jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-02-26 05:30:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: jiazhizhong:v0.6.1
Branches Tags
jiazhizhong:main jiazhizhong:add-release-notes jiazhizhong:release-2.1.x jiazhizhong:release-2.2.0 jiazhizhong:feat/claude-code-mode jiazhizhong:update-helm-readme-zh jiazhizhong:sync-crds jiazhizhong:cr7258-patch-1 jiazhizhong:rust_wasm_build jiazhizhong:release-1.x
jiazhizhong:v2.1.11 jiazhizhong:v2.2.0 jiazhizhong:v2.1.10 jiazhizhong:v2.1.9 jiazhizhong:v2.1.9-rc.1 jiazhizhong:v2.1.8 jiazhizhong:v2.1.7 jiazhizhong:v2.1.6 jiazhizhong:v2.1.5 jiazhizhong:v2.1.5-rc.1 jiazhizhong:v2.1.4 jiazhizhong:v2.1.3 jiazhizhong:v2.1.2 jiazhizhong:v2.1.2-rc.1 jiazhizhong:wasm-go-ai-proxy-v1.0.0 jiazhizhong:v2.1.1 jiazhizhong:v2.1.1-rc.1 jiazhizhong:v2.1.0 jiazhizhong:v2.1.0-rc.2 jiazhizhong:v2.1.0-rc.1 jiazhizhong:v2.0.7 jiazhizhong:plugins/wasm-go/v1.4.3 jiazhizhong:v2.0.6 jiazhizhong:v2.0.6-rc.3 jiazhizhong:v2.0.5 jiazhizhong:v2.0.6-rc.2 jiazhizhong:v2.0.6-rc.1 jiazhizhong:v2.0.4 jiazhizhong:wasm-go-ai-security-guard-v1.0.0 jiazhizhong:v2.0.3 jiazhizhong:v2.0.2 jiazhizhong:v2.0.1 jiazhizhong:v2.0.0 jiazhizhong:v2.0.0-rc.1 jiazhizhong:latest jiazhizhong:wasm-go-ext-auth-v1.0.0 jiazhizhong:v1.4.2 jiazhizhong:plugins/wasm-go/v1.4.2 jiazhizhong:wasm-go-cluster-key-rate-limit-v1.0.0 jiazhizhong:wasm-go-custom-response-v1.0.0 jiazhizhong:v1.4.1 jiazhizhong:plugins/wasm-go/v1.4.0 jiazhizhong:v1.4.0 jiazhizhong:v1.4.0-rc.1 jiazhizhong:v1.3.6 jiazhizhong:v1.3.5 jiazhizhong:plugins/wasm-go/v1.3.5 jiazhizhong:v1.3.4 jiazhizhong:v1.3.4-rc.2 jiazhizhong:v1.3.4-rc.1 jiazhizhong:v1.3.3 jiazhizhong:v1.3.2 jiazhizhong:plugins/wasm-go/v1.3.2 jiazhizhong:plugins/wasm-go/v1.3.1 jiazhizhong:v1.3.1 jiazhizhong:v1.3.0 jiazhizhong:v1.2.0 jiazhizhong:v1.1.2 jiazhizhong:v1.1.1 jiazhizhong:v1.1.0 jiazhizhong:v1.0.1 jiazhizhong:v1.0.0 jiazhizhong:v1.0.0-rc.4 jiazhizhong:v0.7.4 jiazhizhong:v0.7.3 jiazhizhong:v1.0.0-rc.3 jiazhizhong:v1.0.0-rc.2 jiazhizhong:v1.0.0-rc jiazhizhong:v0.7.2 jiazhizhong:v0.7.1 jiazhizhong:v0.7.0 jiazhizhong:v0.6.2 jiazhizhong:v0.6.1 jiazhizhong:v0.6.0 jiazhizhong:v0.5.3 jiazhizhong:v0.5.2 jiazhizhong:v0.5.1 jiazhizhong:v0.5.0
...
compare: jiazhizhong:v0.7.0
Branches Tags
jiazhizhong:main jiazhizhong:add-release-notes jiazhizhong:release-2.1.x jiazhizhong:release-2.2.0 jiazhizhong:feat/claude-code-mode jiazhizhong:update-helm-readme-zh jiazhizhong:sync-crds jiazhizhong:cr7258-patch-1 jiazhizhong:rust_wasm_build jiazhizhong:release-1.x
jiazhizhong:v2.1.11 jiazhizhong:v2.2.0 jiazhizhong:v2.1.10 jiazhizhong:v2.1.9 jiazhizhong:v2.1.9-rc.1 jiazhizhong:v2.1.8 jiazhizhong:v2.1.7 jiazhizhong:v2.1.6 jiazhizhong:v2.1.5 jiazhizhong:v2.1.5-rc.1 jiazhizhong:v2.1.4 jiazhizhong:v2.1.3 jiazhizhong:v2.1.2 jiazhizhong:v2.1.2-rc.1 jiazhizhong:wasm-go-ai-proxy-v1.0.0 jiazhizhong:v2.1.1 jiazhizhong:v2.1.1-rc.1 jiazhizhong:v2.1.0 jiazhizhong:v2.1.0-rc.2 jiazhizhong:v2.1.0-rc.1 jiazhizhong:v2.0.7 jiazhizhong:plugins/wasm-go/v1.4.3 jiazhizhong:v2.0.6 jiazhizhong:v2.0.6-rc.3 jiazhizhong:v2.0.5 jiazhizhong:v2.0.6-rc.2 jiazhizhong:v2.0.6-rc.1 jiazhizhong:v2.0.4 jiazhizhong:wasm-go-ai-security-guard-v1.0.0 jiazhizhong:v2.0.3 jiazhizhong:v2.0.2 jiazhizhong:v2.0.1 jiazhizhong:v2.0.0 jiazhizhong:v2.0.0-rc.1 jiazhizhong:latest jiazhizhong:wasm-go-ext-auth-v1.0.0 jiazhizhong:v1.4.2 jiazhizhong:plugins/wasm-go/v1.4.2 jiazhizhong:wasm-go-cluster-key-rate-limit-v1.0.0 jiazhizhong:wasm-go-custom-response-v1.0.0 jiazhizhong:v1.4.1 jiazhizhong:plugins/wasm-go/v1.4.0 jiazhizhong:v1.4.0 jiazhizhong:v1.4.0-rc.1 jiazhizhong:v1.3.6 jiazhizhong:v1.3.5 jiazhizhong:plugins/wasm-go/v1.3.5 jiazhizhong:v1.3.4 jiazhizhong:v1.3.4-rc.2 jiazhizhong:v1.3.4-rc.1 jiazhizhong:v1.3.3 jiazhizhong:v1.3.2 jiazhizhong:plugins/wasm-go/v1.3.2 jiazhizhong:plugins/wasm-go/v1.3.1 jiazhizhong:v1.3.1 jiazhizhong:v1.3.0 jiazhizhong:v1.2.0 jiazhizhong:v1.1.2 jiazhizhong:v1.1.1 jiazhizhong:v1.1.0 jiazhizhong:v1.0.1 jiazhizhong:v1.0.0 jiazhizhong:v1.0.0-rc.4 jiazhizhong:v0.7.4 jiazhizhong:v0.7.3 jiazhizhong:v1.0.0-rc.3 jiazhizhong:v1.0.0-rc.2 jiazhizhong:v1.0.0-rc jiazhizhong:v0.7.2 jiazhizhong:v0.7.1 jiazhizhong:v0.7.0 jiazhizhong:v0.6.2 jiazhizhong:v0.6.1 jiazhizhong:v0.6.0 jiazhizhong:v0.5.3 jiazhizhong:v0.5.2 jiazhizhong:v0.5.1 jiazhizhong:v0.5.0

