jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-05-08 04:17:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2 from johnlanni/init

Browse Source 
add cmd & scripts
This commit is contained in:
澄潭
2022-11-01 14:38:21 +08:00
committed by GitHub
parent b57a8e141c 1d9c2dec62
commit e99939c394
71 changed files with 14636 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
external
out
*.tgz

50
Makefile Normal file
View File

@@ -0,0 +1,50 @@
SHELL := /bin/bash
# allow optional per-repo overrides
-include Makefile.overrides.mk
# Set the environment variable BUILD_WITH_CONTAINER to use a container
# to build the repo. The only dependencies in this mode are to have make and
# docker. If you'd rather build with a local tool chain instead, you'll need to
# figure out all the tools you need in your environment to make that work.
export BUILD_WITH_CONTAINER ?= 0
ifeq ($(BUILD_WITH_CONTAINER),1)
# An export free of arugments in a Makefile places all variables in the Makefile into the
# environment. This is needed to allow overrides from Makefile.overrides.mk.
export
$(shell $(shell pwd)/script/setup_env.sh)
RUN = ./script/run.sh
MAKE_DOCKER = $(RUN) make --no-print-directory -e -f Makefile.core.mk
%:
@$(MAKE_DOCKER) $@
default:
@$(MAKE_DOCKER)
shell:
@$(RUN) /bin/bash
.PHONY: default shell
else
# If we are not in build container, we need a workaround to get environment properly set
# Write to file, then include
$(shell mkdir -p out)
$(shell $(shell pwd)/script/setup_env.sh envfile > out/.env)
include out/.env
# An export free of arugments in a Makefile places all variables in the Makefile into the
# environment. This behavior may be surprising to many that use shell often, which simply
# displays the existing environment
export
export GOBIN ?= $(GOPATH)/bin
include Makefile.core.mk
endif

117
Makefile.core.mk Normal file
View File

@@ -0,0 +1,117 @@
SHELL := /bin/bash -o pipefail
export BASE_VERSION ?= 2022-10-27T19-02-22
export HUB ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
GO ?= go
GOARCH_LOCAL := $(TARGET_ARCH)
GOOS_LOCAL := $(TARGET_OS)
RELEASE_LDFLAGS='-extldflags -static -s -w'
export OUT:=$(TARGET_OUT)
export OUT_LINUX:=$(TARGET_OUT_LINUX)
# If tag not explicitly set in users' .istiorc.mk or command line, default to the git sha.
TAG ?= $(shell git rev-parse --verify HEAD)
ifeq ($(TAG),)
$(error "TAG cannot be empty")
endif
VARIANT :=
ifeq ($(VARIANT),)
TAG_VARIANT:=${TAG}
else
TAG_VARIANT:=${TAG}-${VARIANT}
endif
HIGRESS_DOCKER_BUILD_TOP:=${OUT_LINUX}/docker_build
BINARIES:=./cmd/higress
$(OUT):
@mkdir -p $@
submodule:
git submodule update --init
prebuild: submodule
./script/prebuild.sh
.PHONY: build
build: prebuild $(OUT)
GOOS=$(GOOS_LOCAL) GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) script/gobuild.sh $(OUT)/ $(BINARIES)
.PHONY: build-linux
build-linux: prebuild $(OUT)
GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) script/gobuild.sh $(OUT_LINUX)/ $(BINARIES)
# Create targets for OUT_LINUX/binary
# There are two use cases here:
# * Building all docker images (generally in CI). In this case we want to build everything at once, so they share work
# * Building a single docker image (generally during dev). In this case we just want to build the single binary alone
BUILD_ALL ?= true
define build-linux
.PHONY: $(OUT_LINUX)/$(shell basename $(1))
ifeq ($(BUILD_ALL),true)
$(OUT_LINUX)/$(shell basename $(1)): build-linux
else
$(OUT_LINUX)/$(shell basename $(1)): $(OUT_LINUX)
GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) script/gobuild.sh $(OUT_LINUX)/ -tags=$(2) $(1)
endif
endef
$(foreach bin,$(BINARIES),$(eval $(call build-linux,$(bin),"")))
# Create helper targets for each binary, like "pilot-discovery"
# As an optimization, these still build everything
$(foreach bin,$(BINARIES),$(shell basename $(bin))): build
ifneq ($(OUT_LINUX),$(LOCAL_OUT))
# if we are on linux already, then this rule is handled by build-linux above, which handles BUILD_ALL variable
$(foreach bin,$(BINARIES),${LOCAL_OUT}/$(shell basename $(bin))): build
endif
.PHONY: push
# for now docker is limited to Linux compiles - why ?
include docker/docker.mk
docker-build: docker.higress ## Build and push docker images to registry defined by $HUB and $TAG
export PARENT_GIT_TAG:=$(shell git describe --tags)
export PARENT_GIT_REVISION:=$(TAG)
export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz
build-istio: prebuild
cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
external/package/envoy.tar.gz:
cd external/proxy; BUILD_WITH_CONTAINER=1 make test_release
build-gateway: prebuild external/package/envoy.tar.gz
cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
helm-push:
cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts"
helm-push-istio:
cd helm/istio; helm dependency update
cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts"
DIRS_TO_CLEAN := $(OUT)
DIRS_TO_CLEAN += $(OUT_LINUX)
clean-higress: ## Cleans all the intermediate files and folders previously generated.
rm -rf $(DIRS_TO_CLEAN)
clean-istio:
rm -rf external/istio/out
clean-gateway: clean-istio
rm -rf external/proxy/out
rm external/package/envoy.tar.gz
clean: clean-higress clean-gateway

16
Makefile.overrides.mk Normal file
View File

@@ -0,0 +1,16 @@
.DEFAULT_GOAL := default
# This repository has been enabled for BUILD_WITH_CONTAINER=1. Some
# test cases fail within Docker, and Mac + Docker isn't quite perfect.
# For more information see: https://github.com/istio/istio/pull/19322/
BUILD_WITH_CONTAINER ?= 0
CONTAINER_OPTIONS = --mount type=bind,source=/tmp,destination=/tmp --net=host
ifeq ($(BUILD_WITH_CONTAINER),1)
# create phony targets for the top-level items in the repo
PHONYS := $(shell ls | grep -v Makefile)
.PHONY: $(PHONYS)
$(PHONYS):
@$(MAKE_DOCKER) $@
endif

