaml new file mode 100644 index 0000000..af14798 --- /dev/null +++ b/istio/test-values/values-istio-auth-multicluster.yaml @@ -0,0 +1,21 @@ +# This is used to generate istio-auth-multicluster.yaml, used for CI/CD. +global: + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + proxy: + accessLogFile: "/dev/stdout" + + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + +# In a multiple cluster environment, citadel uses the same root certificate in all the clusters +security: + selfSigned: false diff --git a/istio/test-values/values-istio-auth-non-mcp.yaml b/istio/test-values/values-istio-auth-non-mcp.yaml new file mode 100644 index 0000000..4401aa5 --- /dev/null +++ b/istio/test-values/values-istio-auth-non-mcp.yaml @@ -0,0 +1,7 @@ +global: + mtls: + enabled: true + + controlPlaneSecurityEnabled: true + + useMCP: false \ No newline at end of file 
diff --git a/istio/test-values/values-istio-auth-sds.yaml b/istio/test-values/values-istio-auth-sds.yaml new file mode 100644 index 0000000..a011726 --- /dev/null +++ b/istio/test-values/values-istio-auth-sds.yaml @@ -0,0 +1,23 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useNormalJwt: true + + proxy: + enableCoreDump: true + +nodeagent: + enabled: true + image: node-agent-k8s + env: + CA_PROVIDER: "Citadel" + CA_ADDR: "istio-citadel:8060" + VALID_TOKEN: true \ No newline at end of file diff --git a/istio/test-values/values-istio-auth.yaml b/istio/test-values/values-istio-auth.yaml new file mode 100644 index 0000000..4ec1d35 --- /dev/null +++ b/istio/test-values/values-istio-auth.yaml @@ -0,0 +1,14 @@ +# This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1 +# or v2/alpha3 with 'gradual migration' (using env variable at inject time). +global: + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry. + # imagePullSecrets: + # - name: "private-registry-key" diff --git a/istio/test-values/values-istio-mcp.yaml b/istio/test-values/values-istio-mcp.yaml new file mode 100644 index 0000000..a6638ee --- /dev/null +++ b/istio/test-values/values-istio-mcp.yaml 
@@ -0,0 +1,18 @@
+# This is used to generate istio.yaml with MCP enabled
+global:
+ # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
+ # propagated, not recommended for tests.
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: false
+
+ ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
+ # imagePullSecrets:
+ # - name: "private-registry-key"
+
+ useMCP: true
+
+
diff --git a/istio/test-values/values-istio-multicluster.yaml b/istio/test-values/values-istio-multicluster.yaml
new file mode 100644
index 0000000..59b924a
--- /dev/null
+++ b/istio/test-values/values-istio-multicluster.yaml
@@ -0,0 +1,21 @@
+# This is used to generate istio-multicluster.yaml, used for CI/CD.
+global:
+ # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
+ # propagated, not recommended for tests.
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: false
+
+ proxy:
+ accessLogFile: "/dev/stdout"
+
+ ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
+ # imagePullSecrets:
+ # - name: "private-registry-key"
+
+# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
+security:
+ selfSigned: false
diff --git a/istio/test-values/values-istio-non-mcp.yaml b/istio/test-values/values-istio-non-mcp.yaml
new file mode 100644
index 0000000..66b236b
--- /dev/null
+++ b/istio/test-values/values-istio-non-mcp.yaml
@@ -0,0 +1,2 @@
+global:
+ useMCP: false
\ No newline at end of file
diff --git a/istio/test-values/values-istio-one-namespace-auth.yaml b/istio/test-values/values-istio-one-namespace-auth.yaml
new file mode 100644
index 0000000..c49f402
--- /dev/null
+++ b/istio/test-values/values-istio-one-namespace-auth.yaml
@@ -0,0 +1,17 @@
+# This is used to generate istio.yaml used for deprecated CI/CD testing.
+global:
+ # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
+ # propagated, not recommended for tests.
+ controlPlaneSecurityEnabled: true
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
+ # imagePullSecrets:
+ # - name: "private-registry-key"
+
+ # Restrict the applications in one namespace the controller manages
+ oneNamespace: true
diff --git a/istio/test-values/values-istio-one-namespace-trust-domain.yaml b/istio/test-values/values-istio-one-namespace-trust-domain.yaml
new file mode 100644
index 0000000..1840ab3
--- /dev/null
+++ b/istio/test-values/values-istio-one-namespace-trust-domain.yaml
@@ -0,0 +1,19 @@
+# This is used to generate istio.yaml used for deprecated CI/CD testing.
+global:
+ # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
+ # propagated, not recommended for tests.
+ controlPlaneSecurityEnabled: true
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ # Default is 10s second
+ refreshInterval: 1s
+
+ # The trust domain corresponds to the trust root of a system
+ trustDomain: test.local
+
+ # Restrict the applications in one namespace the controller manages
+ oneNamespace: true
diff --git a/istio/test-values/values-istio-one-namespace.yaml b/istio/test-values/values-istio-one-namespace.yaml
new file mode 100644
index 0000000..14aa450
--- /dev/null
+++ b/istio/test-values/values-istio-one-namespace.yaml
@@ -0,0 +1,17 @@
+# This is used to generate istio.yaml used for deprecated CI/CD testing.
+global:
+ # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
+ # propagated, not recommended for tests.
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: false
+
+ ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with private docker registry.
+ # imagePullSecrets:
+ # - name: "private-registry-key"
+
+ # Restrict the applications in one namespace the controller manages
+ oneNamespace: true
diff --git a/istio/test-values/values-istio.yaml b/istio/test-values/values-istio.yaml
new file mode 100644
index 0000000..c115103
--- /dev/null
+++ b/istio/test-values/values-istio.yaml
@@ -0,0 +1,7 @@
+
+# This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1
+# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
+# global:
+ ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with private docker registry.
+ # imagePullSecrets:
+ # - name: "private-registry-key"
diff --git a/istio/values-istio-demo-common.yaml b/istio/values-istio-demo-common.yaml
new file mode 100644
index 0000000..601555f
--- /dev/null
+++ b/istio/values-istio-demo-common.yaml
@@ -0,0 +1,85 @@
+# This is used to generate minimal demo mode. It is included from demo and demo-auth values.
+# It is shipped with the release, used for bookinfo or quick installation of istio.
+# Includes components used in the demo, defaults to alpha3 rules.
+# Note: please only put common configuration for the demo profiles here.
+global:
+ proxy:
+ accessLogFile: "/dev/stdout"
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ disablePolicyChecks: false
+
+ sidecarInjectorWebhook:
+ enabled: true
+ # If true, webhook or istioctl injector will rewrite PodSpec for liveness
+ # health check to redirect request to sidecar. This makes liveness check work
+ # even when mTLS is enabled.
+ rewriteAppHTTPProbe: false
+
+pilot:
+ traceSampling: 100.0
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 200Mi
+
+mixer:
+ policy:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+
+ telemetry:
+ enabled: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+
+ adapters:
+ stdio:
+ enabled: true
+
+grafana:
+ enabled: true
+
+tracing:
+ enabled: true
+
+kiali:
+ enabled: true
+ createDemoSecret: true
+
+gateways:
+ istio-ingressgateway:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+
+ istio-egressgateway:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
diff --git a/istio/values-istio-minimal.yaml b/istio/values-istio-minimal.yaml
new file mode 100644
index 0000000..eb92536
--- /dev/null
+++ b/istio/values-istio-minimal.yaml
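Review bot: `kiali.createDemoSecret: true` in values-istio-demo-common.yaml makes the Kiali sub-chart provision the Kiali login secret with fixed, publicly documented demo credentials, and the file header says this profile ships with the release for "quick installation of istio", so the flag deserves a warning next to it rather than silence. I would add `# createDemoSecret provisions the Kiali login with fixed demo credentials; set it to false and create the kiali secret yourself for anything beyond a throwaway demo.` above `createDemoSecret: true`. Since the header also notes that the file is included from both the demo and demo-auth profiles, the comment covers both install paths at once.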
@@ -0,0 +1,46 @@ +# +# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/minimal-install/ +# +pilot: + enabled: true + sidecar: false + +gateways: + enabled: false + +security: + enabled: false + +sidecarInjectorWebhook: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +prometheus: + enabled: false + + +# Common settings. +global: + + proxy: + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + useMCP: false + + diff --git a/istio/values-istio-remote.yaml b/istio/values-istio-remote.yaml new file mode 100644 index 0000000..20fe2ac --- /dev/null +++ b/istio/values-istio-remote.yaml @@ -0,0 +1,34 @@ +gateways: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +pilot: + enabled: false + +security: + enabled: true + createMeshPolicy: false + +prometheus: + enabled: false + +global: + istioRemote: true + + enableTracing: false + + # Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent + # to the Pilot when connected by the sidecar and will affect the results returned in EDS requests. + # Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to + # other networks. + # + # Must match the names in the meshNetworks section in the Istio local. + network: "" diff --git a/istio/values-istio-sds-auth.yaml b/istio/values-istio-sds-auth.yaml new file mode 100644 index 0000000..a741bfd --- /dev/null +++ b/istio/values-istio-sds-auth.yaml 
@@ -0,0 +1,20 @@
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ sds:
+ enabled: true
+ udsPath: "unix:/var/run/sds/uds_path"
+ useNormalJwt: true
+
+nodeagent:
+ enabled: true
+ image: node-agent-k8s
+ env:
+ CA_PROVIDER: "Citadel"
+ CA_ADDR: "istio-citadel:8060"
+ VALID_TOKEN: true
\ No newline at end of file
-- 
GitLab
From fa448934fa6db21253b59a55a1714858a29e573f Mon Sep 17 00:00:00 2001
From: Bogdan Alov
Date: Thu, 18 Apr 2019 14:41:25 +0300
Subject: [PATCH 3/4] we don't need istio license
---
 istio-init/LICENSE | 202 ---------------------------------------------
 1 file changed, 202 deletions(-)
 delete mode 100644 istio-init/LICENSE
diff --git a/istio-init/LICENSE b/istio-init/LICENSE
deleted file mode 100644
index 56df9b2..0000000
--- a/istio-init/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2018 Istio Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -- GitLab From 4442faf85edfb3c937adbe7e9cbb9cd9ef8817aa Mon Sep 17 00:00:00 2001 From: Bogdan Alov Date: Thu, 18 Apr 2019 14:41:40 +0300 Subject: [PATCH 4/4] we don't need istio license --- istio/LICENSE | 202 -------------------------------------------------- 1 file changed, 202 deletions(-) delete mode 100644 istio/LICENSE diff --git a/istio/LICENSE b/istio/LICENSE deleted file mode 100644 index 56df9b2..0000000 --- a/istio/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2018 Istio Authors - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -- GitLab