40 Commits
v0.6.1 ... v0.7.0

Author SHA1 Message Date
澄潭
614ac55f27 release 0.7.0 (#243) 2023-03-16 13:58:29 +08:00
澄潭
6e8f17e41f Update README.md 2023-03-10 14:13:19 +08:00
澄潭
0d14c3c6ce Update README_EN.md 2023-03-09 19:00:57 +08:00
澄潭
c1244dd1e1 Update README.md 2023-03-09 18:59:48 +08:00
Qianglin Li
d99042747b optimize createRuleKey func (#240) 
Signed-off-by: charlie <qianglin98@qq.com>
 2023-03-09 17:19:16 +08:00
cobb-tx
f58f977f80 feat:Support SkyWalking to collect metrics (#238) 
Signed-off-by: cobb-tx 464693850@qq.com
 2023-03-08 16:52:51 +08:00
Qianglin Li
ff560b8d25 feat: add more precedence rules for route matching (#214) 
Signed-off-by: charlie <qianglin98@qq.com>
 2023-03-08 10:29:32 +08:00
Kent Dong
7f6b157a19 feat: Remove redundant helm charts and add console as a dependency (#223) 2023-03-07 11:37:00 +08:00
Kent Dong
7e2c039fc2 cleanup: Remove redundant building configurations (#224) 2023-03-03 17:56:50 +08:00
Shiqi Wang
39931ab854 e2e: add testcases for whitelist-source-range annotations (#220) 
Co-authored-by: Xunzhuo <bitliu@tencent.com>
 2023-03-03 17:55:47 +08:00
悟空
d013d66205 feat: tinygo version default 0.27.0 (#222) 2023-03-01 14:03:48 +08:00
Xunzhuo
8c95fd938e feat(test): set global info for suite tests (#219) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-27 17:04:30 +08:00
Shiqi Wang
691493e945 docs: translate the document of jwt-auth plugin readme to English. (#213) 
Co-authored-by: Shiqi Wang <shiqi.wang1@huawei.com>
 2023-02-27 11:00:40 +08:00
悟空
bd381b3536 feat: 使用多阶段构建优化 wasm-go 构建流程 (#192) 2023-02-24 12:26:31 +08:00
Lisheng Zheng
e839052a9e e2e: add test cases for url redirect annotations (#216) 2023-02-24 11:03:32 +08:00
Lisheng Zheng
b41f4ce886 e2e: add http route permanet direct cases (#209) 2023-02-23 11:44:41 +08:00
Kent Dong
e6744a1902 doc: Use helm repo instead of OCI image as the installation source (#210) 2023-02-22 22:20:32 +08:00
Kent Dong
7bc383ed29 feat: Support deploying helm charts to Aliyun OSS when creating a new tag (#202) 2023-02-21 14:47:16 +08:00
Lisheng Zheng
0af6fb16f8 e2e: append the correct test cases (#206) 2023-02-21 13:22:14 +08:00
澄潭
442bdf9355 Enhance the compatibility of wasm-go sdk for route matching (#205) 2023-02-20 20:14:55 +08:00
澄潭
24dd5e9a6e Update README_EN.md 2023-02-16 20:27:53 +08:00
澄潭
3b54926d89 Update README.md 2023-02-16 20:26:43 +08:00
charlie
e89e330e23 feat: support match annotation (#188) 
Signed-off-by: charlie <qianglin98@qq.com>
 2023-02-16 16:31:22 +08:00
Xunzhuo
56e805f768 e2e: add cors forbidden origin case (#187) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-15 10:06:27 +08:00
charlie
e0807dce0b feat: add an annotation for ignoring URI case in HTTP match (#174) 
Signed-off-by: charlie <qianglin98@qq.com>
 2023-02-14 19:52:17 +08:00
Hinsteny Hisoka
6efa393e7d Add e2e test for cors annotations #171 (#179) 
Co-authored-by: Xunzhuo <bitliu@tencent.com>
 2023-02-14 11:46:48 +08:00
悟空
cdcfe24a3d feat: add Makefile for building wasm-go easier (#184) 2023-02-14 09:59:33 +08:00
澄潭
1b7723bac5 release 0.6.2 (#186) 2023-02-13 19:22:32 +08:00
澄潭
f402f86374 Update Dockerfile.higress 2023-02-10 17:36:36 +08:00
Xunzhuo
7726d5d138 e2e: add rewrite hostname testcase (#182) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-08 14:11:49 +08:00
Xunzhuo
50e7bfddee e2e: add canary header traffic split (#180) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-08 14:09:54 +08:00
Xunzhuo
9400f7bf07 refactor: higress test framework (#178) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-07 15:28:40 +08:00
Xunzhuo
40f4d7845d e2e: add http rewrite path testcase (#177) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-07 14:40:18 +08:00
Xunzhuo
d84c9e67c3 chore: go mod tidy (#164) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-07 13:34:55 +08:00
澄潭
71f5dcd123 Update CODEOWNERS 2023-02-06 18:56:24 +08:00
Xunzhuo
245c807b85 doc: add workflow image to ingress-conformance test (#173) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-06 17:16:28 +08:00
Xunzhuo
c88ee327ba doc: add arch image to ingress-conformance test (#170) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-06 16:42:17 +08:00
Xunzhuo
ca0d62c91a chore: some clean-up to e2e tests (#162) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-06 13:30:51 +08:00
Xunzhuo
b000bc6ce9 e2e: add host match routing e2e case (#160) 
Signed-off-by: bitliu <bitliu@tencent.com>
 2023-02-06 12:42:43 +08:00
xcbeyond
1b8ec8d204 optimize: add ignore .vscode dir. (#159) 2023-02-05 14:17:24 +08:00
145 changed files with 4520 additions and 16456 deletions
Expand all files Collapse all files