434
cmd/higress/bootstrap/server.go Normal file
View File

@@ -0,0 +1,434 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package bootstrap
import (
"fmt"
"net"
"net/http"
"time"
"github.com/alibaba/higress/ingress/kube/common"
prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
"google.golang.org/grpc"
"google.golang.org/grpc/reflection"
"istio.io/api/mesh/v1alpha1"
configaggregate "istio.io/istio/pilot/pkg/config/aggregate"
istiogrpc "istio.io/istio/pilot/pkg/grpc"
"istio.io/istio/pilot/pkg/model"
"istio.io/istio/pilot/pkg/server"
"istio.io/istio/pilot/pkg/serviceregistry/aggregate"
kubecontroller "istio.io/istio/pilot/pkg/serviceregistry/kube/controller"
"istio.io/istio/pilot/pkg/xds"
"istio.io/istio/pkg/config"
"istio.io/istio/pkg/config/constants"
"istio.io/istio/pkg/config/mesh"
"istio.io/istio/pkg/config/schema/collection"
"istio.io/istio/pkg/config/schema/collections"
"istio.io/istio/pkg/config/schema/gvk"
"istio.io/istio/pkg/keepalive"
kubelib "istio.io/istio/pkg/kube"
"istio.io/pkg/env"
"istio.io/pkg/ledger"
"istio.io/pkg/log"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/cache"
ingressconfig "github.com/alibaba/higress/ingress/config"
"github.com/alibaba/higress/ingress/mcp"
)
type XdsOptions struct {
// DebounceAfter is the delay added to events to wait after a registry/config event for debouncing.
// This will delay the push by at least this interval, plus the time getting subsequent events. If no change is
// detected the push will happen, otherwise we'll keep delaying until things settle.
DebounceAfter time.Duration
// DebounceMax is the maximum time to wait for events while debouncing. Defaults to 10 seconds. If events keep
// showing up with no break for this time, we'll trigger a push.
DebounceMax time.Duration
// EnableEDSDebounce indicates whether EDS pushes should be debounced.
EnableEDSDebounce bool
}
// RegistryOptions provide configuration options for the configuration controller. If FileDir is set, that directory will
// be monitored for CRD yaml files and will update the controller as those files change (This is used for testing
// purposes). Otherwise, a CRD client is created based on the configuration.
type RegistryOptions struct {
// If FileDir is set, the below kubernetes options are ignored
FileDir string
Registries []string
// Kubernetes controller options
KubeOptions kubecontroller.Options
// ClusterRegistriesNamespace specifies where the multi-cluster secret resides
ClusterRegistriesNamespace string
KubeConfig string
// DistributionTracking control
DistributionCacheRetention time.Duration
// DistributionTracking control
DistributionTrackingEnabled bool
}
type ServerArgs struct {
Debug bool
MeshId string
RegionId string
NativeIstio bool
HttpAddress string
GrpcAddress string
IngressClass string
EnableStatus bool
WatchNamespace string
GrpcKeepAliveOptions *keepalive.Options
XdsOptions XdsOptions
RegistryOptions RegistryOptions
KeepStaleWhenEmpty bool
GatewaySelectorKey string
GatewaySelectorValue string
}
type readinessProbe func() (bool, error)
type Server struct {
*ServerArgs
environment *model.Environment
kubeClient kubelib.Client
configController model.ConfigStoreCache
configStores []model.ConfigStoreCache
httpServer *http.Server
httpMux *http.ServeMux
grpcServer *grpc.Server
xdsServer *xds.DiscoveryServer
server server.Instance
readinessProbes map[string]readinessProbe
}
var (
PodNamespace = env.RegisterStringVar("POD_NAMESPACE", "higress-system", "").Get()
PodName = env.RegisterStringVar("POD_NAME", "", "").Get()
)
func NewServer(args *ServerArgs) (*Server, error) {
e := &model.Environment{
PushContext: model.NewPushContext(),
DomainSuffix: constants.DefaultKubernetesDomain,
MCPMode: true,
}
e.SetLedger(buildLedger(args.RegistryOptions))
ac := aggregate.NewController(aggregate.Options{
MeshHolder: e,
})
e.ServiceDiscovery = ac
s := &Server{
ServerArgs: args,
httpMux: http.NewServeMux(),
environment: e,
readinessProbes: make(map[string]readinessProbe),
server: server.New(),
}
s.environment.Watcher = mesh.NewFixedWatcher(&v1alpha1.MeshConfig{})
s.environment.Init()
initFuncList := []func() error{
s.initKubeClient,
s.initXdsServer,
s.initHttpServer,
s.initConfigController,
s.initRegistryEventHandlers,
}
for _, f := range initFuncList {
if err := f(); err != nil {
return nil, err
}
}
s.server.RunComponent(func(stop <-chan struct{}) error {
s.kubeClient.RunAndWait(stop)
return nil
})
s.readinessProbes["xds"] = func() (bool, error) {
return s.xdsServer.IsServerReady(), nil
}
return s, nil
}
var IngressIR = collection.NewSchemasBuilder().
MustAdd(collections.IstioExtensionsV1Alpha1Wasmplugins).
MustAdd(collections.IstioNetworkingV1Alpha3Destinationrules).
MustAdd(collections.IstioNetworkingV1Alpha3Envoyfilters).
MustAdd(collections.IstioNetworkingV1Alpha3Gateways).
MustAdd(collections.IstioNetworkingV1Alpha3Serviceentries).
MustAdd(collections.IstioNetworkingV1Alpha3Virtualservices).
Build()
// initRegistryEventHandlers sets up event handlers for config updates
func (s *Server) initRegistryEventHandlers() error {
log.Info("initializing registry event handlers")
configHandler := func(prev config.Config, curr config.Config, event model.Event) {
// For update events, trigger push only if spec has changed.
pushReq := &model.PushRequest{
Full: true,
ConfigsUpdated: map[model.ConfigKey]struct{}{{
Kind: curr.GroupVersionKind,
Name: curr.Name,
Namespace: curr.Namespace,
}: {}},
Reason: []model.TriggerReason{model.ConfigUpdate},
}
s.xdsServer.ConfigUpdate(pushReq)
}
schemas := IngressIR.All()
for _, schema := range schemas {
s.configController.RegisterEventHandler(schema.Resource().GroupVersionKind(), configHandler)
}
return nil
}
func (s *Server) initConfigController() error {
ns := PodNamespace
options := common.Options{
Enable: true,
ClusterId: string(s.RegistryOptions.KubeOptions.ClusterID),
IngressClass: s.IngressClass,
WatchNamespace: s.WatchNamespace,
EnableStatus: s.EnableStatus,
SystemNamespace: ns,
GatewaySelectorKey: s.GatewaySelectorKey,
GatewaySelectorValue: s.GatewaySelectorValue,
}
if options.ClusterId == "Kubernetes" {
options.ClusterId = ""
}
ingressConfig := ingressconfig.NewIngressConfig(s.kubeClient, s.xdsServer, ns, options.ClusterId)
ingressController := ingressConfig.AddLocalCluster(options)
s.configStores = append(s.configStores, ingressConfig)
// Wrap the config controller with a cache.
aggregateConfigController, err := configaggregate.MakeCache(s.configStores)
if err != nil {
return err
}
s.configController = aggregateConfigController
// Create the config store.
s.environment.IstioConfigStore = model.MakeIstioStore(s.configController)
s.environment.IngressStore = ingressConfig
// Defer starting the controller until after the service is created.
s.server.RunComponent(func(stop <-chan struct{}) error {
ingressConfig.InitializeCluster(ingressController, stop)
go s.configController.Run(stop)
return nil
})
return nil
}
func (s *Server) Start(stop <-chan struct{}) error {
if err := s.server.Start(stop); err != nil {
return err
}
if !s.waitForCacheSync(stop) {
return fmt.Errorf("failed to sync cache")
}
// Inform Discovery Server so that it can start accepting connections.
s.xdsServer.CachesSynced()
grpcListener, err := net.Listen("tcp", s.GrpcAddress)
if err != nil {
return err
}
go func() {
log.Infof("starting gRPC discovery service at %s", grpcListener.Addr())
if err := s.grpcServer.Serve(grpcListener); err != nil {
log.Errorf("error serving GRPC server: %v", err)
}
}()
httpListener, err := net.Listen("tcp", s.HttpAddress)
if err != nil {
return err
}
go func() {
log.Infof("starting HTTP service at %s", httpListener.Addr())
if err := s.httpServer.Serve(httpListener); err != nil {
log.Errorf("error serving http server: %v", err)
}
}()
s.waitForShutDown(stop)
return nil
}
func (s *Server) waitForShutDown(stop <-chan struct{}) {
go func() {
<-stop
stopped := make(chan struct{})
go func() {
// Some grpcServer implementations do not support GracefulStop. Unfortunately, this is not
// exposed; they just panic. To avoid this, we will recover and do a standard Stop when its not
// support.
defer func() {
if r := recover(); r != nil {
s.grpcServer.Stop()
close(stopped)
}
}()
s.grpcServer.GracefulStop()
close(stopped)
}()
timer := time.NewTimer(time.Second * 2)
select {
case <-timer.C:
s.grpcServer.Stop()
case <-stopped:
timer.Stop()
}
s.xdsServer.Shutdown()
}()
}
func (s *Server) WaitUntilCompletion() {
s.server.Wait()
}
func (s *Server) initXdsServer() error {
log.Info("init xds server")
s.xdsServer = xds.NewDiscoveryServer(s.environment, nil, PodName, PodNamespace, s.RegistryOptions.KubeOptions.ClusterAliases)
s.xdsServer.McpGenerators[gvk.WasmPlugin.String()] = &mcp.WasmpluginGenerator{Server: s.xdsServer}
s.xdsServer.McpGenerators[gvk.DestinationRule.String()] = &mcp.DestinationRuleGenerator{Server: s.xdsServer}
s.xdsServer.McpGenerators[gvk.EnvoyFilter.String()] = &mcp.EnvoyFilterGenerator{Server: s.xdsServer}
s.xdsServer.McpGenerators[gvk.Gateway.String()] = &mcp.GatewayGenerator{Server: s.xdsServer}
s.xdsServer.McpGenerators[gvk.VirtualService.String()] = &mcp.VirtualServiceGenerator{Server: s.xdsServer}
s.xdsServer.ProxyNeedsPush = func(proxy *model.Proxy, req *model.PushRequest) bool {
return true
}
s.server.RunComponent(func(stop <-chan struct{}) error {
log.Infof("Starting ADS server")
s.xdsServer.Start(stop)
return nil
})
s.initGrpcServer()
return nil
}
func (s *Server) initGrpcServer() error {
interceptors := []grpc.UnaryServerInterceptor{
// setup server prometheus monitoring (as final interceptor in chain)
prometheus.UnaryServerInterceptor,
}
grpcOptions := istiogrpc.ServerOptions(s.GrpcKeepAliveOptions, interceptors...)
s.grpcServer = grpc.NewServer(grpcOptions...)
s.xdsServer.Register(s.grpcServer)
reflection.Register(s.grpcServer)
return nil
}
func (s *Server) initKubeClient() error {
if s.kubeClient != nil {
// Already initialized by startup arguments
return nil
}
kubeRestConfig, err := kubelib.DefaultRestConfig(s.RegistryOptions.KubeConfig, "", func(config *rest.Config) {
config.QPS = s.RegistryOptions.KubeOptions.KubernetesAPIQPS
config.Burst = s.RegistryOptions.KubeOptions.KubernetesAPIBurst
})
if err != nil {
return fmt.Errorf("failed creating kube config: %v", err)
}
s.kubeClient, err = kubelib.NewClient(kubelib.NewClientConfigForRestConfig(kubeRestConfig))
if err != nil {
return fmt.Errorf("failed creating kube client: %v", err)
}
return nil
}
func (s *Server) initHttpServer() error {
s.httpServer = &http.Server{
Addr: s.HttpAddress,
Handler: s.httpMux,
IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout
ReadTimeout: 30 * time.Second,
}
s.xdsServer.AddDebugHandlers(s.httpMux, nil, true, nil)
s.httpMux.HandleFunc("/ready", s.readyHandler)
return nil
}
func (s *Server) readyHandler(w http.ResponseWriter, _ *http.Request) {
for name, fn := range s.readinessProbes {
if ready, err := fn(); !ready {
log.Warnf("%s is not ready: %v", name, err)
w.WriteHeader(http.StatusServiceUnavailable)
return
}
}
w.WriteHeader(http.StatusOK)
}
// cachesSynced checks whether caches have been synced.
func (s *Server) cachesSynced() bool {
if !s.configController.HasSynced() {
return false
}
return true
}
func (s *Server) waitForCacheSync(stop <-chan struct{}) bool {
start := time.Now()
log.Info("Waiting for caches to be synced")
if !cache.WaitForCacheSync(stop, s.cachesSynced) {
log.Errorf("Failed waiting for cache sync")
return false
}
log.Infof("All controller caches have been synced up in %v", time.Since(start))
// At this point, we know that all update events of the initial state-of-the-world have been
// received. We wait to ensure we have committed at least this many updates. This avoids a race
// condition where we are marked ready prior to updating the push context, leading to incomplete
// pushes.
expected := s.xdsServer.InboundUpdates.Load()
if !cache.WaitForCacheSync(stop, func() bool { return s.pushContextReady(expected) }) {
log.Errorf("Failed waiting for push context initialization")
return false
}
return true
}
// pushContextReady indicates whether pushcontext has processed all inbound config updates.
func (s *Server) pushContextReady(expected int64) bool {
committed := s.xdsServer.CommittedUpdates.Load()
if committed < expected {
log.Debugf("Waiting for pushcontext to process inbound updates, inbound: %v, committed : %v", expected, committed)
return false
}
return true
}
func buildLedger(ca RegistryOptions) ledger.Ledger {
var result ledger.Ledger
if ca.DistributionTrackingEnabled {
result = ledger.Make(ca.DistributionCacheRetention)
} else {
result = &model.DisabledLedger{}
}
return result
}

