gitea_admin/application
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add helm charts

Browse Source
This commit is contained in:
Ybehrooz
2025-11-09 13:22:40 +03:30
parent 282c3e52d0
commit 38e4d749ad
1352 changed files with 190457 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
backing-services/istiod/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,82 @@
"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
Next steps:
{{- $profile := default "" .Values.profile }}
{{- if (eq $profile "ambient") }}
* Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
* Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
{{- else }}
* Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
* Try out our tasks to get started on common configurations:
* https://istio.io/latest/docs/tasks/traffic-management
* https://istio.io/latest/docs/tasks/security/
* https://istio.io/latest/docs/tasks/policy-enforcement/
{{- end }}
* Review the list of actively supported releases, CVE publications and our hardening guide:
* https://istio.io/latest/docs/releases/supported-releases/
* https://istio.io/latest/news/security/
* https://istio.io/latest/docs/ops/best-practices/security/
For further documentation see https://istio.io website
{{-
$deps := dict
"global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
"global.certificates" "meshConfig.certificates"
"global.localityLbSetting" "meshConfig.localityLbSetting"
"global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
"global.enableTracing" "meshConfig.enableTracing"
"global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
"global.proxy.accessLogFile" "meshConfig.accessLogFile"
"global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
"global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
"global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
"global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
"global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
"global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
"pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
"global.mtls.enabled" "the PeerAuthentication resource"
"global.mtls.auto" "meshConfig.enableAutoMtls"
"global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
"global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
"global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
"global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
"global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
"istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
}}
{{- range $dep, $replace := $deps }}
{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
{{- if not (eq $res "")}}
WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
{{- end }}
{{- end }}
{{-
$failDeps := dict
"telemetry.v2.prometheus.configOverride"
"telemetry.v2.stackdriver.configOverride"
"telemetry.v2.stackdriver.disableOutbound"
"telemetry.v2.stackdriver.outboundAccessLogging"
"global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
"global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
"global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
"global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
"meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
"meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
"meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
"meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
}}
{{- range $dep, $replace := $failDeps }}
{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
{{- if not (eq $res "")}}
{{fail (print $dep " is removed")}}
{{- end }}
{{- end }}
{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
{{- fail "pilotCertProvider=kubernetes is not supported" }}
{{- end }}

23
backing-services/istiod/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,23 @@
{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
{{ define "default-prometheus" }}
{{- and
(not .Values.meshConfig.defaultProviders)
.Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
}}
{{- end }}
{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
{{ define "default-sd-metrics" }}
{{- and
(not .Values.meshConfig.defaultProviders)
.Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
}}
{{- end }}
{{/* SD has metrics and logging split. */}}
{{ define "default-sd-logs" }}
{{- and
(not .Values.meshConfig.defaultProviders)
.Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
}}
{{- end }}

44
backing-services/istiod/templates/autoscale.yaml Normal file
View File

@@ -0,0 +1,44 @@
# Not created if istiod is running remotely
{{- if not .Values.istiodRemote.enabled }}
{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
{{- if .Values.memory.targetAverageUtilization }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.memory.targetAverageUtilization }}
{{- end }}
{{- if .Values.autoscaleBehavior }}
behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
{{- end }}
---
{{- end }}
{{- end }}