48
.github/workflows/deploy-to-oss.yaml vendored Normal file
View File

@@ -0,0 +1,48 @@
name: Deploy Artifacts to OSS
on:
push:
tags:
- "v*.*.*"
jobs:
deploy-to-oss:
runs-on: ubuntu-latest
steps:
# Step 1
- name: Checkout
uses: actions/checkout@v3
# Step 2
- name: Download Helm Charts Index
uses: doggycool/ossutil-github-action@master
with:
ossArgs: 'cp -r -u oss://higress-website-cn-hongkong/helm-charts/index.yaml ./artifact/'
accessKey: ${{ secrets.ACCESS_KEYID }}
accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
endpoint: oss-cn-hongkong.aliyuncs.com
# Step 3
- id: calc-version
name: Calculate Version Number
run: |
version=$(echo ${{ github.ref_name }} | cut -c2-)
echo "Version=$version"
echo "version=$version" >> $GITHUB_OUTPUT
# Step 4
- name: Build Artifact
uses: stefanprodan/kube-tools@v1
with:
helmv3: 3.7.2
command: |
helmv3 repo add higress.io https://higress.io/helm-charts
helmv3 package helm/core --debug --app-version ${{steps.calc-version.outputs.version}} --version ${{steps.calc-version.outputs.version}} -d ./artifact
helmv3 dependency build helm/higress
helmv3 package helm/higress --debug --app-version ${{steps.calc-version.outputs.version}} --version ${{steps.calc-version.outputs.version}} -d ./artifact
helmv3 repo index --url https://higress.io/helm-charts/ --merge ./artifact/index.yaml ./artifact
# Step 5
- name: Upload to OSS
uses: doggycool/ossutil-github-action@master
with:
ossArgs: 'cp -r -u ./artifact/ oss://higress-website-cn-hongkong/helm-charts/'
accessKey: ${{ secrets.ACCESS_KEYID }}
accessSecret: ${{ secrets.ACCESS_KEYSECRET }}
endpoint: oss-cn-hongkong.aliyuncs.com

2
.gitignore vendored
View File

@@ -6,8 +6,10 @@ out
.DS_Store
coverage.xml
.idea/
.vscode/
bazel-bin
bazel-out
bazel-testlogs
bazel-wasm-cpp
tools/bin/
helm/**/charts/**.tgz

12
CODEOWNERS
View File

@@ -1,4 +1,10 @@
# Top level
* @johnlanni @SpecialYang @Lynskylate @gengleilei @NameHaibinZhang
/api @johnlanni
/envoy @gengleilei @johnlanni @Lynskylate
/istio @SpecialYang @johnlanni
/pkg @SpecialYang @johnlanni
/plugins @johnlanni
/registry @NameHaibinZhang @johnlanni
/test @Xunzhuo
/tools @johnlanni @Xunzhuo
# TODO Add code reviewers for subdirectory.

43
Makefile.core.mk
View File

@@ -95,54 +95,43 @@ export PARENT_GIT_REVISION:=$(TAG)
export ENVOY_TAR_PATH:=/home/package/envoy.tar.gz
build-istio: prebuild
cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
external/package/envoy.tar.gz:
cd external/proxy; BUILD_WITH_CONTAINER=1 make test_release
build-gateway: prebuild external/package/envoy.tar.gz
cd external/istio; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
cd external/istio; rm -rf out; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.proxyv2" make docker
build-istio: prebuild
cd external/istio; rm -rf out; GOOS_LOCAL=linux TARGET_OS=linux TARGET_ARCH=amd64 BUILD_WITH_CONTAINER=1 DOCKER_BUILD_VARIANTS=default DOCKER_TARGETS="docker.pilot" make docker
pre-install:
cp api/kubernetes/customresourcedefinitions.gen.yaml helm/higress/crds
cd helm/istio; helm dependency update
cd helm/kind/higress; helm dependency update
cd helm/kind/istio; helm dependency update
cp api/kubernetes/customresourcedefinitions.gen.yaml helm/core/crds
define create_ns
kubectl get namespace | grep $(1) || kubectl create namespace $(1)
endef
install: pre-install
helm install higress helm/kind/higress -n higress-system --create-namespace
cd helm/higress; helm dependency build
helm install higress helm/higress -n higress-system --create-namespace --set 'global.kind=true'
ENVOY_LATEST_IMAGE_TAG ?= 0.6.0
ISTIO_LATEST_IMAGE_TAG ?= 0.6.0
ENVOY_LATEST_IMAGE_TAG ?= 0.7.0
ISTIO_LATEST_IMAGE_TAG ?= 0.7.0
install-dev: pre-install
helm install higress helm/higress -n higress-system --create-namespace --set-json='controller.tag="$(TAG)"' --set-json='gateway.replicas=1' --set-json='gateway.tag="$(ENVOY_LATEST_IMAGE_TAG)"' --set-json='global.kind=true'
helm install higress helm/core -n higress-system --create-namespace --set 'controller.tag=$(TAG)' --set 'gateway.replicas=1' --set 'gateway.tag=$(ENVOY_LATEST_IMAGE_TAG)' --set 'global.kind=true'
uninstall:
helm uninstall higress -n higress-system
upgrade: pre-install
helm upgrade higress helm/kind/higress -n higress-system
cd helm/higress; helm dependency build
helm upgrade higress helm/higress -n higress-system --set 'global.kind=true'
helm-push:
cp api/kubernetes/customresourcedefinitions.gen.yaml helm/higress/crds
cp api/kubernetes/customresourcedefinitions.gen.yaml helm/core/crds
cd helm; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(CHARTS)"
helm-push-istio:
cd helm/istio; helm dependency update
cd helm; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(CHARTS)"
helm-push-kind:
cd helm/kind/higress; helm dependency update
cd helm/kind; tar -zcf higress.tgz higress; helm push higress.tgz "oci://$(CHARTS)"
cd helm/kind/istio; helm dependency update
cd helm/kind; tar -zcf istio.tgz istio; helm push istio.tgz "oci://$(CHARTS)"
cue = cue-gen -paths=./external/api/common-protos
gen-api: prebuild
@@ -182,7 +171,7 @@ gateway-conformance-test:
# ingress-conformance-test runs ingress api conformance tests.
.PHONY: ingress-conformance-test
ingress-conformance-test: $(tools/kind) delete-cluster create-cluster kube-load-image install-dev run-ingress-e2e-test delete-cluster
ingress-conformance-test: $(tools/kind) delete-cluster create-cluster docker-build kube-load-image install-dev run-ingress-e2e-test delete-cluster
# create-cluster creates a kube cluster with kind.
.PHONY: create-cluster
@@ -196,7 +185,7 @@ delete-cluster: $(tools/kind) ## Delete kind cluster.
# kube-load-image loads a local built docker image into kube cluster.
.PHONY: kube-load-image
kube-load-image: docker-build $(tools/kind) ## Install the EG image to a kind cluster using the provided $IMAGE and $TAG.
kube-load-image: $(tools/kind) ## Install the EG image to a kind cluster using the provided $IMAGE and $TAG.
tools/hack/kind-load-image.sh higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/higress $(TAG)
# run-ingress-e2e-test starts to run ingress e2e tests.
@@ -207,4 +196,4 @@ run-ingress-e2e-test:
kubectl wait --timeout=5m -n higress-system deployment/higress-controller --for=condition=Available
@echo -e "\n\033[36mWaiting higress-gateway to be ready...\033[0m\n"
kubectl wait --timeout=5m -n higress-system deployment/higress-gateway --for=condition=Available
go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true --use-unique-ports=true
go test -v -tags conformance ./test/ingress/e2e_test.go --ingress-class=higress --debug=true