129
cmd/higress/main.go Normal file
View File

@@ -0,0 +1,129 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"os"
"time"
"github.com/spf13/cobra"
"istio.io/istio/pilot/pkg/features"
"istio.io/istio/pkg/cmd"
"istio.io/istio/pkg/config/constants"
"istio.io/istio/pkg/keepalive"
"istio.io/pkg/log"
"istio.io/pkg/version"
"github.com/alibaba/higress/cmd/higress/bootstrap"
)
var (
probeAddr string
enableLeaderElection bool
serverArgs *bootstrap.ServerArgs
loggingOptions = log.DefaultOptions()
rootCmd = &cobra.Command{
Use: "higress",
}
serveCmd = &cobra.Command{
Use: "serve",
Aliases: []string{"serve"},
Short: "Starts the ingress controller",
Example: "higress serve",
PreRunE: func(c *cobra.Command, args []string) error {
if err := log.Configure(loggingOptions); err != nil {
return err
}
return nil
},
RunE: func(c *cobra.Command, args []string) error {
cmd.PrintFlags(c.Flags())
log.Infof("Version %s", version.Info.String())
stop := make(chan struct{})
server, err := bootstrap.NewServer(serverArgs)
if err != nil {
return err
}
server.Start(stop)
cmd.WaitSignal(stop)
server.WaitUntilCompletion()
return nil
},
}
)
func init() {
serverArgs = &bootstrap.ServerArgs{
Debug: true,
NativeIstio: true,
HttpAddress: ":8888",
GrpcAddress: ":15051",
GrpcKeepAliveOptions: keepalive.DefaultOption(),
XdsOptions: bootstrap.XdsOptions{
DebounceAfter: features.DebounceAfter,
DebounceMax: features.DebounceMax,
EnableEDSDebounce: features.EnableEDSDebounce,
},
}
serveCmd.PersistentFlags().StringVar(&serverArgs.GatewaySelectorKey, "gatewaySelectorKey", "higress", "gateway resource selector label key")
serveCmd.PersistentFlags().StringVar(&serverArgs.GatewaySelectorValue, "gatewaySelectorValue", "higress-gateway", "gateway resource selector label value")
serveCmd.PersistentFlags().BoolVar(&serverArgs.EnableStatus, "enableStatus", false, "enable the ingress status syncer which use to update the ip in ingress's status")
serveCmd.PersistentFlags().StringVar(&serverArgs.IngressClass, "ingressClass", "", "if not empty, only watch the ingresses have the specified class, otherwise watch all ingresses")
serveCmd.PersistentFlags().StringVar(&serverArgs.WatchNamespace, "watchNamespace", "", "if not empty, only wath the ingresses in the specified namespace, otherwise watch in all namespacees")
serveCmd.PersistentFlags().BoolVar(&serverArgs.Debug, "debug", serverArgs.Debug, "if true, enables more debug http api")
serveCmd.PersistentFlags().StringVar(&serverArgs.HttpAddress, "httpAddress", serverArgs.HttpAddress, "the http address")
serveCmd.PersistentFlags().StringVar(&serverArgs.GrpcAddress, "grpcAddress", serverArgs.GrpcAddress, "the grpc address")
serveCmd.PersistentFlags().BoolVar(&serverArgs.KeepStaleWhenEmpty, "keepStaleWhenEmpty", false, "keep the stale service entry when there are no endpoints in the service")
serveCmd.PersistentFlags().StringVar(&serverArgs.RegistryOptions.ClusterRegistriesNamespace, "clusterRegistriesNamespace",
serverArgs.RegistryOptions.ClusterRegistriesNamespace, "Namespace for ConfigMap which stores clusters configs")
serveCmd.PersistentFlags().StringVar(&serverArgs.RegistryOptions.KubeConfig, "kubeconfig", "",
"Use a Kubernetes configuration file instead of in-cluster configuration")
// RegistryOptions Controller options
serveCmd.PersistentFlags().DurationVar(&serverArgs.RegistryOptions.KubeOptions.ResyncPeriod, "resync", 60*time.Second,
"Controller resync interval")
serveCmd.PersistentFlags().StringVar(&serverArgs.RegistryOptions.KubeOptions.DomainSuffix, "domain", constants.DefaultKubernetesDomain,
"DNS domain suffix")
serveCmd.PersistentFlags().StringVar((*string)(&serverArgs.RegistryOptions.KubeOptions.ClusterID), "clusterID", "Kubernetes",
"The ID of the cluster that this instance resides")
serveCmd.PersistentFlags().StringToStringVar(&serverArgs.RegistryOptions.KubeOptions.ClusterAliases, "clusterAliases", map[string]string{},
"Alias names for clusters")
serveCmd.PersistentFlags().Float32Var(&serverArgs.RegistryOptions.KubeOptions.KubernetesAPIQPS, "kubernetesApiQPS", 80.0,
"Maximum QPS when communicating with the kubernetes API")
serveCmd.PersistentFlags().IntVar(&serverArgs.RegistryOptions.KubeOptions.KubernetesAPIBurst, "kubernetesApiBurst", 160,
"Maximum burst for throttle when communicating with the kubernetes API")
loggingOptions.AttachCobraFlags(serveCmd)
serverArgs.GrpcKeepAliveOptions.AttachCobraFlags(serveCmd)
rootCmd.AddCommand(serveCmd)
}
func main() {
log.EnableKlogWithCobra()
if err := rootCmd.Execute(); err != nil {
log.Error(err)
os.Exit(-1)
}
}

17
docker/Dockerfile.higress Normal file
View File

@@ -0,0 +1,17 @@
# BASE_DISTRIBUTION is used to switch between the old base distribution and distroless base images
ARG BASE_DISTRIBUTION=debug
# Version is the base image version from the TLD Makefile
ARG BASE_VERSION=latest
ARG HUB
# The following section is used as base image if BASE_DISTRIBUTION=debug
FROM ${HUB}/base:${BASE_VERSION}
ARG TARGETARCH
COPY ${TARGETARCH:-amd64}/higress /usr/local/bin/higress
USER 1337:1337
ENTRYPOINT ["/usr/local/bin/higress"]