206
backing-services/istiod/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,206 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["update", "patch"]
resources:
- authorizationpolicies/status
- destinationrules/status
- envoyfilters/status
- gateways/status
- peerauthentications/status
- proxyconfigs/status
- requestauthentications/status
- serviceentries/status
- sidecars/status
- telemetries/status
- virtualservices/status
- wasmplugins/status
- workloadentries/status
- workloadgroups/status
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status", "serviceentries/status" ]
- apiGroups: ["security.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "authorizationpolicies/status" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "services/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
{{- if .Values.taint.enabled }}
- apiGroups: [""]
resources: ["nodes"]
verbs: ["patch"]
{{- end }}
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
{{- range .Values.global.certSigners }}
- {{ . | quote }}
{{- end }}
verbs: ["approve"]
{{- end}}
{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
- apiGroups: ["certificates.k8s.io"]
resources: ["clustertrustbundles"]
verbs: ["update", "create", "delete"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["istio.io/istiod-ca"]
verbs: ["attest"]
{{- end }}
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["gateway.networking.x-k8s.io"]
resources:
- xbackendtrafficpolicies/status
verbs: ["update", "patch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources:
- backendtlspolicies/status
- gatewayclasses/status
- gateways/status
- grpcroutes/status
- httproutes/status
- referencegrants/status
- tcproutes/status
- tlsroutes/status
- udproutes/status
verbs: ["update", "patch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gatewayclasses"]
verbs: ["create", "update", "patch", "delete"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceexports"]
verbs: [ "get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
rules:
- apiGroups: ["apps"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "deployments" ]
- apiGroups: ["autoscaling"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "horizontalpodautoscalers" ]
- apiGroups: ["policy"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "poddisruptionbudgets" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "services" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "serviceaccounts"]
{{- end }}
{{- end }}

40
backing-services/istiod/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,40 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
---
{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
{{- end }}
{{- end }}

19
backing-services/istiod/templates/configmap-jwks.yaml Normal file
View File

@@ -0,0 +1,19 @@
# Not created if istiod is running remotely
{{- if not .Values.istiodRemote.enabled }}
{{- if .Values.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
data:
extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
{{- end }}
{{- end }}

20
backing-services/istiod/templates/configmap-values.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
annotations:
kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
data:
original-values: |-
{{ .Values._original | toPrettyJson | indent 4 }}
{{- $_ := unset $.Values "_original" }}
merged-values: |-
{{ .Values | toPrettyJson | indent 4 }}

107
backing-services/istiod/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,107 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
{{ $prom := include "default-prometheus" . | eq "true" }}
{{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
{{ $sdLogs := include "default-sd-logs" . | eq "true" }}
{{- if or $prom $sdMetrics $sdLogs }}
defaultProviders:
{{- if or $prom $sdMetrics }}
metrics:
{{ if $prom }}- prometheus{{ end }}
{{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
{{- end }}
{{- if and $sdMetrics $sdLogs }}
accessLogging:
- stackdriver
{{- end }}
{{- end }}
defaultConfig:
{{- if .Values.global.meshID }}
meshId: "{{ .Values.global.meshID }}"
{{- end }}
{{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
image:
imageType: {{. | quote}}
{{- end }}
{{- if not (eq .Values.global.proxy.tracer "none") }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
{{- end }}
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
{{- if .Values.configMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---
{{- end }}