12
README.md
View File

@@ -154,8 +154,8 @@ kubectl.exe config use-context kind-higress
#### 第三步、 安装 higress
```bash
kubectl create ns higress-system
helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
helm repo add higress.io https://higress.io/helm-charts
helm install higress higress.io/higress -n higress-system --set global.kind=true --create-namespace --render-subchart-notes
```
helm版本需升级至**v3.8.0**及以上
@@ -163,7 +163,7 @@ helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.ali
#### 第四步、 创建 Ingress 资源并测试
```bash
kubectl apply -f https://github.com/alibaba/higress/releases/download/v0.6.0/quickstart.yaml
kubectl apply -f https://higress.io/samples/quickstart.yaml
```
测试 Ingress 生效:
@@ -178,7 +178,7 @@ curl localhost/bar
#### 卸载资源
```bash
kubectl delete -f https://github.com/alibaba/higress/releases/download/v0.6.0/quickstart.yaml
kubectl delete -f https://higress.io/samples/quickstart.yaml
helm uninstall higress -n higress-system
@@ -190,8 +190,8 @@ kubectl delete ns higress-system
#### 第一步、 安装 higress
```bash
kubectl create ns higress-system
helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress
helm repo add higress.io https://higress.io/helm-charts
helm install higress higress.io/higress -n higress-system --create-namespace --render-subchart-notes
```
#### 第二步、 创建 Ingress 资源并测试

12
README_EN.md
View File

@@ -127,14 +127,14 @@ kubectl.exe config use-context kind-higress
#### step 3. install higress
```bash
kubectl create ns higress-system
helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress-local
helm repo add higress.io https://higress.io/helm-charts
helm install higress higress.io/higress -n higress-system --create-namespace --set global.kind=true
```
Note: The helm version needs to be upgraded to **v3.8.0** and above
#### step 4. create the ingress and test it
```bash
kubectl apply -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml
kubectl apply -f https://higress.io/samples/quickstart.yaml
```
Now verify that the ingress works
@@ -149,7 +149,7 @@ curl localhost/bar
#### Clean-Up
```bash
kubectl delete -f https://kind.sigs.k8s.io/examples/ingress/usage.yaml
kubectl delete -f https://higress.io/samples/quickstart.yaml
helm uninstall higress -n higress-system
@@ -161,8 +161,8 @@ kubectl delete ns higress-system
#### step 1. install higress
```bash
kubectl create ns higress-system
helm install higress -n higress-system oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/charts/higress
helm repo add higress.io https://higress.io/helm-charts
helm install higress higress.io/higress -n higress-system --create-namespace
```
#### step 2. create the ingress and test it

2
VERSION
View File

@@ -1 +1 @@
v0.6.1
v0.7.0

1
docker/Dockerfile.higress
View File

@@ -7,6 +7,7 @@ ARG BASE_VERSION=latest
ARG HUB
# The following section is used as base image if BASE_DISTRIBUTION=debug
# This base image is provided by istio, see: https://github.com/istio/istio/blob/master/docker/Dockerfile.base
FROM ${HUB}/base:${BASE_VERSION}
ARG TARGETARCH

2
go.mod
View File

@@ -22,6 +22,7 @@ require (
github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
github.com/gogo/protobuf v1.3.2
github.com/golang/protobuf v1.5.2
github.com/google/go-cmp v0.5.8
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
github.com/hashicorp/go-multierror v1.1.1
github.com/nacos-group/nacos-sdk-go v1.0.8
@@ -98,7 +99,6 @@ require (
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/mock v1.6.0 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/go-cmp v0.5.8 // indirect
github.com/google/go-containerregistry v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect

7
helm/base/Chart.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
appVersion: 1.12.0
description: Helm chart for deploying Istio cluster resources and CRDs
name: base
sources:
- http://github.com/alibaba/higress
version: 1.12.0

8499
helm/base/crds/crd-all.gen.yaml
View File

File diff suppressed because it is too large Load Diff

48
helm/base/crds/crd-operator.yaml
View File

@@ -1,48 +0,0 @@
# SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
conversion:
strategy: None
group: install.istio.io
names:
kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
name: Status
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
name: v1alpha1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---

5
helm/base/templates/NOTES.txt
View File

@@ -1,5 +0,0 @@
Istio base successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}

178
helm/base/templates/clusterrole.yaml
View File

@@ -1,178 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
{{- if or .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}
---

37
helm/base/templates/clusterrolebinding.yaml
View File

@@ -1,37 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
---

4
helm/base/templates/crds.yaml
View File

@@ -1,4 +0,0 @@
{{- if .Values.base.enableCRDTemplates }}
{{ .Files.Get "crds/crd-all.gen.yaml" }}
{{ .Files.Get "crds/crd-operator.yaml" }}
{{- end }}

43
helm/base/templates/default.yaml
View File

@@ -1,43 +0,0 @@
{{- if not (eq .Values.defaultRevision "") }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-default-validator
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.defaultRevision }}
webhooks:
- name: validation.istio.io
clientConfig:
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
{{- if (eq .Values.defaultRevision "default") }}
name: istiod
{{- else }}
name: istiod-{{ .Values.defaultRevision }}
{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}

30
helm/base/templates/endpoints.yaml
View File

@@ -1,30 +0,0 @@
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- end }}
---
{{- end }}

16
helm/base/templates/reader-serviceaccount.yaml
View File

@@ -1,16 +0,0 @@
# This service account aggregates reader permissions for the revisions in a given cluster
# Should be used for remote secret creation.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}

25
helm/base/templates/role.yaml
View File

@@ -1,25 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

21
helm/base/templates/rolebinding.yaml
View File

@@ -1,21 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}

19
helm/base/templates/serviceaccount.yaml
View File

@@ -1,19 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}

37
helm/base/templates/services.yaml
View File

@@ -1,37 +0,0 @@
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
# when istiod is enabled in remote cluster, we can't use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
clusterIP: None
{{- else }}
# when istiod isn't enabled in remote cluster, we can use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
# if the remotePilotAddress is IP addr, we use clusterIP: None.
# else, we use externalName
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
clusterIP: None
{{- else }}
type: ExternalName
externalName: {{ .Values.global.remotePilotAddress }}
{{- end }}
{{- end }}
---
{{- end }}

29
helm/base/values.yaml
View File

@@ -1,29 +0,0 @@
global:
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# Used to locate istiod.
istioNamespace: istio-system
istiod:
enableAnalysis: false
configValidation: true
externalIstiod: false
remotePilotAddress: ""
base:
# Used for helm2 to add the CRDs to templates.
enableCRDTemplates: false
# Validation webhook configuration url
# For example: https://$remotePilotAddress:15017/validate
validationURL: ""
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true
defaultRevision: "default"

10
helm/kind/higress/Chart.yaml → helm/core/Chart.yaml
View File

@@ -1,16 +1,12 @@
apiVersion: v2
appVersion: 0.6.1
appVersion: 0.7.0
description: Helm chart for deploying higress gateways
icon: https://higress.io/img/higress_logo_small.png
keywords:
- higress
- gateways
name: higress-local
name: higress-core
sources:
- http://github.com/alibaba/higress
dependencies:
- name: higress
repository: "file://../../higress"
version: 0.6.1
type: application
version: 0.6.1
version: 0.7.0