60
docker/docker-copy.sh Executable file
View File

@@ -0,0 +1,60 @@
#!/bin/bash
INPUTS=("${@}")
TARGET_ARCH=${TARGET_ARCH:-amd64}
DOCKER_WORKING_DIR=${INPUTS[${#INPUTS[@]}-1]}
FILES=("${INPUTS[@]:0:${#INPUTS[@]}-1}")
set -eu;
function may_copy_into_arch_named_sub_dir() {
FILE=${1}
COPY_ARCH_RELATED=${COPY_ARCH_RELATED:-1}
FILE_INFO=$(file "${FILE}" || true)
# when file is an `ELF 64-bit LSB`,
# will put an arch named sub dir
# like
# arm64/
# amd64/
if [[ ${FILE_INFO} == *"ELF 64-bit LSB"* ]]; then
chmod 755 "${FILE}"
case ${FILE_INFO} in
*x86-64*)
mkdir -p "${DOCKER_WORKING_DIR}/amd64/" && cp -rp "${FILE}" "${DOCKER_WORKING_DIR}/amd64/"
;;
*aarch64*)
mkdir -p "${DOCKER_WORKING_DIR}/arm64/" && cp -rp "${FILE}" "${DOCKER_WORKING_DIR}/arm64/"
;;
*)
cp -rp "${FILE}" "${DOCKER_WORKING_DIR}"
;;
esac
if [[ ${COPY_ARCH_RELATED} == 1 ]]; then
# if other arch files exists, should copy too.
for ARCH in "amd64" "arm64"; do
# like file `out/linux_amd64/pilot-discovery`
# should check `out/linux_arm64/pilot-discovery` exists then do copy
FILE_ARCH_RELATED=${FILE/linux_${TARGET_ARCH}/linux_${ARCH}}
if [[ ${FILE_ARCH_RELATED} != "${FILE}" && -f ${FILE_ARCH_RELATED} ]]; then
COPY_ARCH_RELATED=0 may_copy_into_arch_named_sub_dir "${FILE_ARCH_RELATED}"
fi
done
fi
else
cp -rp "${FILE}" "${DOCKER_WORKING_DIR}"
fi
}
for FILE in "${FILES[@]}"; do
may_copy_into_arch_named_sub_dir "${FILE}"
done
ls "${DOCKER_WORKING_DIR}";

17
docker/docker.mk Normal file
View File

@@ -0,0 +1,17 @@
docker.higress: BUILD_ARGS=--build-arg BASE_VERSION=${BASE_VERSION} --build-arg HUB=${HUB}
docker.higress: $(OUT_LINUX)/higress
docker.higress: docker/Dockerfile.higress
$(HIGRESS_DOCKER_RULE)
# DOCKER_BUILD_VARIANTS ?=debug distroless
# Base images have two different forms:
# * "debug", suffixed as -debug. This is a ubuntu based image with a bunch of debug tools
# * "distroless", suffixed as -distroless. This is distroless image - no shell. proxyv2 uses a custom one with iptables added
# * "default", no suffix. This is currently "debug"
DOCKER_BUILD_VARIANTS ?= default
DOCKER_ALL_VARIANTS ?= debug distroless
# If INCLUDE_UNTAGGED_DEFAULT is set, then building the "DEFAULT_DISTRIBUTION" variant will publish both <tag>-<variant> and <tag>
# This can be done with DOCKER_BUILD_VARIANTS="default debug" as well, but at the expense of building twice vs building once and tagging twice
INCLUDE_UNTAGGED_DEFAULT ?= false
DEFAULT_DISTRIBUTION=debug
HIGRESS_DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(HIGRESS_DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./docker/docker-copy.sh $^ $(HIGRESS_DOCKER_BUILD_TOP)/$@ && cd $(HIGRESS_DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . ); )

7
helm/base/Chart.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
appVersion: 1.12.0
description: Helm chart for deploying Istio cluster resources and CRDs
name: base
sources:
- http://github.com/alibaba/higress
version: 1.12.0

8499
helm/base/crds/crd-all.gen.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

48
helm/base/crds/crd-operator.yaml Normal file
View File

@@ -0,0 +1,48 @@
# SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
conversion:
strategy: None
group: install.istio.io
names:
kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
name: Status
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
name: v1alpha1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---

5
helm/base/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,5 @@
Istio base successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}

178
helm/base/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,178 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
{{- if or .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}
---

37
helm/base/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,37 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
---

4
helm/base/templates/crds.yaml Normal file
View File

@@ -0,0 +1,4 @@
{{- if .Values.base.enableCRDTemplates }}
{{ .Files.Get "crds/crd-all.gen.yaml" }}
{{ .Files.Get "crds/crd-operator.yaml" }}
{{- end }}

43
helm/base/templates/default.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if not (eq .Values.defaultRevision "") }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-default-validator
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.defaultRevision }}
webhooks:
- name: validation.istio.io
clientConfig:
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
{{- if (eq .Values.defaultRevision "default") }}
name: istiod
{{- else }}
name: istiod-{{ .Values.defaultRevision }}
{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}

30
helm/base/templates/endpoints.yaml Normal file
View File

@@ -0,0 +1,30 @@
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- end }}
---
{{- end }}

16
helm/base/templates/reader-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,16 @@
# This service account aggregates reader permissions for the revisions in a given cluster
# Should be used for remote secret creation.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}

25
helm/base/templates/role.yaml Normal file
View File

@@ -0,0 +1,25 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

21
helm/base/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,21 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}

19
helm/base/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,19 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}

37
helm/base/templates/services.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
# when istiod is enabled in remote cluster, we can't use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
clusterIP: None
{{- else }}
# when istiod isn't enabled in remote cluster, we can use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
# if the remotePilotAddress is IP addr, we use clusterIP: None.
# else, we use externalName
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
clusterIP: None
{{- else }}
type: ExternalName
externalName: {{ .Values.global.remotePilotAddress }}
{{- end }}
{{- end }}
---
{{- end }}

29
helm/base/values.yaml Normal file
View File

@@ -0,0 +1,29 @@
global:
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# Used to locate istiod.
istioNamespace: istio-system
istiod:
enableAnalysis: false
configValidation: true
externalIstiod: false
remotePilotAddress: ""
base:
# Used for helm2 to add the CRDs to templates.
enableCRDTemplates: false
# Validation webhook configuration url
# For example: https://$remotePilotAddress:15017/validate
validationURL: ""
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true
defaultRevision: "default"

12
helm/higress/Chart.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v2
appVersion: 0.5.0
description: Helm chart for deploying higress gateways
icon: https://higress.io/img/higress_logo_small.png
keywords:
- higress
- gateways
name: higress
sources:
- http://github.com/alibaba/higress
type: application
version: 0.5.0

97
helm/higress/crds/mcp-bridge.yaml Normal file
View File

@@ -0,0 +1,97 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: mcpbridges.istio.aliyun.cloud.com
spec:
group: istio.aliyun.cloud.com
names:
kind: McpBridge
listKind: McpBridgeList
plural: mcpbridges
singular: mcpbridge
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: McpBridge is the Schema for the mcpbridges API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: McpBridgeSpec defines the desired state of McpBridge
properties:
registries:
items:
properties:
consulNamespace:
type: string
domain:
type: string
nacosAccessKey:
type: string
nacosAddressServer:
type: string
nacosGroups:
items:
type: string
type: array
nacosNamespace:
type: string
nacosNamespaceId:
type: string
nacosRefreshInterval:
description: A Duration represents the elapsed time between
two instants as an int64 nanosecond count. The representation
limits the largest representable duration to approximately
290 years.
format: int64
type: integer
nacosScretKey:
type: string
name:
type: string
port:
format: int64
type: integer
type:
type: string
zkServicesPath:
items:
type: string
type: array
required:
- domain
- port
- type
type: object
type: array
type: object
status:
description: McpBridgeStatus defines the observed state of McpBridge
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

5
helm/higress/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,5 @@
Higress successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}

89
helm/higress/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,89 @@
{{- define "gateway.name" -}}
{{- .Values.gateway.name | default "higress-gateway" -}}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gateway.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "gateway.labels" -}}
helm.sh/chart: {{ include "gateway.chart" . }}
{{ include "gateway.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ include "gateway.name" . }}
{{- range $key, $val := .Values.gateway.labels }}
{{- if not (or (eq $key "app") (eq $key "higress")) }}
{{ $key | quote }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "gateway.selectorLabels" -}}
{{- if hasKey .Values.gateway.labels "app" }}
{{- with .Values.gateway.labels.app }}app: {{.|quote}}
{{- end}}
{{- else }}app: {{ include "gateway.name" . }}
{{- end }}
{{- if hasKey .Values.gateway.labels "higress" }}
{{- with .Values.gateway.labels.higress }}
higress: {{.|quote}}
{{- end}}
{{- else }}
higress: {{ .Release.Namespace }}-{{ include "gateway.name" . }}
{{- end }}
{{- end }}
{{- define "gateway.serviceAccountName" -}}
{{- if .Values.gateway.serviceAccount.create }}
{{- .Values.gateway.serviceAccount.name | default (include "gateway.name" .) }}
{{- else }}
{{- .Values.gateway.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}
{{- define "controller.name" -}}
{{- .Values.controller.name | default "higress-controller" -}}
{{- end }}
{{- define "controller.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "controller.labels" -}}
helm.sh/chart: {{ include "controller.chart" . }}
{{ include "controller.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ include "controller.name" . }}
{{- end }}
{{- define "controller.selectorLabels" -}}
{{- if hasKey .Values.controller.labels "app" }}
{{- with .Values.controller.labels.app }}app: {{.|quote}}
{{- end}}
{{- else }}app: {{ include "controller.name" . }}
{{- end }}
{{- if hasKey .Values.controller.labels "higress" }}
{{- with .Values.controller.labels.higress }}
higress: {{.|quote}}
{{- end}}
{{- else }}
higress: {{ include "controller.name" . }}
{{- end }}
{{- end }}
{{- define "controller.serviceAccountName" -}}
{{- if .Values.controller.serviceAccount.create }}
{{- .Values.controller.serviceAccount.name | default (include "controller.name" .) }}
{{- else }}
{{- .Values.controller.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}