306
backing-services/istiod/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,306 @@
# Not created if istiod is running remotely
{{- if not .Values.istiodRemote.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
istio: pilot
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
{{- range $key, $val := .Values.deploymentLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
spec:
{{- if not .Values.autoscaleEnabled }}
{{- if .Values.replicaCount }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.rollingMaxSurge }}
maxUnavailable: {{ .Values.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision "" }}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
{{- else }}
istio: pilot
{{- end }}
template:
metadata:
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
{{- if ne .Values.revision "" }}
istio: istiod
{{- else }}
istio: pilot
{{- end }}
{{- range $key, $val := .Values.podLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
istio.io/dataplane-mode: none
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 8 }}
annotations:
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
sidecar.istio.io/inject: "false"
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
- key: cni.istio.io/not-ready
operator: "Exists"
{{- with .Values.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- with .Values.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: discovery
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.taint.namespace }}
- --cniNamespace={{ .Values.taint.namespace }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.keepaliveMaxServerConnectionAge }}"
{{- if .Values.extraContainerArgs }}
{{- with .Values.extraContainerArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
ports:
- containerPort: 8080
protocol: TCP
name: http-debug
- containerPort: 15010
protocol: TCP
name: grpc-xds
- containerPort: 15012
protocol: TCP
name: tls-xds
- containerPort: 15017
protocol: TCP
name: https-webhooks
- containerPort: 15014
protocol: TCP
name: http-monitoring
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
# If you explicitly told us where ztunnel lives, use that.
# Otherwise, assume it lives in our namespace
# Also, check for an explicit ENV override (legacy approach) and prefer that
# if present
{{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
{{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
{{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
- name: CA_TRUSTED_NODE_ACCOUNTS
value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
{{- end }}
{{- if .Values.env }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- with .Values.envVarFrom }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.traceSampling }}"
{{- end }}
# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
# don't set it here to avoid duplication.
# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
- name: EXTERNAL_ISTIOD
value: "{{ .Values.global.externalIstiod }}"
{{- end }}
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: "1"
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
divisor: "1"
- name: PLATFORM
value: "{{ coalesce .Values.global.platform .Values.platform }}"
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
{{- if .Values.seccompProfile }}
seccompProfile:
{{ toYaml .Values.seccompProfile | trim | indent 14 }}
{{- end }}
volumeMounts:
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
{{- if .Values.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
- name: istio-csr-dns-cert
mountPath: /var/run/secrets/istiod/tls
readOnly: true
- name: istio-csr-ca-configmap
mountPath: /var/run/secrets/istiod/ca
readOnly: true
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
# Optional: istio-csr dns pilot certs
- name: istio-csr-dns-cert
secret:
secretName: istiod-tls
optional: true
- name: istio-csr-ca-configmap
{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
projected:
sources:
- clusterTrustBundle:
name: istio.io:istiod-ca:root-cert
path: root-cert.pem
optional: true
{{- else }}
configMap:
name: istio-ca-root-cert
defaultMode: 420
optional: true
{{- end }}
{{- if .Values.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 6}}
{{- end }}
---
{{- end }}

21
backing-services/istiod/templates/gateway-class-configmap.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{ range $key, $value := .Values.gatewayClasses }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}}
namespace: {{ $.Release.Namespace }}
labels:
istio.io/rev: {{ $.Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ $.Release.Name }}
app.kubernetes.io/name: "istiod"
gateway.istio.io/defaults-for-class: {{$key|quote}}
{{- include "istio.labels" $ | nindent 4 }}
data:
{{ range $kind, $overlay := $value }}
{{$kind}}: |
{{$overlay|toYaml|trim|indent 4}}
{{ end }}
---
{{ end }}

82
backing-services/istiod/templates/istiod-injector-configmap.yaml Normal file
View File

@@ -0,0 +1,82 @@
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
data:
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
values: |-
{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
{{ $pilotVals := pick .Values "cni" "env" -}}
{{ $vals = set $vals "pilot" $pilotVals -}}
{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
{{ $vals = set $vals "gateways" $gatewayVals -}}
{{ $vals | toPrettyJson | indent 4 }}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
defaultTemplates:
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- {{ . }}
{{- end }}
{{- else }}
defaultTemplates: [sidecar]
{{- end }}
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": {{ $val | quote }}
{{- end }}
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
This should make it obvious that their installation is broken.
*/}}
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
templates:
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
grpc-simple: |
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
waypoint: |
{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
kube-gateway: |
{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}
{{- end }}

165
backing-services/istiod/templates/mutatingwebhook.yaml Normal file
View File

@@ -0,0 +1,165 @@
# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
{{- /* Core defines the common configuration used by all webhook segments */}}
{{/* Copy just what we need to avoid expensive deepCopy */}}
{{- $whv := dict
"revision" .Values.revision
"injectionPath" .Values.istiodRemote.injectionPath
"injectionURL" .Values.istiodRemote.injectionURL
"reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
"caBundle" .Values.istiodRemote.injectionCABundle
"namespace" .Release.Namespace }}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .injectionURL }}
url: "{{ .injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
namespace: {{ .namespace }}
path: "{{ .injectionPath }}"
port: 443
{{- end }}
{{- if .caBundle }}
caBundle: "{{ .caBundle }}"
{{- end }}
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
reinvocationPolicy: "{{ .reinvocationPolicy }}"
admissionReviewVersions: ["v1"]
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- else }}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
{{- if $.Values.sidecarInjectorWebhookAnnotations }}
annotations:
{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
{{- end }}
webhooks:
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
- key: "kubernetes.io/metadata.name"
operator: "NotIn"
values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