0
helm/higress/crds/customresourcedefinitions.gen.yaml → helm/core/crds/customresourcedefinitions.gen.yaml
View File

0
helm/higress/templates/NOTES.txt → helm/core/templates/NOTES.txt
View File

0
helm/higress/templates/_helpers.tpl → helm/core/templates/_helpers.tpl
View File

0
helm/higress/templates/clusterrole.yaml → helm/core/templates/clusterrole.yaml
View File

67
helm/higress/templates/configmap.yaml → helm/core/templates/configmap.yaml
View File

@@ -15,7 +15,7 @@
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
{{- if .Values.global.enableMesh }}
{{- if .Values.global.enableHigressIstio }}
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
{{- else }}
rootNamespace: {{ .Release.Namespace }}
@@ -23,6 +23,9 @@
configSources:
- address: "xds://127.0.0.1:15051"
{{- if .Values.global.enableIstioAPI }}
- address: "k8s://"
{{- end }}
defaultConfig:
{{- if .Values.global.meshID }}
@@ -74,7 +77,7 @@
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- end }}
{{- else }}
{{- if .Values.global.enableMesh }}
{{- if .Values.global.enableHigressIstio }}
discoveryAddress: {{ printf "istiod.%s.svc" .Values.global.istioNamespace }}:15012
{{- else }}
discoveryAddress: higress-controller.{{.Release.Namespace}}.svc:15012
@@ -115,4 +118,64 @@ data:
{{- include "mesh" . }}
{{- end }}
---
{{- if .Values.enableSkywalking }}
apiVersion: v1
kind: ConfigMap
metadata:
name: higress-custom-bootstrap
namespace: {{ .Release.Namespace }}
labels:
{{- include "gateway.labels" . | nindent 4 }}
data:
custom_bootstrap.json: |-
{
"stats_sinks": [
{
"name": "envoy.metrics_service",
"typed_config": {
"@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig",
"transport_api_version": "V3",
"grpc_service": {
"envoy_grpc": {
"cluster_name": "service_skywalking"
}
}
}
}
],
"static_resources": {
"clusters": [
{
"name": "service_skywalking",
"type": "LOGICAL_DNS",
"connect_timeout": "5s",
"http2_protocol_options": {
},
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "service_skywalking",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "{{ .Values.Skywalking.address }}",
"port_value": "{{ .Values.Skywalking.port }}"
}
}
}
}
]
}
]
}
}
]
}
}
---
{{- end }}

7
helm/higress/templates/controller-clusterrole.yaml → helm/core/templates/controller-clusterrole.yaml
View File

@@ -106,3 +106,10 @@ rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]

0
helm/higress/templates/controller-clusterrolebinding.yaml → helm/core/templates/controller-clusterrolebinding.yaml
View File

10
helm/higress/templates/controller-deployment.yaml → helm/core/templates/controller-deployment.yaml
View File

@@ -28,7 +28,7 @@ spec:
securityContext:
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
containers:
{{- if not .Values.global.enableMesh }}
{{- if not .Values.global.enableHigressIstio }}
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
@@ -120,7 +120,11 @@ spec:
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
{{- if not .Values.global.enableMesh }}
{{- if .Values.global.enableIstioAPI }}
- name: HIGRESS_ENABLE_ISTIO_API
value: "true"
{{- end }}
{{- if not .Values.global.enableHigressIstio }}
- name: CUSTOM_CA_CERT_NAME
value: "higress-ca-root-cert"
{{- end }}
@@ -228,7 +232,7 @@ spec:
volumes:
- name: log
emptyDir: {}
{{- if not .Values.global.enableMesh }}
{{- if not .Values.global.enableHigressIstio }}
- name: config
configMap:
name: higress-config

0
helm/higress/templates/controller-role.yaml → helm/core/templates/controller-role.yaml
View File

0
helm/higress/templates/controller-rolebinding.yaml → helm/core/templates/controller-rolebinding.yaml
View File

2
helm/higress/templates/controller-service.yaml → helm/core/templates/controller-service.yaml
View File

@@ -8,7 +8,7 @@ spec:
type: {{ .Values.controller.service.type }}
ports:
{{- toYaml .Values.controller.ports | nindent 4 }}
{{- if not .Values.global.enableMesh }}
{{- if not .Values.global.enableHigressIstio }}
- port: 15010
name: grpc-xds # plaintext
protocol: TCP

0
helm/higress/templates/controller-serviceaccont.yaml → helm/core/templates/controller-serviceaccont.yaml
View File

22
helm/higress/templates/deployment.yaml → helm/core/templates/deployment.yaml
View File

@@ -29,8 +29,8 @@ spec:
template:
metadata:
annotations:
{{- if .Values.global.enableMesh }}
"enableMesh": "true"
{{- if .Values.global.enableHigressIstio }}
"enableHigressIstio": "true"
{{- end }}
{{- if .Values.gateway.podAnnotations }}
{{- toYaml .Values.gateway.podAnnotations | nindent 8 }}
@@ -136,6 +136,10 @@ spec:
value: "{{ $.Values.clusterName | default `Kubernetes` }}"
- name: INSTANCE_NAME
value: "higress-gateway"
{{- if .Values.enableSkywalking }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: /etc/istio/custom-bootstrap/custom_bootstrap.json
{{- end }}
{{- with .Values.gateway.networkGateway }}
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
value: "{{.}}"
@@ -188,6 +192,10 @@ spec:
mountPath: /etc/istio/pod
- name: proxy-socket
mountPath: /etc/istio/proxy
{{- if .Values.enableSkywalking }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
{{- if .Values.gateway.hostNetwork }}
hostNetwork: {{ .Values.gateway.hostNetwork }}
dnsPolicy: ClusterFirstWithHostNet
@@ -216,7 +224,7 @@ spec:
{{- end }}
- name: istio-ca-root-cert
configMap:
{{- if .Values.global.enableMesh }}
{{- if .Values.global.enableHigressIstio }}
name: istio-ca-root-cert
{{- else }}
name: higress-ca-root-cert
@@ -224,7 +232,13 @@ spec:
- name: config
configMap:
name: higress-config
- name: istio-data
{{- if .Values.enableSkywalking }}
- configMap:
defaultMode: 420
name: higress-custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
- name: istio-data
emptyDir: {}
- name: proxy-socket
emptyDir: {}

0
helm/higress/templates/hpa.yaml → helm/core/templates/hpa.yaml
View File

0
helm/higress/templates/role.yaml → helm/core/templates/role.yaml
View File

0
helm/higress/templates/service.yaml → helm/core/templates/service.yaml
View File

0
helm/higress/templates/serviceaccount.yaml → helm/core/templates/serviceaccount.yaml
View File