41
helm/higress/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,41 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
accessLogEncoding: TEXT
accessLogFile: "/dev/stdout"
accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
'
dnsRefreshRate: 200s
enableAutoMtls: false
enablePrometheusMerge: false
protocolDetectionTimeout: 100ms
defaultConfig:
discoveryAddress: {{ printf "istiod.%s.svc" .Values.istioNamespace }}:15012
proxyStatsMatcher:
inclusionRegexps:
- ".*"
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
apiVersion: v1
kind: ConfigMap
metadata:
name: higress-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
data:
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---

47
helm/higress/templates/controller-clusterrole.yaml Normal file
View File

@@ -0,0 +1,47 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "controller.serviceAccountName" . }}-{{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
rules:
# ingress controller
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["istio.aliyun.cloud.com"]
resources: ["mcpbridges"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]

15
helm/higress/templates/controller-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "controller.serviceAccountName" . }}-{{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "controller.serviceAccountName" . }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}

89
helm/higress/templates/controller-deployment.yaml Normal file
View File

@@ -0,0 +1,89 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "controller.name" . }}
labels:
{{- include "controller.labels" . | nindent 4 }}
spec:
{{- if not .Values.controller.autoscaling.enabled }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "controller.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.controller.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "controller.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.controller.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "controller.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.controller.securityContext | nindent 12 }}
image: "{{ .Values.hub }}/{{ .Values.controller.image }}:{{ .Values.controller.tag | default .Chart.AppVersion }}"
args:
- "serve"
- --gatewaySelectorKey=higress
- --gatewaySelectorValue={{ .Release.Namespace }}-{{ include "gateway.name" . }}
- --enableStatus={{ .Values.enableStatus }}
{{- if .Values.ingressClass }}
- --ingressClass={{ .Values.ingressClass }}
{{- end }}
{{- if .Values.watchNamespace }}
- --watchNamespace={{ .Values.watchNamespace }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.controller.env }}
{{- range $key, $val := .Values.controller.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
ports:
{{- range $idx, $port := .Values.controller.ports }}
- name: {{ $port.name }}
containerPort: {{ $port.port }}
protocol: {{ $port.protocol }}
{{- end }}
readinessProbe:
{{- toYaml .Values.controller.probe | nindent 12 }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

12
helm/higress/templates/controller-service.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "controller.name" . }}
labels:
{{- include "controller.labels" . | nindent 4 }}
spec:
type: {{ .Values.controller.service.type }}
ports:
{{- toYaml .Values.controller.ports | nindent 4 }}
selector:
{{- include "controller.selectorLabels" . | nindent 4 }}

9
helm/higress/templates/controller-serviceaccont.yaml Normal file
View File

@@ -0,0 +1,9 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "controller.labels" . | nindent 4 }}
{{- end }}

208
helm/higress/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,208 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4}}
annotations:
{{- .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
{{- if not .Values.gateway.autoscaling.enabled }}
replicas: {{ .Values.gateway.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "gateway.selectorLabels" . | nindent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.gateway.rollingMaxSurge }}
maxUnavailable: {{ .Values.gateway.rollingMaxUnavailable }}
template:
metadata:
{{- with .Values.gateway.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
sidecar.istio.io/inject: "false"
{{- with .Values.gateway.revision }}
istio.io/rev: {{ . }}
{{- end }}
{{- include "gateway.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.gateway.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
securityContext:
{{- if .Values.gateway.securityContext }}
{{- toYaml .Values.gateway.securityContext | nindent 8 }}
{{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
{{- end }}
containers:
- name: higress-gateway
image: "{{ .Values.hub }}/{{ .Values.gateway.image }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}"
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=all:info
- --serviceCluster=higress-gateway
securityContext:
{{- if .Values.gateway.containerSecurityContext }}
{{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
{{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
{{- else }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 0
runAsGroup: 1337
runAsNonRoot: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
{{- end }}
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: PROXY_XDS_VIA_AGENT
value: "true"
- name: ENABLE_INGRESS_GATEWAY_SDS
value: "false"
- name: JWT_POLICY
value: first-party-jwt
- name: ISTIO_META_HTTP10
value: "1"
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.clusterName | default `Kubernetes` }}"
- name: INSTANCE_NAME
value: "higress-gateway"
{{- with .Values.gateway.networkGateway }}
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
value: "{{.}}"
{{- end }}
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
resources:
{{- toYaml .Values.gateway.resources | nindent 12 }}
volumeMounts:
- name: config
mountPath: /etc/istio/config
- name: istio-ca-root-cert
mountPath: /var/run/secrets/istio
- name: istio-data
mountPath: /var/lib/istio/data
- name: podinfo
mountPath: /etc/istio/pod
- name: proxy-socket
mountPath: /etc/istio/proxy
{{- with .Values.gateway.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.gateway.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.gateway.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: istio-ca-root-cert
configMap:
name: istio-ca-root-cert
- name: config
configMap:
name: higress-config
- name: istio-data
emptyDir: {}
- name: proxy-socket
emptyDir: {}
- name: podinfo
downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.labels
path: labels
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations
path: annotations
- path: cpu-request
resourceFieldRef:
containerName: higress-gateway
divisor: 1m
resource: requests.cpu
- path: cpu-limit
resourceFieldRef:
containerName: higress-gateway
divisor: 1m
resource: limits.cpu

17
helm/higress/templates/global-gateway.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: global
namespace: {{ .Release.Namespace }}
spec:
selector:
higress: {{ .Release.Namespace }}-{{ include "gateway.name" . }}
servers:
- hosts:
- "*"
port:
name: http-80
number: 80
protocol: HTTP
---

28
helm/higress/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- if .Values.gateway.autoscaling.enabled }}
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
annotations:
{{- .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "gateway.name" . }}
minReplicas: {{ .Values.gateway.autoscaling.minReplicas }}
maxReplicas: {{ .Values.gateway.autoscaling.maxReplicas }}
metrics:
{{- if .Values.gateway.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
averageUtilization: {{ .Values.gateway.autoscaling.targetCPUUtilizationPercentage }}
type: Utilization
{{- end }}
{{- end }}

25
helm/higress/templates/role.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
{{- if .Values.gateway.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gateway.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gateway.serviceAccountName" . }}
{{- end }}

45
helm/higress/templates/service.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if not (eq .Values.gateway.service.type "None") }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gateway.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.gateway.networkGateway }}
topology.istio.io/network: "{{.}}"
{{- end }}
annotations:
{{- merge (deepCopy .Values.gateway.service.annotations) .Values.gateway.annotations | toYaml | nindent 4 }}
spec:
{{- with .Values.gateway.service.loadBalancerIP }}
loadBalancerIP: "{{ . }}"
{{- end }}
{{- with .Values.gateway.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.gateway.service.externalTrafficPolicy }}
externalTrafficPolicy: "{{ . }}"
{{- end }}
type: {{ .Values.gateway.service.type }}
ports:
{{- if .Values.gateway.networkGateway }}
- name: status-port
port: 15021
targetPort: 15021
- name: tls
port: 15443
targetPort: 15443
- name: tls-istiod
port: 15012
targetPort: 15012
- name: tls-webhook
port: 15017
targetPort: 15017
{{- else }}
{{ .Values.gateway.service.ports | toYaml | indent 4 }}
{{- end }}
selector:
{{- include "gateway.selectorLabels" . | nindent 4 }}
{{- end }}

13
helm/higress/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- if .Values.gateway.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gateway.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
{{- with .Values.gateway.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

183
helm/higress/values.yaml Normal file
View File

@@ -0,0 +1,183 @@
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
ingressClass: ""
watchNamespace: ""
enableStatus: false
clusterName: ""
istioNamespace: "istio-system"
meshConfig: {}
gateway:
name: "higress-gateway"
replicaCount: 2
image: gateway
tag: ""
# revision declares which revision this gateway is a part of
revision: ""
rbac:
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
# when using http://gateway-api.org/.
enabled: true
serviceAccount:
# If set, a service account will be created. Otherwise, the default is used
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set, the release name is used
name: ""
# Pod environment variables
env: {}
# Labels to apply to all resources
labels: {}
# Annotations to apply to all resources
annotations: {}
podAnnotations:
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
inject.istio.io/templates: "gateway"
sidecar.istio.io/inject: "true"
# Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: ~
containerSecurityContext: ~
service:
# Type of service. Set to "None" to disable the service entirely
type: LoadBalancer
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
annotations: {}
loadBalancerIP: ""
loadBalancerSourceRanges: []
externalTrafficPolicy: ""
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
resources:
requests:
cpu: 2000m
memory: 2048Mi
limits:
cpu: 2000m
memory: 2048Mi
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
# If specified, the gateway will act as a network gateway for the given network.
networkGateway: ""
controller:
name: "higress-controller"
replicaCount: 1
image: higress
tag: ""
env: {}
replicaCount: 1
labels: {}
probe: {
httpGet: {
path: /ready,
port: 8888,
},
initialDelaySeconds: 1,
periodSeconds: 3,
timeoutSeconds: 5
}
imagePullSecrets: []
rbac:
create: true
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
ports: [
{
"name": "http",
"protocol": "TCP",
"port": 8888,
"targetPort": 8888,
},
{
"name": "grpc",
"protocol": "TCP",
"port": 15051,
"targetPort": 15051,
}
]
service:
type: ClusterIP
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources:
requests:
cpu: 500m
memory: 2048Mi
limits:
cpu: 1000m
memory: 2048Mi
nodeSelector: {}
tolerations: []
affinity: {}
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80