30
backing-services/istiod/templates/poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,30 @@
# Not created if istiod is running remotely
{{- if not .Values.istiodRemote.enabled }}
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
istio: pilot
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision | quote }}
{{- else }}
istio: pilot
{{- end }}
---
{{- end }}
{{- end }}

64
backing-services/istiod/templates/reader-clusterrole.yaml Normal file
View File

@@ -0,0 +1,64 @@
{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
app.kubernetes.io/name: "istio-reader"
{{- include "istio.labels" . | nindent 4 }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
- "telemetry.istio.io"
- "extensions.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
# TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod
# is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs).
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["gateways"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceexports"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["{{ $mcsAPIGroup }}"]
resources: ["serviceimports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if .Values.istiodRemote.enabled }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}

17
backing-services/istiod/templates/reader-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
app.kubernetes.io/name: "istio-reader"
{{- include "istio.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}

25
backing-services/istiod/templates/remote-istiod-endpoints.yaml Normal file
View File

@@ -0,0 +1,25 @@
# This file is only used for remote `istiod` installs.
{{- if .Values.istiodRemote.enabled }}
# if the remotePilotAddress is an IP addr
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
- port: 15017
name: tcp-webhook
protocol: TCP
---
{{- end }}
{{- end }}

35
backing-services/istiod/templates/remote-istiod-service.yaml Normal file
View File

@@ -0,0 +1,35 @@
# This file is only used for remote `istiod` installs.
{{- if .Values.global.remotePilotAddress }}
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "istiod"
{{ include "istio.labels" . | nindent 4 }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
- port: 443
targetPort: 15017
name: tcp-webhook
protocol: TCP
{{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
# if the remotePilotAddress is not an IP addr, we use ExternalName
type: ExternalName
externalName: {{ .Values.global.remotePilotAddress }}
{{- end }}
{{- if .Values.global.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
{{- end }}
{{- if .Values.global.ipFamilies }}
ipFamilies:
{{- range .Values.global.ipFamilies }}
- {{ . }}
{{- end }}
{{- end }}
---
{{- end }}

149
backing-services/istiod/templates/revision-tags.yaml Normal file
View File

@@ -0,0 +1,149 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
{{- $whv := dict
"revision" .Values.revision
"injectionPath" .Values.istiodRemote.injectionPath
"injectionURL" .Values.istiodRemote.injectionURL
"reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
"namespace" .Release.Namespace }}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .injectionURL }}
url: "{{ .injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
namespace: {{ .namespace }}
path: "{{ .injectionPath }}"
port: 443
{{- end }}
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
reinvocationPolicy: "{{ .reinvocationPolicy }}"
admissionReviewVersions: ["v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" $ | nindent 4 }}
{{- if $.Values.sidecarInjectorWebhookAnnotations }}
annotations:
{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
{{- end }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
- key: "kubernetes.io/metadata.name"
operator: "NotIn"
values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
---
{{- end }}

35
backing-services/istiod/templates/role.yaml Normal file
View File

@@ -0,0 +1,35 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]
# For status controller, so it can delete the distribution report configmap
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["delete"]
# For gateway deployment controller
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "update", "patch", "create"]
{{- end }}

21
backing-services/istiod/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,21 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
{{- end }}

55
backing-services/istiod/templates/service.yaml Normal file
View File

@@ -0,0 +1,55 @@
# Not created if istiod is running remotely
{{- if not .Values.istiodRemote.enabled }}
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceAnnotations }}
annotations:
{{ toYaml .Values.serviceAnnotations | indent 4 }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" | quote }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision | quote }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
{{- end }}
{{- if .Values.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
{{- end }}
{{- if .Values.ipFamilies }}
ipFamilies:
{{- range .Values.ipFamilies }}
- {{ . }}
{{- end }}
{{- end }}
---
{{- end }}

