From a58c005dab8985e650afed78245333484bd46834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=BE=84=E6=BD=AD?= Date: Thu, 19 Jan 2023 09:54:50 +0800 Subject: [PATCH] support simple install without istio (#139) --- VERSION | 2 +- helm/higress/Chart.yaml | 4 +- helm/higress/templates/configmap.yaml | 81 +++- .../templates/controller-clusterrole.yaml | 56 ++- .../templates/controller-deployment.yaml | 162 +++++++ helm/higress/templates/controller-role.yaml | 13 + .../templates/controller-rolebinding.yaml | 15 + .../higress/templates/controller-service.yaml | 15 + helm/higress/templates/deployment.yaml | 6 +- helm/higress/values.yaml | 421 +++++++++++++++++- helm/kind/higress/Chart.yaml | 6 +- 11 files changed, 763 insertions(+), 18 deletions(-) create mode 100644 helm/higress/templates/controller-role.yaml create mode 100644 helm/higress/templates/controller-rolebinding.yaml diff --git a/VERSION b/VERSION index 8ea9cc1eb..60f634328 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.5.4 +v0.6.0 diff --git a/helm/higress/Chart.yaml b/helm/higress/Chart.yaml index 8d5592d73..a3ecacea1 100644 --- a/helm/higress/Chart.yaml +++ b/helm/higress/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.5.4 +appVersion: 0.6.0 description: Helm chart for deploying higress gateways icon: https://higress.io/img/higress_logo_small.png keywords: @@ -9,4 +9,4 @@ name: higress sources: - http://github.com/alibaba/higress type: application -version: 0.5.4 +version: 0.6.0 diff --git a/helm/higress/templates/configmap.yaml b/helm/higress/templates/configmap.yaml index 63afba5d4..385eebafb 100644 --- a/helm/higress/templates/configmap.yaml +++ b/helm/higress/templates/configmap.yaml 
@@ -1,8 +1,77 @@ {{- define "mesh" }} # The trust domain corresponds to the trust root of a system. # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + accessLogEncoding: TEXT + accessLogFile: "/dev/stdout" + accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"} + + ' + dnsRefreshRate: 200s + enableAutoMtls: false + enablePrometheusMerge: false + protocolDetectionTimeout: 100ms + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. 
+ rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + configSources: + - address: "xds://127.0.0.1:15051" + defaultConfig: - discoveryAddress: {{ printf "istiod.%s.svc" .Values.istioNamespace }}:15012 + {{- if .Values.global.meshID }} + meshId: {{ .Values.global.meshID }} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. 
+ maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- else }} + {} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.externalIstiod }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "higress-controller.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012 + {{- end }} proxyStatsMatcher: inclusionRegexps: - ".*" @@ -21,6 +90,16 @@ metadata: labels: {{- include "gateway.labels" . | nindent 4 }} data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + mesh: |- {{- if .Values.meshConfig }} {{ $mesh | toYaml | indent 4 }} diff --git a/helm/higress/templates/controller-clusterrole.yaml b/helm/higress/templates/controller-clusterrole.yaml index 5bb0c06fc..cefc9b930 100644 --- a/helm/higress/templates/controller-clusterrole.yaml +++ b/helm/higress/templates/controller-clusterrole.yaml 
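Review bot: With `global.enableMesh: true` the rendered `discoveryAddress` still falls into the final `{{- else }}` branch and points at `higress-controller.<ns>.svc:15012`, but the discovery container that listens on 15012 is only rendered when `enableMesh` is false, and the removed `istiod.<istioNamespace>.svc` route is gone; unless `remotePilotAddress` is set there is no way left to reach an existing istiod. Consider an explicit branch such as `{{- else if .Values.global.enableMesh }}` / `discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012`, with a comment saying which install mode each branch serves. The templated scalars `meshId: {{ .Values.global.meshID }}`, the lightstep `address`/`accessToken` and the zipkin/datadog `address` are emitted unquoted, so a numeric- or boolean-looking value is retyped by the YAML loader; quote them (`meshId: "{{ .Values.global.meshID }}"`). The lightstep `accessToken` also ends up in a ConfigMap rather than a Secret, which deserves an operator-facing comment next to the value.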
@@ -44,13 +44,65 @@ rules: - apiGroups: ["extensions.higress.io"] resources: ["wasmplugins"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["services"] verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] - # Used to verify the JWT tokens + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] + + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: 
["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] diff --git a/helm/higress/templates/controller-deployment.yaml b/helm/higress/templates/controller-deployment.yaml index afcf4e7fc..7be743fc3 100644 --- a/helm/higress/templates/controller-deployment.yaml +++ b/helm/higress/templates/controller-deployment.yaml 
@@ -28,6 +28,135 @@ spec: securityContext: {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} containers: +{{- if not .Values.global.enableMesh }} + - name: discovery +{{- if contains "/" .Values.pilot.image }} + image: "{{ .Values.pilot.image }}" +{{- else }} + image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if .Values.pilot.plugins }} + - --plugins={{ .Values.pilot.plugins }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: HIGRESS_CONTROLLER_SVC + value: "127.0.0.1" + - name: HIGRESS_CONTROLLER_PORT + value: "15051" + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: "istiod" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: 
/var/run/secrets/remote/config + {{- if .Values.pilot.env }} + {{- range $key, $val := .Values.pilot.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.pilot.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.pilot.traceSampling }}" +{{- end }} + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" + - name: ISTIOD_ADDR + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + {{- if not .Values.global.kind }} + resources: +{{- if .Values.pilot.resources }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + {{- end }} + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config + mountPath: /etc/istio/config + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + {{- end }} + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} +{{- end }} - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.controller.securityContext | nindent 12 }} 
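Review bot: `ISTIOD_ADDR` is set to `istiod[-<revision>].<ns>.svc:15012`, but nothing in this patch creates an `istiod` Service — the discovery ports are added to the `higress-controller` Service and configmap.yaml points `discoveryAddress` at `higress-controller.<ns>.svc:15012` — so unless that Service exists elsewhere the value should be `higress-controller.{{ .Release.Namespace }}.svc:15012` for consistency. `{{- if not (eq .Values.revision "") }}` (also used for the `extracacerts` ConfigMap name in the volumes hunk) assumes `revision` is defined; the values.yaml hunk does not add it, and comparing a nil value with `eq` fails at render time on Helm builds using older Go template versions, so add `revision: ""` to values.yaml or test `{{- if .Values.revision }}` instead. `PILOT_CERT_PROVIDER` is hard-coded to `"istiod"` while values.yaml introduces `global.pilotCertProvider`; render `value: "{{ .Values.global.pilotCertProvider }}"` so the provider and the CSR RBAC stay in sync. The enclosing container list continues outside the hunk.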
@@ -95,3 +224,36 @@ spec: volumes: - name: log emptyDir: {} + {{- if not .Values.global.enableMesh }} + - name: config + configMap: + name: higress-config + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/helm/higress/templates/controller-role.yaml b/helm/higress/templates/controller-role.yaml new file mode 100644 index 000000000..e7ad15817 --- /dev/null +++ b/helm/higress/templates/controller-role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "controller.labels" . | nindent 4 }} +rules: +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/helm/higress/templates/controller-rolebinding.yaml b/helm/higress/templates/controller-rolebinding.yaml new file mode 100644 index 000000000..a4a821c77 --- /dev/null +++ b/helm/higress/templates/controller-rolebinding.yaml 
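Review bot: The `{{- end }}` closing `{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}` comes only after the `extracacerts` block, so with `first-party-jwt` the `cacerts` and `istio-kubeconfig` volumes are not rendered while the discovery container in the previous hunk mounts both unconditionally, and the pod will be rejected for referencing missing volumes. Move one `{{- end }}` to directly after `path: istio-token`; the two remaining ends then close the `jwksResolverExtraRootCA` and `enableMesh` conditionals. The carried-over `# Technically not needed on this pod ... Should be removed after everything works.` comment on `local-certs` describes upstream's intent rather than this chart's; since the container does mount it at `/var/run/secrets/istio-dns`, reword it to say what the mount is for here.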
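Review bot: The Role grants create/update/delete on every Secret in the release namespace and is rendered even when `global.enableMesh` is true, although only the discovery container (rendered when it is false) needs it; gate the file on `{{- if not .Values.global.enableMesh }}` like the deployment does, and apply the same guard to controller-rolebinding.yaml. `resourceNames` cannot fully honour the TODO because `create`, `list` and `watch` are not filtered by name, so the comment should state the actual scope, e.g. `# create/list/watch cannot be limited by resourceNames; istiod uses this to read the optional "cacerts" secret and store the CA secret it generates`. A brief header comment noting that this Role is only for the embedded discovery container would also help readers who expect the controller itself to need it.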
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "controller.serviceAccountName" . }} +subjects: + - kind: ServiceAccount + name: {{ include "controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/helm/higress/templates/controller-service.yaml b/helm/higress/templates/controller-service.yaml index 2afc13fa8..472ffe04e 100644 --- a/helm/higress/templates/controller-service.yaml +++ b/helm/higress/templates/controller-service.yaml @@ -8,5 +8,20 @@ spec: type: {{ .Values.controller.service.type }} ports: {{- toYaml .Values.controller.ports | nindent 4 }} + {{- if not .Values.global.enableMesh }} + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + {{- end }} selector: {{- include "controller.selectorLabels" . | nindent 4 }} diff --git a/helm/higress/templates/deployment.yaml b/helm/higress/templates/deployment.yaml index ba0a4e654..09416f685 100644 --- a/helm/higress/templates/deployment.yaml +++ b/helm/higress/templates/deployment.yaml @@ -122,7 +122,7 @@ spec: - name: ENABLE_INGRESS_GATEWAY_SDS value: "false" - name: JWT_POLICY - value: {{ .Values.gateway.jwtPolicy }} + value: {{ .Values.global.jwtPolicy }} - name: ISTIO_META_HTTP10 value: "1" - name: ISTIO_META_CLUSTER_ID 
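Review bot: Port 15010 is documented inline as `# plaintext` xDS and 15014 as Prometheus stats, yet both are appended to the same Service whose `type` comes from `.Values.controller.service.type`; if that is `NodePort` or `LoadBalancer`, the unauthenticated xDS endpoint — which hands out the full routing configuration — becomes reachable from outside the cluster. As far as the diff shows, the in-pod consumer uses `xds://127.0.0.1:15051` (configmap.yaml) and the gateway uses 15012, so consider exposing only 15012 and 443 here, or add a comment such as `# 15010/15014 are for in-cluster use only; keep service.type ClusterIP when enableMesh is false`.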
@@ -166,7 +166,7 @@ spec: {{- toYaml .Values.gateway.resources | nindent 12 }} {{- end }} volumeMounts: - {{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }} + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token mountPath: /var/run/secrets/tokens readOnly: true @@ -198,7 +198,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }} + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: diff --git a/helm/higress/values.yaml b/helm/higress/values.yaml index 6f3d52a47..4a6a33a7e 100644 --- a/helm/higress/values.yaml +++ b/helm/higress/values.yaml 
@@ -3,13 +3,356 @@ global: # for internal usage only, not to be configured by users. autoscalingv2API: true kind: false + enableMesh: false + # Used to locate istiod. + istioNamespace: higress-system + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: false + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress + # Default tag for Istio images. + tag: 0.5.4 + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. 
+ istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + omitSidecarInjectorConfigMap: false + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. 
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # Resources for the sidecar. 
+ resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "zipkin" + + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: false + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Configure a remote cluster data plane controlled by an external istiod. + # When set to true, istiod is not deployed locally and only a subset of the other + # discovery charts are enabled. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". 
+ jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. 
The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: true + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. 
+ servicePort: 0 + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + stackdriver: + # enables trace output to stdout. + debug: false + # The global default max number of message events per span. + maxNumberOfMessageEvents: 200 + # The global default max number of annotation events per span. + maxNumberOfAnnotations: 200 + # The global default max number of attributes per span. + maxNumberOfAttributes: 200 + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + + # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. + useMCP: false + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress ingressClass: "" watchNamespace: "" enableStatus: false clusterName: "" -istioNamespace: "istio-system" -meshConfig: {} +istioNamespace: "higress-system" +# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options +meshConfig: + enablePrometheusMerge: true + # Config for the default ProxyConfig. 
+ # Initially using directly the proxy metadata - can also be activated using annotations + # on the pod. This is an unsupported low-level API, pending review and decisions on + # enabling the feature. Enabling the DNS listener is safe - and allows further testing + # and gradual adoption by setting capture only on specific workloads. It also allows + # VMs to use other DNS options, like dnsmasq or unbound. + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + + rootNamespace: + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # TODO: the intent is to eventually have this enabled by default when security is used. + # It is not clear if user should normally need to configure - the metadata is typically + # used as an escape and to control testing and rollout, but it is not intended as a long-term + # stable API. + + # What we may configure in mesh config is the ".global" - and use of other suffixes. + # No hurry to do this in 1.6, we're trying to prove the code. + gateway: name: "higress-gateway" replicas: 2 @@ -35,10 +378,6 @@ gateway: # Pod environment variables env: {} - # Configure the policy for validating JWT, it is used for istio authentication. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - hostNetwork: false # Labels to apply to all resources 
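Review bot: `rootNamespace:` is left as a bare empty value (YAML null); configmap.yaml recovers with `default`, but `rootNamespace: ""` makes the intent explicit and keeps linters quiet. The namespace now lives in two places, `global.istioNamespace: higress-system` and top-level `istioNamespace: "higress-system"`, and templates read both; a comment on one stating it must match the other (or making one reference the other) avoids drift. `meshConfig.enablePrometheusMerge: true` contradicts the `enablePrometheusMerge: false` default in the `mesh` define in configmap.yaml — presumably the values entry wins on merge, but say which is authoritative. `global.tag: 0.5.4` is kept while the chart's appVersion moves to 0.6.0; if the pilot image is published alongside the chart this is a stale tag, so confirm.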
@@ -190,3 +529,73 @@ controller: maxReplicas: 5 targetCPUUtilizationPercentage: 80 +## Discovery Settings +pilot: + autoscaleEnabled: false + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress + tag: 0.5.4 + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + env: + PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "true" + PILOT_ENABLE_METADATA_EXCHANGE: "false" + PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: "false" + VALIDATION_ENABLED: "false" + + cpu: + targetAverageUtilization: 80 + + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: true + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # This is used to set the source of configuration for + # the associated address in configSource, if nothing is specificed + # the default MCP is assumed. + configSource: + subscribedResources: [] + + plugins: [] + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} 
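Review bot: Most of the new `pilot` keys — `autoscaleEnabled`, `autoscaleMin`/`autoscaleMax`, `replicaCount`, `rollingMaxSurge`/`rollingMaxUnavailable`, `cpu`, `nodeSelector`, `podAnnotations`, `serviceAnnotations`, `configSource`, `deploymentLabels`, `configMap`, `podLabels` — are not read by any template in this patch, since the discovery container runs inside the controller Deployment and scales with it; either drop them or mark them with a comment such as `# not consumed: the discovery container runs in the higress-controller Deployment; scale it via controller.*`. The keys consumed here are `hub`, `tag`, `image`, `traceSampling`, `resources`, `env`, `enableProtocolSniffingForOutbound`/`Inbound`, `jwksResolverExtraRootCA`, `plugins` and `keepaliveMaxServerConnectionAge`. `plugins: []` is a list but controller-deployment.yaml renders it as `--plugins={{ .Values.pilot.plugins }}`, which prints a Go slice (`[a b]`) rather than a comma-separated value once it is non-empty; either make it a string or render `join "," .Values.pilot.plugins`. `traceSampling: 1.0` is interpolated as `"{{ .Values.pilot.traceSampling }}"`, where the float prints as `1`; quoting the value (`"1.0"`) keeps it as written.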
diff --git a/helm/kind/higress/Chart.yaml b/helm/kind/higress/Chart.yaml index 4c50e7725..32907c953 100644 --- a/helm/kind/higress/Chart.yaml +++ b/helm/kind/higress/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.5.4 +appVersion: 0.6.0 description: Helm chart for deploying higress gateways icon: https://higress.io/img/higress_logo_small.png keywords: @@ -11,6 +11,6 @@ sources: dependencies: - name: higress repository: "file://../../higress" - version: 0.5.4 + version: 0.6.0 type: application -version: 0.5.4 +version: 0.6.0