From bb06d7569be0fede2f151c1992fb2bd3260f383a Mon Sep 17 00:00:00 2001
From: Martin Taillefer
Date: Tue, 10 Sep 2019 21:04:56 -0700
Subject: [PATCH] Doc updates. (#278)
---
 .../v1alpha2/istiocontrolplane_types.pb.go | 18 +-
 .../v1alpha2/istiocontrolplane_types.proto | 196 +-
 pkg/apis/istio/v1alpha2/v1alpha2.pb.html | 6 +-
 pkg/apis/istio/v1alpha2/values/values.pb.html | 35 +-
 .../istio/v1alpha2/values/values_types.pb.go | 14 +-
 .../istio/v1alpha2/values/values_types.proto | 14 +-
 pkg/vfs/assets.gen.go | 1587 +++++------------
 7 files changed, 623 insertions(+), 1247 deletions(-)
diff --git a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go
index b6151d06e..7253e372f 100644
--- a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go
+++ b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.pb.go
@@ -42,14 +42,14 @@ //spec: //``` // -//2. Default minimal profile install +//1. Default minimal profile install // //```yaml //spec: //profile: minimal //``` // -//3. Default install with telemetry disabled +//1. Default install with telemetry disabled // //```yaml //spec:
@@ -57,7 +57,7 @@ //enabled: false //``` // -//4. Default install with each feature installed to different namespace and security components in separate namespaces +//1. Default install with each feature installed to different namespace and security components in separate namespaces // //```yaml //spec:
@@ -83,7 +83,7 @@ //namespace: istio-node-agent //``` // -//5. Default install with specialized k8s settings for pilot +//1. Default install with specialized k8s settings for pilot // //```yaml //spec:
@@ -105,7 +105,7 @@ //successThreshold: 33 //``` // -//6. Default install with values.yaml customizations for proxy +//1. Default install with values.yaml customizations for proxy // //```yaml //spec:
@@ -117,7 +117,7 @@ //- global.proxy.dnsRefreshRate: 10s //``` // -//7. Default install with modification to container flag in galley +//1. Default install with modification to container flag in galley // //```yaml //spec:
@@ -260,12 +260,12 @@ type IstioControlPlaneSpec struct { // Unvalidated overrides for default global values.yaml. UnvalidatedValues map[string]interface{} `protobuf:"bytes,51,opt,name=unvalidatedValues,proto3" json:"unvalidatedValues,omitempty"` // Path or name for the profile e.g. - // minimal (looks in profiles dir for a file called minimal.yaml) - // /tmp/istio/install/values/custom/custom-install.yaml (local file path) + // - minimal (looks in profiles dir for a file called minimal.yaml) + // - /tmp/istio/install/values/custom/custom-install.yaml (local file path) // default profile is used if this field is unset. Profile string `protobuf:"bytes,100,opt,name=profile,proto3" json:"profile,omitempty"` // Path for the install package. e.g. - // /tmp/istio-installer/nightly (local file path) + // - /tmp/istio-installer/nightly (local file path) InstallPackagePath string `protobuf:"bytes,102,opt,name=install_package_path,json=installPackagePath,proto3" json:"install_package_path,omitempty"` // Root for docker image paths e.g. docker.io/istio-release. // Releases are published to docker hub under 'istio' project.
diff --git a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto
index e5443ffb7..6fe83fdc7 100644
--- a/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto
+++ b/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto
@@ -66,101 +66,101 @@ EXAMPLES 1. Default Istio install -```yaml -spec: -``` - -2. Default minimal profile install - -```yaml -spec: - profile: minimal -``` - -3. Default install with telemetry disabled - -```yaml -spec: - telemetry: - enabled: false -``` - -4. Default install with each feature installed to different namespace and security components in separate namespaces - -```yaml -spec: - traffic_management: - components: - namespace: istio-traffic-management - policy: - components: - namespace: istio-policy - telemetry: - components: - namespace: istio-telemetry - config_management: - components: - namespace: istio-config-management - security: - components: - citadel: - namespace: istio-citadel - cert_manager: - namespace: istio-cert-manager - node_agent: - namespace: istio-node-agent -``` - -5. Default install with specialized k8s settings for pilot - -```yaml -spec: - traffic_management: - components: - pilot: - k8s: - resources: - limits: - cpu: 444m - memory: 333Mi - requests: - cpu: 222m - memory: 111Mi - readinessProbe: - failureThreshold: 44 - initialDelaySeconds: 11 - periodSeconds: 22 - successThreshold: 33 -``` - -6. Default install with values.yaml customizations for proxy - -```yaml -spec: - traffic_management: - components: - proxy: - values: - - global.proxy.enableCoreDump: true - - global.proxy.dnsRefreshRate: 10s -``` - -7. Default install with modification to container flag in galley - -```yaml -spec: - configuration_management: - components: - galley: - k8s: - overlays: - - apiVersion: extensions/v1beta1 - kind: Deployment - name: istio-galley - patches: - - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval] - value: --livenessProbeInterval=123s -``` + ```yaml + spec: + ``` + +1. Default minimal profile install + + ```yaml + spec: + profile: minimal + ``` + +1. Default install with telemetry disabled + + ```yaml + spec: + telemetry: + enabled: false + ``` + +1. 
Default install with each feature installed to different namespace and security components in separate namespaces + + ```yaml + spec: + traffic_management: + components: + namespace: istio-traffic-management + policy: + components: + namespace: istio-policy + telemetry: + components: + namespace: istio-telemetry + config_management: + components: + namespace: istio-config-management + security: + components: + citadel: + namespace: istio-citadel + cert_manager: + namespace: istio-cert-manager + node_agent: + namespace: istio-node-agent + ``` + +1. Default install with specialized k8s settings for pilot + + ```yaml + spec: + traffic_management: + components: + pilot: + k8s: + resources: + limits: + cpu: 444m + memory: 333Mi + requests: + cpu: 222m + memory: 111Mi + readinessProbe: + failureThreshold: 44 + initialDelaySeconds: 11 + periodSeconds: 22 + successThreshold: 33 + ``` + +1. Default install with values.yaml customizations for proxy + + ```yaml + spec: + traffic_management: + components: + proxy: + values: + - global.proxy.enableCoreDump: true + - global.proxy.dnsRefreshRate: 10s + ``` + +1. Default install with modification to container flag in galley + + ```yaml + spec: + configuration_management: + components: + galley: + k8s: + overlays: + - apiVersion: extensions/v1beta1 + kind: Deployment + name: istio-galley + patches: + - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval] + value: --livenessProbeInterval=123s + ``` */ package v1alpha2; 
@@ -194,12 +194,12 @@ message IstioControlPlaneSpec {
 // Unvalidated overrides for default global values.yaml.
 TypeMapStringInterface unvalidatedValues = 51;
 // Path or name for the profile e.g.
- // minimal (looks in profiles dir for a file called minimal.yaml)
- // /tmp/istio/install/values/custom/custom-install.yaml (local file path)
+ // - minimal (looks in profiles dir for a file called minimal.yaml)
+ // - /tmp/istio/install/values/custom/custom-install.yaml (local file path)
 // default profile is used if this field is unset.
 string profile = 100;
 // Path for the install package. e.g.
- // /tmp/istio-installer/nightly (local file path)
+ // - /tmp/istio-installer/nightly (local file path)
 string install_package_path = 102;
 // Root for docker image paths e.g. docker.io/istio-release.
 // Releases are published to docker hub under 'istio' project.
diff --git a/pkg/apis/istio/v1alpha2/v1alpha2.pb.html b/pkg/apis/istio/v1alpha2/v1alpha2.pb.html
index 7524a8bbb..98908ab40 100644
--- a/pkg/apis/istio/v1alpha2/v1alpha2.pb.html
+++ b/pkg/apis/istio/v1alpha2/v1alpha2.pb.html
@@ -860,8 +860,8 @@
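Review bot: The examples kept for `profile` and `install_package_path` both sit under `/tmp`, a directory other local accounts can normally write to, and the reworded comment still says nothing about who should own the file or directory. Because this text is published as the API reference, I would add a line after each list such as `// The path should be writable only by the user running the install.`, or swap the examples for an operator-owned location. Whether the operator checks ownership or permissions before loading these paths is not visible here, so treat this as a documentation gap rather than a confirmed flaw. The message body starts and ends outside the hunk, and the same comment is mirrored in the generated .pb.go and .pb.html sections of this patch.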

IstioControlPlaneSpec

string

Path or name for the profile e.g. - minimal (looks in profiles dir for a file called minimal.yaml) - /tmp/istio/install/values/custom/custom-install.yaml (local file path) + - minimal (looks in profiles dir for a file called minimal.yaml) + - /tmp/istio/install/values/custom/custom-install.yaml (local file path) default profile is used if this field is unset.

@@ -871,7 +871,7 @@

IstioControlPlaneSpec

string

Path for the install package. e.g. - /tmp/istio-installer/nightly (local file path)

+ - /tmp/istio-installer/nightly (local file path)

diff --git a/pkg/apis/istio/v1alpha2/values/values.pb.html b/pkg/apis/istio/v1alpha2/values/values.pb.html index e85324ace..ce2e13904 100644 --- a/pkg/apis/istio/v1alpha2/values/values.pb.html +++ b/pkg/apis/istio/v1alpha2/values/values.pb.html @@ -398,15 +398,18 @@

EgressGatewayConfig

correspondingly. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

-

Examples: -podAntiAffinityLabelSelector: +

Examples:

+ +
podAntiAffinityLabelSelector:
  - key: security
    operator: In
    values: S1,S2
-   topologyKey: “kubernetes.io/hostname”
- This pod anti-affinity rule says that the pod requires not to be scheduled
- onto a node if that node is already running a pod with label having key
- “security” and value “S1”.

+ topologyKey: "kubernetes.io/hostname" +
+ +

This pod anti-affinity rule says that the pod requires not to be scheduled +onto a node if that node is already running a pod with label having key +“security” and value “S1”.

@@ -798,19 +801,20 @@

GlobalConfig

endpoints based on the localities of where the traffic originates and where it will terminate. Please set either failover or distribute configuration but not both.

-

localityLbSetting: +

localityLbSetting:
   distribute:
-  - from: “us-central1/”
+  - from: "us-central1/*"
     to:
-      “us-central1/”: 80
-      “us-central2/*”: 20

+ "us-central1/*": 80 + "us-central2/*": 20 -

localityLbSetting: +localityLbSetting: failover: - from: us-east to: eu-west - from: us-west - to: us-east

+ to: us-east +
@@ -855,10 +859,10 @@

GlobalConfig

LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, it still need to be configured manually).

-

meshNetworks: +

meshNetworks:
   network1:
     endpoints:
-    - fromCidr: “192.168.0.124”
+    - fromCidr: "192.168.0.1/24"
     gateways:
     - address: 1.1.1.1
       port: 80
@@ -867,7 +871,8 @@ 

GlobalConfig

- fromRegistry: reg1 gateways: - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - port: 443

+ port: 443 +
diff --git a/pkg/apis/istio/v1alpha2/values/values_types.pb.go b/pkg/apis/istio/v1alpha2/values/values_types.pb.go index 51448f318..b5aadcc41 100644 --- a/pkg/apis/istio/v1alpha2/values/values_types.pb.go +++ b/pkg/apis/istio/v1alpha2/values/values_types.pb.go @@ -671,14 +671,17 @@ type EgressGatewayConfig struct { // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity // // Examples: + // + // ```yaml // podAntiAffinityLabelSelector: // - key: security // operator: In // values: S1,S2 // topologyKey: "kubernetes.io/hostname" - // This pod anti-affinity rule says that the pod requires not to be scheduled - // onto a node if that node is already running a pod with label having key - // “security” and value “S1”. + // ``` + // This pod anti-affinity rule says that the pod requires not to be scheduled + // onto a node if that node is already running a pod with label having key + // “security” and value “S1”. PodAntiAffinityLabelSelector *TypeSliceOfMapStringInterface `protobuf:"bytes,12,opt,name=podAntiAffinityLabelSelector,proto3" json:"podAntiAffinityLabelSelector,omitempty"` // See PodAntiAffinityLabelSelector. PodAntiAffinityTermLabelSelector *TypeSliceOfMapStringInterface `protobuf:"bytes,13,opt,name=podAntiAffinityTermLabelSelector,proto3" json:"podAntiAffinityTermLabelSelector,omitempty"` @@ -1160,6 +1163,7 @@ type GlobalConfig struct { // endpoints based on the localities of where the traffic originates and where it will terminate. // Please set either failover or distribute configuration but not both. // + // ```yaml // localityLbSetting: // distribute: // - from: "us-central1/*" 
@@ -1173,6 +1177,7 @@ type GlobalConfig struct { // to: eu-west // - from: us-west // to: us-east + // ``` LocalityLbSetting map[string]string `protobuf:"bytes,15,rep,name=localityLbSetting,proto3" json:"localityLbSetting,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // Specifies the Configuration for the legacy kubernetes Ingress. K8SIngress *KubernetesIngressConfig `protobuf:"bytes,16,opt,name=k8sIngress,proto3" json:"k8sIngress,omitempty"`
@@ -1193,6 +1198,7 @@ type GlobalConfig struct { // LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, // it still need to be configured manually). // + // ```yaml // meshNetworks: // network1: // endpoints:
@@ -1206,7 +1212,7 @@ type GlobalConfig struct { // gateways: // - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local // port: 443 - // + // ``` MeshNetworks *TypeMapStringInterface `protobuf:"bytes,19,opt,name=meshNetworks,proto3" json:"meshNetworks,omitempty"` // Specifies the monitor port number for all Istio control plane components. MonitoringPort uint32 `protobuf:"varint,20,opt,name=monitoringPort,proto3" json:"monitoringPort,omitempty"`
diff --git a/pkg/apis/istio/v1alpha2/values/values_types.proto b/pkg/apis/istio/v1alpha2/values/values_types.proto
index f83120d62..9479829c5 100644
--- a/pkg/apis/istio/v1alpha2/values/values_types.proto
+++ b/pkg/apis/istio/v1alpha2/values/values_types.proto
@@ -162,14 +162,17 @@ message EgressGatewayConfig { // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity // // Examples: + // + // ```yaml // podAntiAffinityLabelSelector: // - key: security // operator: In // values: S1,S2 // topologyKey: "kubernetes.io/hostname" - // This pod anti-affinity rule says that the pod requires not to be scheduled - // onto a node if that node is already running a pod with label having key - // “security” and value “S1”. + // ``` + // This pod anti-affinity rule says that the pod requires not to be scheduled + // onto a node if that node is already running a pod with label having key + // “security” and value “S1”. TypeSliceOfMapStringInterface podAntiAffinityLabelSelector = 12; // See PodAntiAffinityLabelSelector.
@@ -318,6 +321,7 @@ message GlobalConfig {
 // endpoints based on the localities of where the traffic originates and where it will terminate.
 // Please set either failover or distribute configuration but not both.
 //
+ // ```yaml
 // localityLbSetting:
 // distribute:
 // - from: "us-central1/*"
@@ -331,6 +335,7 @@ message GlobalConfig { // to: eu-west // - from: us-west // to: us-east + // ``` map localityLbSetting = 15; // LocalityLbSetting map[string]interface{} `json:"localityLbSetting"`
@@ -356,6 +361,7 @@ message GlobalConfig {
 // LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
 // it still need to be configured manually).
 //
+ // ```yaml
 // meshNetworks:
 // network1:
 // endpoints:
@@ -369,7 +375,7 @@ message GlobalConfig { // gateways: // - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local // port: 443 - // + // ``` TypeMapStringInterface meshNetworks = 19; // Specifies the monitor port number for all Istio control plane components.
diff --git a/pkg/vfs/assets.gen.go b/pkg/vfs/assets.gen.go
index ea8235dce..eadea84fc 100644
--- a/pkg/vfs/assets.gen.go
+++ b/pkg/vfs/assets.gen.go
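Review bot: In the first hunk (EgressGatewayConfig) the explanation re-added under the newly fenced example still says the rule matches a label with key “security” and value “S1”, while the example itself gives `values: S1,S2` with `operator: In`, so the prose appears to describe a narrower rule than the YAML. I would change the last comment line to `// "security" and value "S1" or "S2".`, using plain quotes so the sentence matches the quoting in the example. The message body continues outside the hunk, and the generated values_types.pb.go section of this patch carries the same comment.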
@@ -39,6 +39,7 @@ // ../../data/charts/gateways/istio-ingress/templates/serviceaccount.yaml // ../../data/charts/gateways/istio-ingress/templates/sidecar.yaml // ../../data/charts/gateways/istio-ingress/values.yaml +// ../../data/charts/global.yaml // ../../data/charts/istio-cni/Chart.yaml // ../../data/charts/istio-cni/templates/clusterrole.yaml // ../../data/charts/istio-cni/templates/clusterrolebinding.yaml
@@ -211,14 +212,10 @@ // ../../data/charts/security/nodeagent/templates/serviceaccount.yaml // ../../data/charts/security/nodeagent/values.yaml // ../../data/profiles/default.yaml -// ../../data/profiles/default.yaml.orig // ../../data/profiles/demo-auth.yaml -// ../../data/profiles/demo-auth.yaml.orig // ../../data/profiles/demo.yaml -// ../../data/profiles/demo.yaml.orig // ../../data/profiles/minimal.yaml // ../../data/profiles/sds.yaml -// ../../data/profiles/sds.yaml.orig // DO NOT EDIT! package vfs
@@ -3788,6 +3785,446 @@ func chartsGatewaysIstioIngressValuesYaml() (*asset, error) { return a, nil } +var _chartsGlobalYaml = []byte(`# Global and common settings for installing Istio. + +# This file is configured for a small scale production cluster. +# Use user-values-medium or custom settings to tune up the CPU and scalling. +# Additional values overrides can be used. + +# Each individual component will use values from this file, with defaults and 'advanced' settings included in +# its own chart's values.yaml. + +# TODO: trim this file to commonly used settings, leave 'advanced' in the individual values.yaml (they can +# still be overridden by users, but won't show in basic documentation. + +# This doesn't match istio defaults, which are more geared towards tests and bookinfo. + +global: + # Used to locate istio-pilot. + # Default is to install pilot in a dedicated namespace, istio-pilot11. You can use multiple namespaces, but + # for each 'profile' you need to match the control plane namespace and the value of istioNamespace + # It is assumed that istio-system is running either 1.0 or an upgraded version of 1.1, but only security components are + # used (citadel generating the secrets). + istioNamespace: istio-control + configNamespace: istio-control + + # Telemetry namespace, including tracing. + telemetryNamespace: istio-telemetry + + prometheusNamespace: istio-telemetry + + policyNamespace: istio-policy + + ## End new settings + ## After this line we have the old Istio settings. + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly + hub: gcr.io/istio-release + + # Default tag for Istio images. 
+ tag: master-latest-daily + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + k8sIngress: + enabled: false + # Gateway used for k8s Ingress resources. By default it is + # using 'istio:ingressgateway' that will be installed by setting + # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' + # flags to true. + gatewayName: ingressgateway + # enableHttps will add port 443 on the ingress. + # It REQUIRES that the certificates are installed in the + # expected secrets - enabling this option without certificates + # will result in LDS rejection and the ingress will not work. + enableHttps: false + + proxy: + image: proxyv2 + + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 128Mi + + # Controls number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + + # Configures the access log for each sidecar. + # Options: + # "" - disables access log + # "/dev/stdout" - enables access log + accessLogFile: "" + + # Configure how and what fields are displayed in sidecar access log. Setting to + # empty string will result in default log format + accessLogFormat: "" + + # Configure the access log for sidecar to JSON or TEXT. + accessLogEncoding: TEXT + + # Log level for proxy, applies to gateways and sidecars. 
+ # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS + # This must be given it terms of seconds. For example, 300s is valid but 5m is invalid. + dnsRefreshRate: 300s + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + + # istio egress capture whitelist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + + # pod internal interfaces + kubevirtInterfaces: "" + + # istio ingress capture whitelist + # examples: + # Redirect no inbound traffic to Envoy: --includeInboundPorts="" + # Redirect all inbound traffic to Envoy: --includeInboundPorts="*" + # Redirect only selected ports: --includeInboundPorts="80,8080" + includeInboundPorts: "*" + excludeInboundPorts: "" + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). 
+ # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector + # via the Metrics Service gRPC API. This contains detailed stats information emitted directly + # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also + # available to scrape via the Envoy admin port at either /stats or /stats/prometheus. + # + # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto + # for details about Envoy's Metrics Service API. + # + # Disabled by default. + envoyMetricsService: + enabled: false + host: # example: metrics-service.istio-system + port: # example: 15000 + + # Specify which tracer to use. One of: lightstep, zipkin, datadog + tracer: "zipkin" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxy_init + + # imagePullPolicy is applied to istio control plane components. + # local tests require IfNotPresent, to avoid uploading to dockerhub. + # TODO: Switch to Always as default, and override in the local tests. + imagePullPolicy: Always + + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + # disablePolicyChecks disables mixer policy checks. + # if mixer.policy.enabled==true then disablePolicyChecks has affect. + # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. + disablePolicyChecks: true + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. 
+ # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + + # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. + enableTracing: true + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # secure: specifies whether data should be sent with TLS + # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is + # required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination + # namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. + # + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + secure: true # example: true|false + cacertPath: "" # example: /etc/lightstep/cacert.pem + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + + # Default mtls policy. If true, mtls between services will be enabled by default. + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. 
+ # Must be set for any clustser configured with private docker registry. + imagePullSecrets: + # - private-registry-key + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + + # Whether to perform server-side validation of configuration. + configValidation: true + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" + + # If set to true, the pilot and citadel mtls will be exposed on the + # ingress gateway + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. 
All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # enable pod distruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Use the Mesh Control Protocol (MCP) for configuring Mixer and + # Pilot. Requires galley (`+"`"+`--set galley.enabled=true`+"`"+`). + useMCP: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + # Indicate the domain used in SPIFFE identity URL + # The default depends on the environment. 
+ # kubernetes: cluster.local + # else: default dns domain + trustDomain: "" + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests + # to services outside of the mesh without any ServiceEntry. + # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY. + outboundTrafficPolicy: + mode: ALLOW_ANY + + # The namespace where globally shared configurations should be present. + # DestinationRules that apply to the entire mesh (e.g., enabling mTLS), + # default Sidecar configs, etc. should be added to this namespace. + # configRootNamespace: istio-config + + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + #defaultConfigVisibilitySettings: + #- '*' + + sds: + # SDS enabled. IF set to true, mTLS certificates for the sidecars will be + # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. + enabled: false + udsPath: "" + useTrustworthyJwt: false + useNormalJwt: false + + # Configure the mesh networks to be used by the Split Horizon EDS. 
+ # + # The following example defines two networks with different endpoints association methods. + # For `+"`"+`network1`+"`"+` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `+"`"+`network2`+"`"+`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (not + # supported yet). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway + # port: 443 + # + meshNetworks: {} + + # Specifies the global locality load balancing settings. + # Locality-weighted load balancing allows administrators to control the distribution of traffic to + # endpoints based on the localities of where the traffic originates and where it will terminate. + # Please set either failover or distribute configuration but not both. + # + # localityLbSetting: + # distribute: + # - from: "us-central1/*" + # to: + # "us-central1/*": 80 + # "us-central2/*": 20 + # + # localityLbSetting: + # failover: + # - from: us-east + # to: eu-west + # - from: us-west + # to: us-east + localityLbSetting: {} + + # Specifies whether helm test is enabled or not. + # This field is set to false by default, so 'helm template ...' + # will ignore the helm test yaml files when generating the template + enableHelmTest: false + +certmanager: {} + +# Internal setting - used when generating helm templates for kustomize. 
+# clusterResources controls the inclusion of cluster-wide resources when generating the charts/installing. +# For backward compat, it is set to 'true', resulting in the old-style installation. +# When set to 'false', all cluster-wide resources will be omitted, and are expected to be installed +# at the same time with the CRDs. +clusterResources: true + +# Version is set as 'version' label and part of the resource names when installing. +# It is used to support multiple version in same namespace, similar with normal app traffic shift. +version: "" +`) + +func chartsGlobalYamlBytes() ([]byte, error) { + return _chartsGlobalYaml, nil +} + +func chartsGlobalYaml() (*asset, error) { + bytes, err := chartsGlobalYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "charts/global.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _chartsIstioCniChartYaml = []byte(`apiVersion: v1 name: istio-cni version: 0.2.0 
@@ -32126,702 +32563,33 @@ spec: image: node-agent-k8s gateways: - istio-egressgateway: - autoscaleEnabled: true - zvpn: - suffix: global - enabled: true - drainDuration: 45s - connectTimeout: 10s - env: - ISTIO_META_ROUTER_MODE: "sni-dnat" - ports: - - port: 80 - name: http2 - - port: 443 - name: https - - port: 15443 - targetPort: 15443 - name: tls - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - - istio-ingressgateway: - autoscaleEnabled: true - applicationPorts: "" - debug: info - domain: "" - zvpn: - enabled: true - suffix: global - telemetry_domain_name: "" - env: - ISTIO_META_ROUTER_MODE: "sni-dnat" - ports: - - port: 15020 - targetPort: 15020 - name: status-port - - port: 80 - targetPort: 80 - name: http2 - - port: 443 - name: https - - port: 15029 - targetPort: 15029 - name: kiali - - port: 15030 - targetPort: 15030 - name: prometheus - - port: 15031 - targetPort: 15031 - name: grafana - - port: 15032 - targetPort: 15032 - name: tracing - - port: 15443 - targetPort: 15443 - name: tls - meshExpansionPorts: - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - - port: 853 - targetPort: 853 - name: tcp-dns-tls - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - telemetry_addon_gateways: - tracing_gateway: - name: tracing - port: 15032 - desPort: 80 - enabled: false - tls: false - kiali_gateway: - name: kiali - port: 15029 - desPort: 20001 - enabled: false - tls: false - grafana_gateway: - name: grafana - port: 15031 - desPort: 3000 - enabled: false - tls: false - 
prometheus_gateway: - name: prometheus - port: 15030 - desPort: 9090 - enabled: false - tls: false - - sidecarInjectorWebhook: - image: sidecar_injector - enableNamespacesByDefault: false - rewriteAppHTTPProbe: false - selfSigned: false - injectLabel: istio-injection - - prometheus: - enabled: true - replicaCount: 1 - hub: docker.io/prom - tag: v2.8.0 - retention: 6h - scrapeInterval: 15s - contextPath: /prometheus - ingress: - enabled: false - hosts: - - prometheus.local - annotations: - tls: - security: - enabled: true - nodeSelector: {} - tolerations: [] - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - grafana: - enabled: false - replicaCount: 1 - image: - repository: grafana/grafana - tag: 6.1.6 - persist: false - storageClassName: "" - accessMode: ReadWriteMany - security: - enabled: false - secretName: grafana - usernameKey: username - passphraseKey: passphrase - - contextPath: /grafana - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 3000 - loadBalancerIP: - loadBalancerSourceRanges: - ingress: - enabled: false - hosts: - - grafana.local - annotations: - tls: - datasources: - datasources.yaml: - apiVersion: 1 - datasources: - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: 'istio' - orgId: 1 - folder: 'istio' - type: file - disableDeletion: false - options: - path: /var/lib/grafana/dashboards/istio - nodeSelector: {} - tolerations: [] - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - env: {} - envSecrets: {} - - tracing: - enabled: false - provider: jaeger - nodeSelector: {} - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - jaeger: - hub: docker.io/jaegertracing - tag: 1.12 - memory: - max_traces: 50000 - spanStorageType: badger - persist: false - storageClassName: "" - accessMode: ReadWriteMany - zipkin: - hub: docker.io/openzipkin - tag: 2.14.2 - probeStartupDelay: 200 - queryPort: 9411 - resources: - limits: - 
cpu: 300m - memory: 900Mi - requests: - cpu: 150m - memory: 900Mi - javaOptsHeap: 700 - maxSpans: 500000 - node: - cpus: 2 - opencensus: - hub: docker.io/omnition - tag: 0.1.9 - resources: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 200m - memory: 400Mi - exporters: - stackdriver: - enable_tracing: true - service: - annotations: {} - name: http - type: ClusterIP - externalPort: 9411 - ingress: - enabled: false - hosts: - annotations: - tls: - - kiali: - enabled: false - replicaCount: 1 - hub: docker.io/kiali - tag: v1.1.0 - contextPath: /kiali - nodeSelector: {} - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - ingress: - enabled: false - hosts: - - kiali.local - annotations: - tls: - dashboard: - secretName: kiali - usernameKey: username - passphraseKey: passphrase - viewOnlyMode: false - grafanaURL: - jaegerURL: - prometheusNamespace: - createDemoSecret: true - security: - enabled: true - cert_file: /kiali-cert/cert-chain.pem - private_key_file: /kiali-cert/key.pem - - # TODO: derive from operator API - version: "" - clusterResources: true -`) - -func profilesDefaultYamlBytes() ([]byte, error) { - return _profilesDefaultYaml, nil -} - -func profilesDefaultYaml() (*asset, error) { - bytes, err := profilesDefaultYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "profiles/default.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -var _profilesDefaultYamlOrig = []byte(`apiVersion: install.istio.io/v1alpha2 -kind: IstioControlPlane -spec: - hub: gcr.io/istio-release - tag: master-latest-daily - defaultNamespace: istio-system - - # Traffic management feature - trafficManagement: - enabled: true - components: - pilot: - enabled: true - k8s: - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: 
metadata.namespace - - name: GODEBUG - value: gctrace=1 - - name: PILOT_TRACE_SAMPLING - value: "1" - - name: CONFIG_NAMESPACE - value: istio-config - hpaSpec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-pilot - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 30 - timeoutSeconds: 5 - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Policy feature - policy: - enabled: true - components: - policy: - enabled: true - k8s: - replicaCount: 1 - hpaSpec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-policy - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - env: - - name: GODEBUG - value: "gctrace=1" - - # Telemetry feature - telemetry: - enabled: true - components: - telemetry: - enabled: true - k8s: - env: - - name: GODEBUG - value: "gctrace=1" - - name: GOMAXPROCS - value: "6" - hpaSpec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-telemetry - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - replicaCount: 1 - resources: - requests: - cpu: 1000m - memory: 1G - limits: - cpu: 4800m - memory: 4G - - # Security feature - security: - enabled: true - components: - certManager: - enabled: false - nodeAgent: - enabled: false - - # Config management feature - configManagement: - enabled: true - components: - galley: - enabled: true - k8s: - replicaCount: 1 - resources: - requests: - cpu: 100m - - # Auto injection feature - autoInjection: - enabled: true - components: - injector: - enabled: true - k8s: - replicaCount: 1 - - # Istio Gateway feature - gateways: - enabled: true - components: - ingressGateway: - enabled: true - k8s: - hpaSpec: - maxReplicas: 5 - minReplicas: 1 - 
scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - egressGateway: - enabled: false - k8s: - hpaSpec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-egressgateway - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 256Mi - - # Global values passed through to helm global.yaml. - values: - global: - logging: - level: "default:info" - logAsJson: false - k8sIngress: - enabled: false - gatewayName: ingressgateway - enableHttps: false - proxy: - image: proxyv2 - clusterDomain: "cluster.local" - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - concurrency: 2 - accessLogFile: "" - accessLogFormat: "" - accessLogEncoding: TEXT - envoyAccessLogService: - enabled: false - host: # example: accesslog-service.istio-system - port: # example: 15000 - logLevel: warning - componentLogLevel: "misc:error" - dnsRefreshRate: 300s - privileged: false - enableCoreDump: false - statusPort: 15020 - readinessInitialDelaySeconds: 1 - readinessPeriodSeconds: 2 - readinessFailureThreshold: 30 - includeIPRanges: "*" - excludeIPRanges: "" - excludeOutboundPorts: "" - kubevirtInterfaces: "" - includeInboundPorts: "*" - excludeInboundPorts: "" - autoInject: enabled - envoyStatsd: - enabled: false - host: # example: statsd-svc.istio-system - port: # example: 9125 - envoyMetricsService: - enabled: false - host: # example: metrics-service.istio-system - port: # example: 15000 - tracer: "zipkin" - proxy_init: - image: proxy_init - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - imagePullPolicy: Always - controlPlaneSecurityEnabled: 
true - disablePolicyChecks: true - policyCheckFailOpen: false - enableTracing: true - tracer: - lightstep: - address: "" # example: lightstep-satellite:443 - accessToken: "" # example: abcdefg1234567 - secure: true # example: true|false - cacertPath: "" # example: /etc/lightstep/cacert.pem - zipkin: - address: "" - datadog: - address: "$(HOST_IP):8126" - mtls: - enabled: false - imagePullSecrets: [] - arch: - amd64: 2 - s390x: 2 - ppc64le: 2 - oneNamespace: false - defaultNodeSelector: {} - configValidation: true - meshExpansion: - enabled: false - useILB: false - multiCluster: - enabled: false - defaultResources: - requests: - cpu: 10m - defaultPodDisruptionBudget: - enabled: true - priorityClassName: "" - useMCP: true - trustDomain: "" - outboundTrafficPolicy: - mode: ALLOW_ANY - sds: - enabled: false - udsPath: "" - meshNetworks: {} - localityLbSetting: - enabled: true - enableHelmTest: false - - pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - image: pilot - traceSampling: 1.0 - configNamespace: istio-config - appNamespaces: [] - env: - GODEBUG: gctrace=1 - cpu: - targetAverageUtilization: 80 - nodeSelector: {} - tolerations: [] - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - keepaliveMaxServerConnectionAge: 30m - deploymentLabels: - meshNetworks: - networks: {} - configMap: true - ingress: - ingressService: istio-ingressgateway - ingressControllerMode: "OFF" - ingressClass: istio - telemetry: - enabled: true - policy: - enabled: false - useMCP: true - - mixer: - adapters: - stdio: - enabled: false - outputAsJson: false - prometheus: - enabled: true - metricsExpiryDuration: 10m - kubernetesenv: - enabled: true - stackdriver: - enabled: false - auth: - appCredentials: false - apiKey: "" - serviceAccountPath: "" - tracer: - enabled: false - sampleProbability: 1 - useAdapterCRDs: false - - telemetry: - image: mixer - replicaCount: 1 - 
rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - sessionAffinityEnabled: false - loadshedding: - mode: enforce - latencyThreshold: 100ms - reportBatchMaxEntries: 100 - reportBatchMaxTime: 1s - useMCP: true - nodeSelector: {} - tolerations: [] - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - policy: - image: mixer - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - adapters: - kubernetesenv: - enabled: true - - galley: - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - citadel: - image: citadel - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - selfSigned: true # indicate if self-signed CA is used. - trustDomain: cluster.local # indicate the domain used in SPIFFE identity URL - enableNamespacesByDefault: true - dnsCerts: - istio-pilot-service-account.istio-system: istio-pilot.istio-system - - certmanager: - hub: quay.io/jetstack - tag: v0.6.2 - image: cert-manager-controller - - nodeagent: - image: node-agent-k8s - - gateways: + istio-egressgateway: + autoscaleEnabled: true + zvpn: + suffix: global + enabled: true + drainDuration: 45s + connectTimeout: 10s + env: + ISTIO_META_ROUTER_MODE: "sni-dnat" + ports: + - port: 80 + name: http2 + - port: 443 + name: https + - port: 15443 + targetPort: 15443 + name: tls + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + istio-ingressgateway: autoscaleEnabled: true - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% applicationPorts: "" debug: info domain: "" 
@@ -32897,46 +32665,8 @@ spec: desPort: 9090 enabled: false tls: false -<<<<<<< HEAD - istio-egressgateway: - ports: - - port: 80 - name: http2 - - port: 443 - name: https - - port: 15443 - targetPort: 15443 - name: tls - zvpn: - suffix: global - enabled: true - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - drainDuration: 45s - connectTimeout: 10s - serviceAnnotations: {} - podAnnotations: {} - type: ClusterIP # change to NodePort or LoadBalancer if need be - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - env: - ISTIO_META_ROUTER_MODE: "sni-dnat" - nodeSelector: {} - tolerations: [] - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] -======= ->>>>>>> 598103cf7e20c05c6aa466d2a6a30c1b4ce1f71b sidecarInjectorWebhook: - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% image: sidecar_injector enableNamespacesByDefault: false rewriteAppHTTPProbe: false @@ -33104,17 +32834,17 @@ spec: clusterResources: true `) -func profilesDefaultYamlOrigBytes() ([]byte, error) { - return _profilesDefaultYamlOrig, nil +func profilesDefaultYamlBytes() ([]byte, error) { + return _profilesDefaultYaml, nil } -func profilesDefaultYamlOrig() (*asset, error) { - bytes, err := profilesDefaultYamlOrigBytes() +func profilesDefaultYaml() (*asset, error) { + bytes, err := profilesDefaultYamlBytes() if err != nil { return nil, err } - info := bindataFileInfo{name: "profiles/default.yaml.orig", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + info := bindataFileInfo{name: "profiles/default.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} a := &asset{bytes: bytes, info: info} return a, nil } 
@@ -33248,159 +32978,6 @@ func profilesDemoAuthYaml() (*asset, error) { return a, nil } -var _profilesDemoAuthYamlOrig = []byte(`apiVersion: install.istio.io/v1alpha2 -kind: IstioControlPlane -spec: - gateways: - components: - egressGateway: -<<<<<<< HEAD - enabled: false - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi -======= - common: - enabled: true - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - limits: - cpu: 2000m - memory: 256Mi - values: - autoscaleEnabled: false ->>>>>>> 0e53114f62ca1dafda5750c8817f10747379b0af - ingressGateway: - enabled: true - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - policy: - components: - policy: - k8s: - resources: - requests: - cpu: 10m - memory: 100Mi - - telemetry: - components: - telemetry: - k8s: - resources: - requests: - cpu: 50m - memory: 100Mi - - - trafficManagement: - components: - pilot: - k8s: - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: GODEBUG - value: gctrace=1 - - name: PILOT_TRACE_SAMPLING - value: "100" - - name: CONFIG_NAMESPACE - value: istio-config - resources: - requests: - cpu: 10m - memory: 100Mi - - proxy: - values: - accessLogFile: /dev/stdout - resources: - requests: - cpu: 10m - memory: 40Mi - - values: - global: - disablePolicyChecks: false - mtls: - enabled: true - - pilot: - autoscaleEnabled: false - - proxy: - accessLogFile: /dev/stdout - resources: - requests: - cpu: 10m - memory: 40Mi - - mixer: - adapters: - useAdapterCRDs: false - kubernetesenv: - enabled: true - prometheus: - enabled: true - metricsExpiryDuration: 10m - stackdriver: - enabled: false - stdio: - enabled: true - outputAsJson: false - policy: - autoscaleEnabled: false - telemetry: - autoscaleEnabled: false - - gateway: - istio-egressgateway: - autoscaleEnabled: false - istio-ingressgateway: - autoscaleEnabled: false - - grafana: - enabled: 
true - - tracing: - enabled: true - - kiali: - enabled: true - createDemoSecret: true -`) - -func profilesDemoAuthYamlOrigBytes() ([]byte, error) { - return _profilesDemoAuthYamlOrig, nil -} - -func profilesDemoAuthYamlOrig() (*asset, error) { - bytes, err := profilesDemoAuthYamlOrigBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "profiles/demo-auth.yaml.orig", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - var _profilesDemoYaml = []byte(`apiVersion: install.istio.io/v1alpha2 kind: IstioControlPlane spec: 
@@ -33530,150 +33107,6 @@ func profilesDemoYaml() (*asset, error) { return a, nil } -var _profilesDemoYamlOrig = []byte(`apiVersion: install.istio.io/v1alpha2 -kind: IstioControlPlane -spec: - gateways: - components: - egressGateway: -<<<<<<< HEAD - enabled: false - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - -======= - common: - enabled: true - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - limits: - cpu: 2000m - memory: 256Mi - values: - autoscaleEnabled: false ->>>>>>> 0e53114f62ca1dafda5750c8817f10747379b0af - ingressGateway: - enabled: true - k8s: - resources: - requests: - cpu: 10m - memory: 40Mi - - policy: - components: - policy: - k8s: - resources: - requests: - cpu: 10m - memory: 100Mi - - telemetry: - components: - telemetry: - k8s: - resources: - requests: - cpu: 50m - memory: 100Mi - - trafficManagement: - components: - pilot: - k8s: - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: GODEBUG - value: gctrace=1 - - name: PILOT_TRACE_SAMPLING - value: "100" - - name: CONFIG_NAMESPACE - value: istio-config - resources: - requests: - cpu: 10m - memory: 100Mi - - values: - global: - disablePolicyChecks: false - - pilot: - autoscaleEnabled: false - - proxy: - accessLogFile: /dev/stdout - resources: - requests: - cpu: 10m - memory: 40Mi - - mixer: - adapters: - useAdapterCRDs: false - kubernetesenv: - enabled: true - prometheus: - enabled: true - metricsExpiryDuration: 10m - stackdriver: - enabled: false - stdio: - enabled: true - outputAsJson: false - policy: - autoscaleEnabled: false - telemetry: - autoscaleEnabled: false - - gateway: - istio-egressgateway: - autoscaleEnabled: false - istio-ingressgateway: - autoscaleEnabled: false - - grafana: - enabled: true - - tracing: - enabled: true - - kiali: - enabled: true - createDemoSecret: true -`) - -func profilesDemoYamlOrigBytes() 
([]byte, error) { - return _profilesDemoYamlOrig, nil -} - -func profilesDemoYamlOrig() (*asset, error) { - bytes, err := profilesDemoYamlOrigBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "profiles/demo.yaml.orig", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - var _profilesMinimalYaml = []byte(`apiVersion: install.istio.io/v1alpha2 kind: IstioControlPlane spec: 
@@ -33768,74 +33201,6 @@ func profilesSdsYaml() (*asset, error) { return a, nil } -var _profilesSdsYamlOrig = []byte(`apiVersion: install.istio.io/v1alpha2 -kind: IstioControlPlane -spec: - security: - components: - nodeAgent: - enabled: true -<<<<<<< HEAD -<<<<<<< HEAD - -======= ->>>>>>> 0584d5d7... add back the mandiff test. (#223) -======= - k8s: - env: - - name: CA_ADDR - value: "istio-citadel:8060" - - name: CA_PROVIDER - value: Citadel - - name: Plugins - value: "" - - name: VALID_TOKEN - value: "true" - - name: Trust_Domain - value: "" - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace ->>>>>>> a119f421... fix mandiff gaps. (#222) - values: - global: - controlPlaneSecurityEnabled: false - mtls: - enabled: true - controlPlaneSecurityEnabled: false - sds: - enabled: true - udsPath: "unix:/var/run/sds/uds_path" - useNormalJwt: false - useTrustworthyJwt: true - nodeagent: - image: node-agent-k8s - env: - CA_PROVIDER: "Citadel" - CA_ADDR: "istio-citadel:8060" - VALID_TOKEN: true -<<<<<<< HEAD -======= - ->>>>>>> 0584d5d7... add back the mandiff test. (#223) -`) - -func profilesSdsYamlOrigBytes() ([]byte, error) { - return _profilesSdsYamlOrig, nil -} - -func profilesSdsYamlOrig() (*asset, error) { - bytes, err := profilesSdsYamlOrigBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "profiles/sds.yaml.orig", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - // Asset loads and returns the asset for the given name. // It returns an error if the asset could not be found or // could not be loaded. 
@@ -33927,6 +33292,7 @@ var _bindata = map[string]func() (*asset, error){ "charts/gateways/istio-ingress/templates/serviceaccount.yaml": chartsGatewaysIstioIngressTemplatesServiceaccountYaml, "charts/gateways/istio-ingress/templates/sidecar.yaml": chartsGatewaysIstioIngressTemplatesSidecarYaml, "charts/gateways/istio-ingress/values.yaml": chartsGatewaysIstioIngressValuesYaml, + "charts/global.yaml": chartsGlobalYaml, "charts/istio-cni/Chart.yaml": chartsIstioCniChartYaml, "charts/istio-cni/templates/clusterrole.yaml": chartsIstioCniTemplatesClusterroleYaml, "charts/istio-cni/templates/clusterrolebinding.yaml": chartsIstioCniTemplatesClusterrolebindingYaml, @@ -34099,14 +33465,10 @@ var _bindata = map[string]func() (*asset, error){ "charts/security/nodeagent/templates/serviceaccount.yaml": chartsSecurityNodeagentTemplatesServiceaccountYaml, "charts/security/nodeagent/values.yaml": chartsSecurityNodeagentValuesYaml, "profiles/default.yaml": profilesDefaultYaml, - "profiles/default.yaml.orig": profilesDefaultYamlOrig, "profiles/demo-auth.yaml": profilesDemoAuthYaml, - "profiles/demo-auth.yaml.orig": profilesDemoAuthYamlOrig, "profiles/demo.yaml": profilesDemoYaml, - "profiles/demo.yaml.orig": profilesDemoYamlOrig, "profiles/minimal.yaml": profilesMinimalYaml, "profiles/sds.yaml": profilesSdsYaml, - "profiles/sds.yaml.orig": profilesSdsYamlOrig, } // AssetDir returns the file names below a certain @@ -34205,6 +33567,7 @@ var _bintree = &bintree{nil, map[string]*bintree{ "values.yaml": &bintree{chartsGatewaysIstioIngressValuesYaml, map[string]*bintree{}}, }}, }}, + "global.yaml": &bintree{chartsGlobalYaml, map[string]*bintree{}}, "istio-cni": &bintree{nil, map[string]*bintree{ "Chart.yaml": &bintree{chartsIstioCniChartYaml, map[string]*bintree{}}, "templates": &bintree{nil, map[string]*bintree{ 
@@ -34453,14 +33816,10 @@ var _bintree = &bintree{nil, map[string]*bintree{ }}, "profiles": &bintree{nil, map[string]*bintree{ "default.yaml": &bintree{profilesDefaultYaml, map[string]*bintree{}}, - "default.yaml.orig": &bintree{profilesDefaultYamlOrig, map[string]*bintree{}}, "demo-auth.yaml": &bintree{profilesDemoAuthYaml, map[string]*bintree{}}, - "demo-auth.yaml.orig": &bintree{profilesDemoAuthYamlOrig, map[string]*bintree{}}, "demo.yaml": &bintree{profilesDemoYaml, map[string]*bintree{}}, - "demo.yaml.orig": &bintree{profilesDemoYamlOrig, map[string]*bintree{}}, "minimal.yaml": &bintree{profilesMinimalYaml, map[string]*bintree{}}, "sds.yaml": &bintree{profilesSdsYaml, map[string]*bintree{}}, - "sds.yaml.orig": &bintree{profilesSdsYamlOrig, map[string]*bintree{}}, }}, }}