9
helm/istio/Chart.lock Normal file
View File

@@ -0,0 +1,9 @@
dependencies:
- name: base
repository: file://../base
version: 1.12.0
- name: istiod
repository: file://../istiod
version: 1.12.0
digest: sha256:12dd680ac6eee11750941f56aab434cc35c5df09ac784a5ef8f5b84e0984f8c7
generated: "2022-10-31T14:49:23.29643+08:00"

15
helm/istio/Chart.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: v2
appVersion: 1.12.0
description: Helm chart for deploying higress istio
name: istio
sources:
- http://github.com/alibaba/higress
dependencies:
- name: base
repository: "file://../base"
version: 1.12.0
- name: istiod
repository: "file://../istiod"
version: 1.12.0
type: application
version: 1.12.0

7
helm/istiod/Chart.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
appVersion: 1.12.0
description: Helm chart for istio control plane
name: istiod
sources:
- http://github.com/alibaba/higress
version: 1.12.0

21
helm/istiod/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,21 @@
"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}
Next steps:
* Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
* Try out our tasks to get started on common configurations:
* https://istio.io/latest/docs/tasks/traffic-management
* https://istio.io/latest/docs/tasks/security/
* https://istio.io/latest/docs/tasks/policy-enforcement/
* https://istio.io/latest/docs/tasks/policy-enforcement/
* Review the list of actively supported releases, CVE publications and our hardening guide:
* https://istio.io/latest/docs/releases/supported-releases/
* https://istio.io/latest/news/security/
* https://istio.io/latest/docs/ops/best-practices/security/
For further documentation see https://istio.io website
Tell us how your install/upgrade experience went at https://forms.gle/FegQbc9UvePd4Z9z7

26
helm/istiod/templates/autoscale.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
maxReplicas: {{ .Values.pilot.autoscaleMax }}
minReplicas: {{ .Values.pilot.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
---
{{- end }}

134
helm/istiod/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,134 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update", "patch"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: [ "get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
- apiGroups: ["apps"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "deployments" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "services" ]
{{- end }}

33
helm/istiod/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
{{- end }}

14
helm/istiod/templates/configmap-jwks.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if .Values.pilot.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
data:
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
{{- end }}

107
helm/istiod/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,107 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
configSources:
- address: k8s://
- address: {{ .Values.higress.xds }}
defaultConfig:
{{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }}
{{- end }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
{{- if $.Values.global.tracer.stackdriver.debug }}
debug: {{ $.Values.global.tracer.stackdriver.debug }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- else }}
{}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- end }}
{{- else }}
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
{{- end }}
proxyStatsMatcher:
inclusionRegexps:
- ".*"
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
{{- if .Values.pilot.configMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---
{{- end }}

224
helm/istiod/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,224 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
istio: pilot
release: {{ .Release.Name }}
{{- range $key, $val := .Values.pilot.deploymentLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
spec:
{{- if not .Values.pilot.autoscaleEnabled }}
{{- if .Values.pilot.replicaCount }}
replicas: {{ .Values.pilot.replicaCount }}
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision "" }}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
{{- else }}
istio: pilot
{{- end }}
template:
metadata:
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
{{- if ne .Values.revision "" }}
istio: istiod
{{- else }}
istio: pilot
{{- end }}
{{- range $key, $val := .Values.pilot.podLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if .Values.pilot.podAnnotations }}
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.pilot.nodeSelector }}
nodeSelector:
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
{{- end }}
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
securityContext:
fsGroup: 1337
containers:
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
{{- else }}
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.oneNamespace }}
- "-a"
- {{ .Release.Namespace }}
{{- end }}
{{- if .Values.pilot.plugins }}
- --plugins={{ .Values.pilot.plugins }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
{{- if .Values.pilot.env }}
{{- range $key, $val := .Values.pilot.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.pilot.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.pilot.traceSampling }}"
{{- end }}
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
- name: ISTIOD_ADDR
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
resources:
{{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: istio
mountPath: /etc/istio/config
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
volumes:
- name: istio
configMap:
name: istio
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
{{- end }}
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
---

67
helm/istiod/templates/istiod-injector-configmap.yaml Normal file
View File

@@ -0,0 +1,67 @@
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
values: |-
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
defaultTemplates:
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- {{ . }}
{{- end }}
{{- else }}
defaultTemplates: [sidecar]
{{- end }}
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": "{{ $val }}"
{{- end }}
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
This should make it obvious that their installation is broken.
*/}}
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
templates:
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
grpc-simple: |
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}
{{- end }}

144
helm/istiod/templates/mutatingwebhook.yaml Normal file
View File

@@ -0,0 +1,144 @@
{{- /* Core defines the common configuration used by all webhook segments */}}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "{{ .Values.istiodRemote.injectionPath }}"
port: 443
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- else }}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ .Release.Name }}
webhooks:
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

25
helm/istiod/templates/poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
istio: pilot
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
istio: pilot
{{- end }}
---
{{- end }}

54
helm/istiod/templates/reader-clusterrole.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}

15
helm/istiod/templates/reader-clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}

130
helm/istiod/templates/revision-tags.yaml Normal file
View File

@@ -0,0 +1,130 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
{{- define "core" }}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "{{ .Values.istiodRemote.injectionPath }}"
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

20
helm/istiod/templates/role.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

16
helm/istiod/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}

41
helm/istiod/templates/service.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
{{- if .Values.pilot.serviceAnnotations }}
annotations:
{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: {{ .Release.Name }}
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
{{- end }}
---

15
helm/istiod/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
---

601
helm/istiod/templates/telemetryv2_1.10.yaml Normal file
View File

@@ -0,0 +1,601 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

601
helm/istiod/templates/telemetryv2_1.11.yaml Normal file
View File

@@ -0,0 +1,601 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

601
helm/istiod/templates/telemetryv2_1.12.yaml Normal file
View File

@@ -0,0 +1,601 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

56
helm/istiod/templates/validatingwebhookconfiguration.yaml Normal file
View File

@@ -0,0 +1,56 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
---
{{- end }}