24
helm/higress/values.yaml → helm/core/values.yaml
View File

@@ -1,9 +1,12 @@
revision: ""
global:
# whether to use autoscaling/v2 template for HPA settings
# for internal usage only, not to be configured by users.
autoscalingv2API: true
kind: false
enableMesh: false
enableIstioAPI: false
# Deprecated
enableHigressIstio: false
# Used to locate istiod.
istioNamespace: istio-system
# enable pod disruption budget for the control plane, which is used to
@@ -30,7 +33,7 @@ global:
# Dev builds from prow are on gcr.io
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
# Default tag for Istio images.
tag: 0.6.1
tag: 0.7.0
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
@@ -364,7 +367,7 @@ gateway:
name: "higress-gateway"
replicas: 2
image: gateway
tag: "0.6.1"
tag: "0.7.0"
# revision declares which revision this gateway is a part of
revision: ""
@@ -409,10 +412,6 @@ gateway:
# Type of service. Set to "None" to disable the service entirely
type: LoadBalancer
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
@@ -456,7 +455,7 @@ controller:
name: "higress-controller"
replicas: 1
image: higress
tag: "0.6.1"
tag: "0.7.0"
env: {}
labels: {}
@@ -546,7 +545,7 @@ pilot:
rollingMaxUnavailable: 25%
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
tag: 0.6.1
tag: 0.7.0
# Can be a full hub/image:tag
image: pilot
@@ -606,3 +605,10 @@ pilot:
# Additional labels to apply on the pod level for monitoring and logging configuration.
podLabels: {}
# Skywalking config settings
enableSkywalking: false
Skywalking:
address: "skywalking-oap.higress-system.svc"
port: 11800

9
helm/higress/Chart.lock Normal file
View File

@@ -0,0 +1,9 @@
dependencies:
- name: higress-core
repository: file://../core
version: 0.7.0
- name: higress-console
repository: https://higress.io/helm-charts/
version: 0.1.0
digest: sha256:3fd6cfb0fd10178927569d57e0cbff5250870dd677cbf30995c49ced83e38f7c
generated: "2023-03-15T15:09:02.878072+08:00"

11
helm/higress/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 0.6.1
appVersion: 0.7.0
description: Helm chart for deploying higress gateways
icon: https://higress.io/img/higress_logo_small.png
keywords:
@@ -8,5 +8,12 @@ keywords:
name: higress
sources:
- http://github.com/alibaba/higress
dependencies:
- name: higress-core
repository: "file://../core"
version: 0.7.0
- name: higress-console
repository: "https://higress.io/helm-charts/"
version: 0.1.0
type: application
version: 0.6.1
version: 0.7.0

9
helm/istio/Chart.lock
View File

@@ -1,9 +0,0 @@
dependencies:
- name: base
repository: file://../base
version: 1.12.0
- name: istiod
repository: file://../istiod
version: 1.12.0
digest: sha256:12dd680ac6eee11750941f56aab434cc35c5df09ac784a5ef8f5b84e0984f8c7
generated: "2022-10-31T14:49:23.29643+08:00"

15
helm/istio/Chart.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: v2
appVersion: 1.12.4
description: Helm chart for deploying higress istio
name: istio
sources:
- http://github.com/alibaba/higress
dependencies:
- name: base
repository: "file://../base"
version: 1.12.0
- name: istiod
repository: "file://../istiod"
version: 1.12.0
type: application
version: 1.12.4

7
helm/istiod/Chart.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
appVersion: 1.12.0
description: Helm chart for istio control plane
name: istiod
sources:
- http://github.com/alibaba/higress
version: 1.12.0

215
helm/istiod/files/gateway-injection-template.yaml
View File

@@ -1,215 +0,0 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
mountPath: /var/run/secrets/workload-spiffe-credentials
readOnly: true
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
csi:
driver: workloadcertificates.security.cloud.google.com
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}

2544
helm/istiod/files/gen-istio.yaml
View File

File diff suppressed because it is too large Load Diff

233
helm/istiod/files/grpc-agent.yaml
View File

@@ -1,233 +0,0 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
sidecar.istio.io/rewriteAppHTTPProbers: "false",
}
spec:
containers:
{{- range $index, $container := .Spec.Containers }}
{{ if not (eq $container.Name "istio-proxy") }}
- name: {{ $container.Name }}
env:
- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
value: "true"
- name: "GRPC_XDS_BOOTSTRAP"
value: "/etc/istio/proxy/grpc-bootstrap.json"
volumeMounts:
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- end }}
{{- end }}
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
env:
- name: ISTIO_META_GENERATOR
value: grpc
- name: OUTPUT_CERTS
value: /var/lib/istio/data
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
# grpc uses xds:/// to resolve no need to resolve VIP
- name: ISTIO_META_DNS_CAPTURE
value: "false"
- name: DISABLE_ENVOY
value: "true"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
volumes:
# UDS channel between istioagent and gRPC client for XDS/SDS
- emptyDir:
medium: Memory
name: istio-xds
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}

64
helm/istiod/files/grpc-simple.yaml
View File

@@ -1,64 +0,0 @@
metadata:
sidecar.istio.io/rewriteAppHTTPProbers: "false"
spec:
initContainers:
- name: grpc-bootstrap-init
image: busybox:1.28
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
env:
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_NAMESPACE
value: |
{{ .Values.global.istioNamespace }}
command:
- sh
- "-c"
- |-
NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
echo '
{
"xds_servers": [
{
"server_uri": "'${SERVER_URI}'",
"channel_creds": [{"type": "insecure"}],
"server_features" : ["xds_v3"]
}
],
"node": {
"id": "'${NODE_ID}'",
"metadata": {
"GENERATOR": "grpc"
}
}
}' > /var/lib/grpc/data/bootstrap.json
containers:
{{- range $index, $container := .Spec.Containers }}
- name: {{ $container.Name }}
env:
- name: GRPC_XDS_BOOTSTRAP
value: /var/lib/grpc/data/bootstrap.json
- name: GRPC_GO_LOG_VERBOSITY_LEVEL
value: "99"
- name: GRPC_GO_LOG_SEVERITY_LEVEL
value: info
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
{{- end }}
volumes:
- name: grpc-io-proxyless-bootstrap
emptyDir: {}

491
helm/istiod/files/injection-template.yaml
View File

@@ -1,491 +0,0 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
{{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }}
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
{{- end }}
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}",
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
{{- end }}
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
{{- end }}
}
spec:
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{ if .Values.istio_cni.enabled -}}
- name: istio-validation
{{ else -}}
- name: istio-init
{{ end -}}
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- istio-iptables
- "-p"
- {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
- "-z"
- "15006"
- "-u"
- "1337"
- "-m"
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
- "-d"
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{- else }}
- "15090,15021"
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
- "-q"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
{{ end -}}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
{{ if .Values.istio_cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
{{ end -}}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
privileged: {{ .Values.global.proxy.privileged }}
capabilities:
{{- if not .Values.istio_cni.enabled }}
add:
- NET_ADMIN
- NET_RAW
{{- end }}
drop:
- ALL
{{- if not .Values.istio_cni.enabled }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{- else }}
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
{{- end }}
restartPolicy: Always
{{ end -}}
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{ end }}
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if gt .EstimatedConcurrency 0 }}
- --concurrency
- "{{ .EstimatedConcurrency }}"
{{- end -}}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- else if $holdProxy }}
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
{{- end }}
env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
{{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
allowPrivilegeEscalation: true
capabilities:
add:
- NET_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
runAsGroup: 1337
fsGroup: 1337
runAsNonRoot: false
runAsUser: 0
{{- else }}
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
add:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- NET_ADMIN
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- NET_BIND_SERVICE
{{- end }}
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
runAsGroup: 1337
fsGroup: 1337
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
{{- end }}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
mountPath: /var/run/secrets/workload-spiffe-credentials
readOnly: true
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
volumes:
{{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
- name: gke-workload-certificate
csi:
driver: workloadcertificates.security.cloud.google.com
{{- end }}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}