24
backing-services/istiod/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,24 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
{{- if .Values.serviceAccountAnnotations }}
annotations:
{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
{{- end }}
{{- end }}
---

63
backing-services/istiod/templates/validatingadmissionpolicy.yaml Normal file
View File

@@ -0,0 +1,63 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
{{- if .Values.experimental.stableValidationPolicy }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
labels:
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions: ["*"]
operations: ["CREATE", "UPDATE"]
resources: ["*"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
variables:
- name: isEnvoyFilter
expression: "object.kind == 'EnvoyFilter'"
- name: isWasmPlugin
expression: "object.kind == 'WasmPlugin'"
- name: isProxyConfig
expression: "object.kind == 'ProxyConfig'"
- name: isTelemetry
expression: "object.kind == 'Telemetry'"
validations:
- expression: "!variables.isEnvoyFilter"
- expression: "!variables.isWasmPlugin"
- expression: "!variables.isProxyConfig"
- expression: |
!(
variables.isTelemetry && (
(has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
(has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
(has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
)
)
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
spec:
policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
validationActions: [Deny]
{{- end }}
{{- end }}

68
backing-services/istiod/templates/validatingwebhookconfiguration.yaml Normal file
View File

@@ -0,0 +1,68 @@
# Created if this is not a remote istiod, OR if it is and is also a config cluster
{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" | quote }}
app.kubernetes.io/name: "istiod"
{{- include "istio.labels" . | nindent 4 }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
{{- if .Values.base.validationCABundle }}
caBundle: "{{ .Values.base.validationCABundle }}"
{{- end }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions:
- "*"
resources:
- "*"
{{- if .Values.base.validationCABundle }}
# Disable webhook controller in Pilot to stop patching it
failurePolicy: Fail
{{- else }}
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
{{- end }}
sideEffects: None
admissionReviewVersions: ["v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
---
{{- end }}
{{- end }}

3
backing-services/istiod/templates/zzy_descope_legacy.yaml Normal file
View File

@@ -0,0 +1,3 @@
{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
Due to the file naming, this always happens after zzz_profile.yaml */}}
{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}

75
backing-services/istiod/templates/zzz_profile.yaml Normal file
View File

@@ -0,0 +1,75 @@
{{/*
WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
The original version of this file is located at /manifests directory.
If you want to make a change in this file, edit the original one and run "make gen".
Complex logic ahead...
We have three sets of values, in order of precedence (last wins):
1. The builtin values.yaml defaults
2. The profile the user selects
3. Users input (-f or --set)
Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
We can then merge the profile onto the defaults, then the user settings onto that.
Finally, we can set all of that under .Values so the chart behaves without awareness.
*/}}
{{- if $.Values.defaults}}
{{ fail (cat
"Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
($.Values.defaults | toYaml |nindent 4)
) }}
{{- end }}
{{- $defaults := $.Values._internal_defaults_do_not_set }}
{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
{{- $profile := dict }}
{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
{{- $profile = (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown profile" .) }}
{{- end }}
{{- end }}
{{- with .Values.compatibilityVersion }}
{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
{{- end }}
{{- end }}
{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
{{- else }}
{{ fail (cat "unknown platform" .) }}
{{- end }}
{{- end }}
{{- if $profile }}
{{- $a := mustMergeOverwrite $defaults $profile }}
{{- end }}
# Flatten globals, if defined on a per-chart basis
{{- if false }}
{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
{{- end }}
{{- $x := set $.Values "_original" (deepCopy $.Values) }}
{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
{{/*
Labels that should be applied to ALL resources.
*/}}
{{- define "istio.labels" -}}
{{- if .Release.Service -}}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- end }}
{{- if .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- end }}
app.kubernetes.io/part-of: "istio"
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- if and .Chart.Name .Chart.Version }}
helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end -}}