545
helm/istiod/values.yaml Normal file
View File

@@ -0,0 +1,545 @@
higress:
xds: "xds://higress-controller.higress-system:15051"
#.Values.pilot for discovery and mesh wide config
## Discovery Settings
pilot:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
tag: 1.12
# Can be a full hub/image:tag
image: pilot
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env:
PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "true"
PILOT_ENABLE_METADATA_EXCHANGE: "false"
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: "false"
VALIDATION_ENABLED: "false"
HIGRESS_CONTROLLER_SVC: "higress-controller.higress-system"
HIGRESS_CONTROLLER_PORT: "15051"
cpu:
targetAverageUtilization: 80
# if protocol sniffing is enabled for outbound
enableProtocolSniffingForOutbound: true
# if protocol sniffing is enabled for inbound
enableProtocolSniffingForInbound: true
nodeSelector: {}
podAnnotations: {}
serviceAnnotations: {}
# You can use jwksResolverExtraRootCA to provide a root certificate
# in PEM format. This will then be trusted by pilot when resolving
# JWKS URIs.
jwksResolverExtraRootCA: ""
# This is used to set the source of configuration for
# the associated address in configSource, if nothing is specificed
# the default MCP is assumed.
configSource:
subscribedResources: []
plugins: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# Additional labels to apply to the deployment.
deploymentLabels: {}
## Mesh config settings
# Install the mesh config map, generated from values.yaml.
# If false, pilot wil use default values (by default) or user-supplied values.
configMap: true
# Additional labels to apply on the pod level for monitoring and logging configuration.
podLabels: {}
sidecarInjectorWebhook:
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# This enables injection of sidecar in all namespaces,
# with the exception of namespaces with "istio-injection:disabled" annotation
# Only one environment should have this enabled.
enableNamespacesByDefault: false
# Enable objectSelector to filter out pods with no need for sidecar before calling istiod.
# It is enabled by default as the minimum supported Kubernetes version is 1.15+
objectSelector:
enabled: true
autoInject: true
rewriteAppHTTPProbe: true
# Templates defines a set of custom injection templates that can be used. For example, defining:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
# being injected with the hello=world labels.
# This is intended for advanced configuration only; most users should use the built in template
templates: {}
# Default templates specifies a set of default templates that are used in sidecar injection.
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# the default templates list.
# For example:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# defaultTemplates: ["sidecar", "hello"]
defaultTemplates: []
istiodRemote:
# Sidecar injector mutating webhook configuration clientConfig.url value.
# For example: https://$remotePilotAddress:15017/inject
# The host should not refer to a service running in the cluster; use a service reference by specifying
# the clientConfig.service field instead.
injectionURL: ""
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
injectionPath: "/inject"
telemetry:
enabled: true
v2:
# For Null VM case now.
# This also enables metadata exchange.
enabled: true
metadataExchange:
# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
wasmEnabled: false
# Indicate if prometheus stats filter is enabled or not
prometheus:
enabled: true
# Indicates whether to enable WebAssembly runtime for stats filter.
wasmEnabled: false
# overrides stats EnvoyFilter configuration.
configOverride:
gateway: {}
inboundSidecar: {}
outboundSidecar: {}
# stackdriver filter settings.
stackdriver:
enabled: false
logging: false
monitoring: false
topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
# e.g.
# disable_server_access_logging: false
# disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy:
enabled: false
# To reduce the number of successful logs, default log window duration is
# set to 12 hours.
logWindowDuration: "43200s"
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility.
ownerName: ""
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
meshConfig:
enablePrometheusMerge: true
# Config for the default ProxyConfig.
# Initially using directly the proxy metadata - can also be activated using annotations
# on the pod. This is an unsupported low-level API, pending review and decisions on
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
# and gradual adoption by setting capture only on specific workloads. It also allows
# VMs to use other DNS options, like dnsmasq or unbound.
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace:
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term
# stable API.
# What we may configure in mesh config is the ".global" - and use of other suffixes.
# No hurry to do this in 1.6, we're trying to prove the code.
global:
# Used to locate istiod.
istioNamespace: istio-system
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
# Default tag for Istio images.
tag: 1.12
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# Enabled by default in master for maximising testing.
istiod:
enableAnalysis: false
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
omitSidecarInjectorConfigMap: false
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Configure whether Operator manages webhook configurations. The current behavior
# of Istiod is to manage its own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
#podDNSSearchNamespaces:
#- global
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# istio ingress capture allowlist
# examples:
# Redirect only selected ports: --includeInboundPorts="80,8080"
excludeInboundPorts: ""
includeInboundPorts: "*"
# istio egress capture allowlist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
includeOutboundPorts: ""
excludeOutboundPorts: ""
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 30
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 1
# The period between readiness probes.
readinessPeriodSeconds: 2
# Resources for the sidecar.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
statusPort: 15020
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "zipkin"
# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
holdApplicationUntilProxyStarts: false
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxyv2
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 10m
memory: 10Mi
# configure remote pilot and istiod service and endpoint
remotePilotAddress: ""
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
# If not set explicitly, default to the Istio discovery address.
caAddress: ""
# Configure a remote cluster data plane controlled by an external istiod.
# When set to true, istiod is not deployed locally and only a subset of the other
# discovery charts are enabled.
externalIstiod: false
# Configure a remote cluster as the config cluster for an external istiod.
configCluster: false
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "first-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Configure the mesh networks to be used by the Split Horizon EDS.
#
# The following example defines two networks with different endpoints association methods.
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
# mapped to network1. The gateway for this network example is specified by its public IP
# address and port.
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
# endpoints:
# - fromCidr: "192.168.0.1/24"
# gateways:
# - address: 1.1.1.1
# port: 80
# network2:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: true
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Configuration for each of the supported tracers
tracer:
# Configuration for envoy to send trace data to LightStep.
# Disabled by default.
# address: the <host>:<port> of the satellite pool
# accessToken: required for sending data to the pool
#
datadog:
# Host:Port for submitting traces to the Datadog agent.
address: "$(HOST_IP):8126"
lightstep:
address: "" # example: lightstep-satellite:443
accessToken: "" # example: abcdefg1234567
stackdriver:
# enables trace output to stdout.
debug: false
# The global default max number of message events per span.
maxNumberOfMessageEvents: 200
# The global default max number of annotation events per span.
maxNumberOfAnnotations: 200
# The global default max number of attributes per span.
maxNumberOfAttributes: 200
zipkin:
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
# zipkin service (port 9411) in the same namespace as the other istio components.
address: ""
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false
# The name of the CA for workload certificates.
# For example, when caName=GkeWorkloadCertificate, GKE workload certificates
# will be used as the certificates for workloads.
# The default value is "" and when caName="", the CA will be configured by other
# mechanisms (e.g., environmental variable CA_PROVIDER).
caName: ""
base:
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true

62
script/gobuild.sh Executable file
View File

@@ -0,0 +1,62 @@
#!/bin/bash
export GOPROXY="https://proxy.golang.com.cn,direct"
VERBOSE=${VERBOSE:-"0"}
V=""
if [[ "${VERBOSE}" == "1" ]];then
V="-x"
set -x
fi
SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
OUT=${1:?"output path"}
shift
set -e
BUILD_GOOS=${GOOS:-linux}
BUILD_GOARCH=${GOARCH:-amd64}
GOBINARY=${GOBINARY:-go}
GOPKG="$GOPATH/pkg"
BUILDINFO=${BUILDINFO:-""}
STATIC=${STATIC:-1}
LDFLAGS=${LDFLAGS:--extldflags -static}
GOBUILDFLAGS=${GOBUILDFLAGS:-""}
# Split GOBUILDFLAGS by spaces into an array called GOBUILDFLAGS_ARRAY.
IFS=' ' read -r -a GOBUILDFLAGS_ARRAY <<< "$GOBUILDFLAGS"
GCFLAGS=${GCFLAGS:-}
export CGO_ENABLED=${CGO_ENABLED:-0}
if [[ "${STATIC}" != "1" ]];then
LDFLAGS=""
fi
# BUILD LD_EXTRAFLAGS
LD_EXTRAFLAGS=""
# gather buildinfo if not already provided
# For a release build BUILDINFO should be produced
# at the beginning of the build and used throughout
if [[ -z ${BUILDINFO} ]];then
BUILDINFO=$(mktemp)
"${SCRIPTPATH}/report_build_info.sh" > "${BUILDINFO}"
fi
while read -r line; do
LD_EXTRAFLAGS="${LD_EXTRAFLAGS} -X ${line}"
done < "${BUILDINFO}"
OPTIMIZATION_FLAGS=(-trimpath)
if [ "${DEBUG}" == "1" ]; then
OPTIMIZATION_FLAGS=()
fi
time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \
${V} "${GOBUILDFLAGS_ARRAY[@]}" ${GCFLAGS:+-gcflags "${GCFLAGS}"} \
-o "${OUT}" \
"${OPTIMIZATION_FLAGS[@]}" \
-pkgdir="${GOPKG}/${BUILD_GOOS}_${BUILD_GOARCH}" \
-ldflags "${LDFLAGS} ${LD_EXTRAFLAGS}" "${@}"

46
script/prebuild.sh Executable file
View File

@@ -0,0 +1,46 @@
#!/bin/bash
set -e
ENVOY_VERSION="${ENVOY_VERSION:=1.20}"
ISITO_VERSION="${ISTIO_VERSION:=1.12}"
WORK_DIR=`cd $(dirname "$0")/..;pwd`
cd $WORK_DIR
mkdir -p external/package
envoy_repos=("go-control-plane" "envoy")
for repo in ${envoy_repos[@]}; do
if [ -e external/$repo ];then
continue
fi
cp -r envoy/${ENVOY_VERSION}/$repo external/$repo
for patch in `ls -f envoy/${ENVOY_VERSION}/patches/$repo/*.patch`; do
patch -d external/$repo -p1 < $patch
done
cd external/$repo
echo "gitdir: /parent/.git/modules/envoy/${ENVOY_VERSION}/$repo" > .git
if [ -f "go.mod" ]; then
go mod tidy
fi
cd $WORK_DIR
done
istio_repos=("api" "client-go" "pkg" "istio" "proxy")
for repo in ${istio_repos[@]}; do
if [ -e external/$repo ];then
continue
fi
cp -r istio/${ISTIO_VERSION}/$repo external/$repo
for patch in `ls -f istio/${ISTIO_VERSION}/patches/$repo/*.patch`; do
patch -d external/$repo -p1 < $patch
done
cd external/$repo
echo "gitdir: /parent/.git/modules/istio/${ISTIO_VERSION}/$repo" > .git
if [ -f "go.mod" ]; then
go mod tidy
fi
cd $WORK_DIR
done

25
script/report_build_info.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
if BUILD_GIT_REVISION=$(git rev-parse HEAD 2> /dev/null); then
if [[ -z "${IGNORE_DIRTY_TREE}" ]] && [[ -n "$(git status --porcelain 2>/dev/null)" ]]; then
BUILD_GIT_REVISION=${BUILD_GIT_REVISION}"-dirty"
fi
else
BUILD_GIT_REVISION=unknown
fi
# Check for local changes
tree_status="Clean"
if [[ -z "${IGNORE_DIRTY_TREE}" ]] && ! git diff-index --quiet HEAD --; then
tree_status="Modified"
fi
GIT_DESCRIBE_TAG=$(git describe --tags)
HUB=${HUB:-"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"}
# used by common/scripts/gobuild.sh
echo "istio.io/pkg/version.buildVersion=${VERSION:-$BUILD_GIT_REVISION}"
echo "istio.io/pkg/version.buildGitRevision=${BUILD_GIT_REVISION}"
echo "istio.io/pkg/version.buildStatus=${tree_status}"
echo "istio.io/pkg/version.buildTag=${GIT_DESCRIBE_TAG}"
echo "istio.io/pkg/version.buildHub=${HUB}"