21
helm/istiod/templates/NOTES.txt
View File

@@ -1,21 +0,0 @@
"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}
Next steps:
* Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
* Try out our tasks to get started on common configurations:
* https://istio.io/latest/docs/tasks/traffic-management
* https://istio.io/latest/docs/tasks/security/
* https://istio.io/latest/docs/tasks/policy-enforcement/
* https://istio.io/latest/docs/tasks/policy-enforcement/
* Review the list of actively supported releases, CVE publications and our hardening guide:
* https://istio.io/latest/docs/releases/supported-releases/
* https://istio.io/latest/news/security/
* https://istio.io/latest/docs/ops/best-practices/security/
For further documentation see https://istio.io website
Tell us how your install/upgrade experience went at https://forms.gle/FegQbc9UvePd4Z9z7

59
helm/istiod/templates/autoscale.yaml
View File

@@ -1,59 +0,0 @@
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
{{- if not .Values.extra.autoscalingv2API }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
maxReplicas: {{ .Values.pilot.autoscaleMax }}
minReplicas: {{ .Values.pilot.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
---
{{- else }}
{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta2
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
maxReplicas: {{ .Values.pilot.autoscaleMax }}
minReplicas: {{ .Values.pilot.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
---
{{- end }}
{{- end }}

134
helm/istiod/templates/clusterrole.yaml
View File

@@ -1,134 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update", "patch"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: [ "get", "watch", "list", "create", "delete"]
# Used for MCS serviceimport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "watch", "list"]
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
- apiGroups: ["apps"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "deployments" ]
- apiGroups: [""]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "services" ]
{{- end }}

33
helm/istiod/templates/clusterrolebinding.yaml
View File

@@ -1,33 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
{{- end }}

14
helm/istiod/templates/configmap-jwks.yaml
View File

@@ -1,14 +0,0 @@
{{- if .Values.pilot.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
data:
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
{{- end }}

115
helm/istiod/templates/configmap.yaml
View File

@@ -1,115 +0,0 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
accessLogEncoding: TEXT
accessLogFile: "/dev/stdout"
accessLogFormat: '{"authority":"%REQ(:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"}
'
dnsRefreshRate: 200s
enableAutoMtls: false
enablePrometheusMerge: false
protocolDetectionTimeout: 100ms
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
configSources:
- address: k8s://
- address: {{ printf "xds://%s.%s:%s" .Values.extra.higressName .Values.extra.higressNamespace .Values.extra.higressPort }}
defaultConfig:
{{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }}
{{- end }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
{{- if $.Values.global.tracer.stackdriver.debug }}
debug: {{ $.Values.global.tracer.stackdriver.debug }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- else }}
{}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- end }}
{{- else }}
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
{{- end }}
proxyStatsMatcher:
inclusionRegexps:
- ".*"
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
{{- if .Values.pilot.configMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---
{{- end }}

230
helm/istiod/templates/deployment.yaml
View File

@@ -1,230 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
istio: pilot
release: {{ .Release.Name }}
{{- range $key, $val := .Values.pilot.deploymentLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
spec:
{{- if not .Values.pilot.autoscaleEnabled }}
{{- if .Values.pilot.replicaCount }}
replicas: {{ .Values.pilot.replicaCount }}
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision "" }}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
{{- else }}
istio: pilot
{{- end }}
template:
metadata:
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
{{- if ne .Values.revision "" }}
istio: istiod
{{- else }}
istio: pilot
{{- end }}
{{- range $key, $val := .Values.pilot.podLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if .Values.pilot.podAnnotations }}
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.pilot.nodeSelector }}
nodeSelector:
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
{{- end }}
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
securityContext:
fsGroup: 1337
containers:
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
{{- else }}
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.oneNamespace }}
- "-a"
- {{ .Release.Namespace }}
{{- end }}
{{- if .Values.pilot.plugins }}
- --plugins={{ .Values.pilot.plugins }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: HIGRESS_CONTROLLER_SVC
value: {{ printf "%s.%s" .Values.extra.higressName .Values.extra.higressNamespace }}
- name: HIGRESS_CONTROLLER_PORT
value: "{{ .Values.extra.higressPort }}"
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
{{- if .Values.pilot.env }}
{{- range $key, $val := .Values.pilot.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.pilot.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.pilot.traceSampling }}"
{{- end }}
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
- name: ISTIOD_ADDR
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
{{- if not .Values.extra.kind }}
resources:
{{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: istio
mountPath: /etc/istio/config
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
volumes:
- name: istio
configMap:
name: istio
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
{{- end }}
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
---

67
helm/istiod/templates/istiod-injector-configmap.yaml
View File

@@ -1,67 +0,0 @@
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
values: |-
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
defaultTemplates:
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- {{ . }}
{{- end }}
{{- else }}
defaultTemplates: [sidecar]
{{- end }}
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": "{{ $val }}"
{{- end }}
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
This should make it obvious that their installation is broken.
*/}}
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
templates:
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
grpc-simple: |
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}
{{- end }}

144
helm/istiod/templates/mutatingwebhook.yaml
View File

@@ -1,144 +0,0 @@
{{- /* Core defines the common configuration used by all webhook segments */}}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "{{ .Values.istiodRemote.injectionPath }}"
port: 443
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- else }}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ .Release.Name }}
webhooks:
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

29
helm/istiod/templates/poddisruptionbudget.yaml
View File

@@ -1,29 +0,0 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{- if (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
istio: pilot
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
istio: pilot
{{- end }}
---
{{- end }}

54
helm/istiod/templates/reader-clusterrole.yaml
View File

@@ -1,54 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceimports"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}

15
helm/istiod/templates/reader-clusterrolebinding.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}

130
helm/istiod/templates/revision-tags.yaml
View File

@@ -1,130 +0,0 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
{{- define "core" }}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "{{ .Values.istiodRemote.injectionPath }}"
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

20
helm/istiod/templates/role.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

16
helm/istiod/templates/rolebinding.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}

41
helm/istiod/templates/service.yaml
View File

@@ -1,41 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
{{- if .Values.pilot.serviceAnnotations }}
annotations:
{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: {{ .Release.Name }}
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
{{- end }}
---

15
helm/istiod/templates/serviceaccount.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
---

601
helm/istiod/templates/telemetryv2_1.10.yaml
View File

@@ -1,601 +0,0 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.10.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

601
helm/istiod/templates/telemetryv2_1.11.yaml
View File

@@ -1,601 +0,0 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

601
helm/istiod/templates/telemetryv2_1.12.yaml
View File

@@ -1,601 +0,0 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.12.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

56
helm/istiod/templates/validatingwebhookconfiguration.yaml
View File

@@ -1,56 +0,0 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
- extensions.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
---
{{- end }}