44
script/run.sh Executable file
View File

@@ -0,0 +1,44 @@
#!/bin/bash
set -e
WD=$(dirname "$0")
WD=$(cd "$WD"; pwd)
# shellcheck disable=SC1090
source "${WD}/setup_env.sh"
# Override variables with container specific
export TARGET_OUT=${CONTAINER_TARGET_OUT}
export TARGET_OUT_LINUX=${CONTAINER_TARGET_OUT_LINUX}
export REPO_ROOT=/work
HUB="${HUB:-higress-registry.cn-hangzhou.cr.aliyuncs.com/higress}"
MOUNT_SOURCE="${MOUNT_SOURCE:-${PWD}}"
MOUNT_DEST="${MOUNT_DEST:-/work}"
read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
[[ -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it")
# $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the
# following command only
# shellcheck disable=SC2086
"${CONTAINER_CLI}" run \
--rm \
"${DOCKER_RUN_OPTIONS[@]}" \
--init \
--sig-proxy=true \
${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
$CONTAINER_OPTIONS \
--env-file <(env | grep -v ${ENV_BLOCKLIST}) \
-e IN_BUILD_CONTAINER=1 \
-e TZ="${TIMEZONE:-$TZ}" \
-e HUB="${HUB}" \
--mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \
--mount "type=volume,source=go,destination=/go" \
--mount "type=volume,source=gocache,destination=/gocache" \
--mount "type=volume,source=cache,destination=/home/.cache" \
${CONDITIONAL_HOST_MOUNTS} \
-w "${MOUNT_DEST}" "${IMG}" "$@"

162
script/setup_env.sh Executable file
View File

@@ -0,0 +1,162 @@
#!/bin/bash
set -e
LOCAL_ARCH=$(uname -m)
export LOCAL_ARCH
# Pass environment set target architecture to build system
if [[ ${TARGET_ARCH} ]]; then
export TARGET_ARCH
elif [[ ${LOCAL_ARCH} == x86_64 ]]; then
export TARGET_ARCH=amd64
elif [[ ${LOCAL_ARCH} == armv8* ]]; then
export TARGET_ARCH=arm64
elif [[ ${LOCAL_ARCH} == arm64* ]]; then
export TARGET_ARCH=arm64
elif [[ ${LOCAL_ARCH} == aarch64* ]]; then
export TARGET_ARCH=arm64
elif [[ ${LOCAL_ARCH} == armv* ]]; then
export TARGET_ARCH=arm
elif [[ ${LOCAL_ARCH} == s390x ]]; then
export TARGET_ARCH=s390x
elif [[ ${LOCAL_ARCH} == ppc64le ]]; then
export TARGET_ARCH=ppc64le
else
echo "This system's architecture, ${LOCAL_ARCH}, isn't supported"
exit 1
fi
LOCAL_OS=$(uname)
export LOCAL_OS
# Pass environment set target operating-system to build system
if [[ ${TARGET_OS} ]]; then
export TARGET_OS
elif [[ $LOCAL_OS == Linux ]]; then
export TARGET_OS=linux
readlink_flags="-f"
elif [[ $LOCAL_OS == Darwin ]]; then
export TARGET_OS=darwin
readlink_flags=""
else
echo "This system's OS, $LOCAL_OS, isn't supported"
exit 1
fi
# Build image to use
if [[ "${IMAGE_VERSION:-}" == "" ]]; then
export IMAGE_VERSION=34b06c08ee613a15e08c5888ac269ad22f23d23e
fi
if [[ "${IMAGE_NAME:-}" == "" ]]; then
export IMAGE_NAME=build-tools
fi
export UID
DOCKER_GID="${DOCKER_GID:-$(grep '^docker:' /etc/group | cut -f3 -d:)}"
export DOCKER_GID
TIMEZONE=$(readlink "$readlink_flags" /etc/localtime | sed -e 's/^.*zoneinfo\///')
export TIMEZONE
export TARGET_OUT="${TARGET_OUT:-$(pwd)/out/${TARGET_OS}_${TARGET_ARCH}}"
export TARGET_OUT_LINUX="${TARGET_OUT_LINUX:-$(pwd)/out/linux_${TARGET_ARCH}}"
export CONTAINER_TARGET_OUT="${CONTAINER_TARGET_OUT:-/work/out/${TARGET_OS}_${TARGET_ARCH}}"
export CONTAINER_TARGET_OUT_LINUX="${CONTAINER_TARGET_OUT_LINUX:-/work/out/linux_${TARGET_ARCH}}"
export IMG="${IMG:-${HUB:-higress-registry.cn-hangzhou.cr.aliyuncs.com/higress}/${IMAGE_NAME}:${IMAGE_VERSION}}"
export CONTAINER_CLI="${CONTAINER_CLI:-docker}"
export ENV_BLOCKLIST="${ENV_BLOCKLIST:-^_\|PATH\|SHELL\|EDITOR\|TMUX\|USER\|HOME\|PWD\|TERM\|GO\|rvm\|SSH\|TMPDIR\|CC\|CXX\|MAKEFILE_LIST}"
# Remove functions from the list of exported variables, they mess up with the `env` command.
for f in $(declare -F -x | cut -d ' ' -f 3);
do
unset -f "${f}"
done
# Set conditional host mounts
export CONDITIONAL_HOST_MOUNTS=${CONDITIONAL_HOST_MOUNTS:-}
container_kubeconfig=''
# docker conditional host mount (needed for make docker push)
if [[ -d "${HOME}/.docker" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.docker,destination=/config/.docker,readonly "
fi
# gcloud conditional host mount (needed for docker push with the gcloud auth configure-docker)
if [[ -d "${HOME}/.config/gcloud" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.config/gcloud,destination=/config/.config/gcloud,readonly "
fi
# gitconfig conditional host mount (needed for git commands inside container)
if [[ -f "${HOME}/.gitconfig" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.gitconfig,destination=/home/.gitconfig,readonly "
fi
# .netrc conditional host mount (needed for git commands inside container)
if [[ -f "${HOME}/.netrc" ]]; then
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${HOME}/.netrc,destination=/home/.netrc,readonly "
fi
# echo ${CONDITIONAL_HOST_MOUNTS}
# This function checks if the file exists. If it does, it creates a randomly named host location
# for the file, adds it to the host KUBECONFIG, and creates a mount for it.
add_KUBECONFIG_if_exists () {
if [[ -f "$1" ]]; then
kubeconfig_random="$(od -vAn -N4 -tx /dev/random | tr -d '[:space:]' | cut -c1-8)"
container_kubeconfig+="/config/${kubeconfig_random}:"
CONDITIONAL_HOST_MOUNTS+="--mount type=bind,source=${1},destination=/config/${kubeconfig_random},readonly "
fi
}
# This function is designed for maximum compatibility with various platforms. This runs on
# any Mac or Linux platform with bash 4.2+. Please take care not to modify this function
# without testing properly.
#
# This function will properly handle any type of path including those with spaces using the
# loading pattern specified by *kubectl config*.
#
# testcase: "a:b c:d"
# testcase: "a b:c d:e f"
# testcase: "a b:c:d e"
parse_KUBECONFIG () {
TMPDIR=""
if [[ "$1" =~ ([^:]*):(.*) ]]; then
while true; do
rematch=${BASH_REMATCH[1]}
add_KUBECONFIG_if_exists "$rematch"
remainder="${BASH_REMATCH[2]}"
if [[ ! "$remainder" =~ ([^:]*):(.*) ]]; then
if [[ -n "$remainder" ]]; then
add_KUBECONFIG_if_exists "$remainder"
break
fi
fi
done
else
add_KUBECONFIG_if_exists "$1"
fi
}
KUBECONFIG=${KUBECONFIG:="$HOME/.kube/config"}
parse_KUBECONFIG "${KUBECONFIG}"
if [[ "${BUILD_WITH_CONTAINER:-1}" -eq "1" ]]; then
export KUBECONFIG="${container_kubeconfig%?}"
fi
# Avoid recursive calls to make from attempting to start an additional container
export BUILD_WITH_CONTAINER=0
# For non container build, we need to write env to file
if [[ "${1}" == "envfile" ]]; then
echo "TARGET_OUT_LINUX=${TARGET_OUT_LINUX}"
echo "TARGET_OUT=${TARGET_OUT}"
echo "TIMEZONE=${TIMEZONE}"
echo "LOCAL_OS=${LOCAL_OS}"
echo "TARGET_OS=${TARGET_OS}"
echo "LOCAL_ARCH=${LOCAL_ARCH}"
echo "TARGET_ARCH=${TARGET_ARCH}"
echo "BUILD_WITH_CONTAINER=0"
fi