549
helm/istiod/values.yaml
View File

@@ -1,549 +0,0 @@
#.Values.pilot for discovery and mesh wide config
## Discovery Settings
pilot:
autoscaleEnabled: false
autoscaleMin: 1
autoscaleMax: 5
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
tag: 0.6.1
# Can be a full hub/image:tag
image: pilot
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env:
PILOT_SCOPE_GATEWAY_TO_NAMESPACE: "true"
PILOT_ENABLE_METADATA_EXCHANGE: "false"
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: "false"
VALIDATION_ENABLED: "false"
cpu:
targetAverageUtilization: 80
# if protocol sniffing is enabled for outbound
enableProtocolSniffingForOutbound: true
# if protocol sniffing is enabled for inbound
enableProtocolSniffingForInbound: true
nodeSelector: {}
podAnnotations: {}
serviceAnnotations: {}
# You can use jwksResolverExtraRootCA to provide a root certificate
# in PEM format. This will then be trusted by pilot when resolving
# JWKS URIs.
jwksResolverExtraRootCA: ""
# This is used to set the source of configuration for
# the associated address in configSource, if nothing is specificed
# the default MCP is assumed.
configSource:
subscribedResources: []
plugins: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# Additional labels to apply to the deployment.
deploymentLabels: {}
## Mesh config settings
# Install the mesh config map, generated from values.yaml.
# If false, pilot wil use default values (by default) or user-supplied values.
configMap: true
# Additional labels to apply on the pod level for monitoring and logging configuration.
podLabels: {}
sidecarInjectorWebhook:
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# This enables injection of sidecar in all namespaces,
# with the exception of namespaces with "istio-injection:disabled" annotation
# Only one environment should have this enabled.
enableNamespacesByDefault: false
# Enable objectSelector to filter out pods with no need for sidecar before calling istiod.
# It is enabled by default as the minimum supported Kubernetes version is 1.15+
objectSelector:
enabled: true
autoInject: true
rewriteAppHTTPProbe: true
# Templates defines a set of custom injection templates that can be used. For example, defining:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
# being injected with the hello=world labels.
# This is intended for advanced configuration only; most users should use the built in template
templates: {}
# Default templates specifies a set of default templates that are used in sidecar injection.
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# the default templates list.
# For example:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# defaultTemplates: ["sidecar", "hello"]
defaultTemplates: []
istiodRemote:
# Sidecar injector mutating webhook configuration clientConfig.url value.
# For example: https://$remotePilotAddress:15017/inject
# The host should not refer to a service running in the cluster; use a service reference by specifying
# the clientConfig.service field instead.
injectionURL: ""
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
injectionPath: "/inject"
telemetry:
enabled: true
v2:
# For Null VM case now.
# This also enables metadata exchange.
enabled: true
metadataExchange:
# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
wasmEnabled: false
# Indicate if prometheus stats filter is enabled or not
prometheus:
enabled: true
# Indicates whether to enable WebAssembly runtime for stats filter.
wasmEnabled: false
# overrides stats EnvoyFilter configuration.
configOverride:
gateway: {}
inboundSidecar: {}
outboundSidecar: {}
# stackdriver filter settings.
stackdriver:
enabled: false
logging: false
monitoring: false
topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
# e.g.
# disable_server_access_logging: false
# disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy:
enabled: false
# To reduce the number of successful logs, default log window duration is
# set to 12 hours.
logWindowDuration: "43200s"
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility.
ownerName: ""
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
meshConfig:
enablePrometheusMerge: true
# Config for the default ProxyConfig.
# Initially using directly the proxy metadata - can also be activated using annotations
# on the pod. This is an unsupported low-level API, pending review and decisions on
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
# and gradual adoption by setting capture only on specific workloads. It also allows
# VMs to use other DNS options, like dnsmasq or unbound.
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace:
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term
# stable API.
# What we may configure in mesh config is the ".global" - and use of other suffixes.
# No hurry to do this in 1.6, we're trying to prove the code.
extra:
kind: false
# whether to use autoscaling/v2 template for HPA settings
# for internal usage only, not to be configured by users.
autoscalingv2API: true
higressName: "higress-controller"
higressNamespace: "higress-system"
higressPort: "15051"
global:
# Used to locate istiod.
istioNamespace: istio-system
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: false
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
# Default tag for Istio images.
tag: 0.6.1
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# Enabled by default in master for maximising testing.
istiod:
enableAnalysis: false
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
omitSidecarInjectorConfigMap: false
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Configure whether Operator manages webhook configurations. The current behavior
# of Istiod is to manage its own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
#podDNSSearchNamespaces:
#- global
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# istio ingress capture allowlist
# examples:
# Redirect only selected ports: --includeInboundPorts="80,8080"
excludeInboundPorts: ""
includeInboundPorts: "*"
# istio egress capture allowlist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
includeOutboundPorts: ""
excludeOutboundPorts: ""
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 30
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 1
# The period between readiness probes.
readinessPeriodSeconds: 2
# Resources for the sidecar.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
statusPort: 15020
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "zipkin"
# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
holdApplicationUntilProxyStarts: false
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxyv2
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 10m
memory: 10Mi
# configure remote pilot and istiod service and endpoint
remotePilotAddress: ""
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
# If not set explicitly, default to the Istio discovery address.
caAddress: ""
# Configure a remote cluster data plane controlled by an external istiod.
# When set to true, istiod is not deployed locally and only a subset of the other
# discovery charts are enabled.
externalIstiod: false
# Configure a remote cluster as the config cluster for an external istiod.
configCluster: false
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Configure the mesh networks to be used by the Split Horizon EDS.
#
# The following example defines two networks with different endpoints association methods.
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
# mapped to network1. The gateway for this network example is specified by its public IP
# address and port.
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
# endpoints:
# - fromCidr: "192.168.0.1/24"
# gateways:
# - address: 1.1.1.1
# port: 80
# network2:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: true
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Configuration for each of the supported tracers
tracer:
# Configuration for envoy to send trace data to LightStep.
# Disabled by default.
# address: the <host>:<port> of the satellite pool
# accessToken: required for sending data to the pool
#
datadog:
# Host:Port for submitting traces to the Datadog agent.
address: "$(HOST_IP):8126"
lightstep:
address: "" # example: lightstep-satellite:443
accessToken: "" # example: abcdefg1234567
stackdriver:
# enables trace output to stdout.
debug: false
# The global default max number of message events per span.
maxNumberOfMessageEvents: 200
# The global default max number of annotation events per span.
maxNumberOfAnnotations: 200
# The global default max number of attributes per span.
maxNumberOfAttributes: 200
zipkin:
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
# zipkin service (port 9411) in the same namespace as the other istio components.
address: ""
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false
# The name of the CA for workload certificates.
# For example, when caName=GkeWorkloadCertificate, GKE workload certificates
# will be used as the certificates for workloads.
# The default value is "" and when caName="", the CA will be configured by other
# mechanisms (e.g., environmental variable CA_PROVIDER).
caName: ""
base:
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true

6
helm/kind/higress/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: higress
repository: file://../../higress
version: 0.6.1
digest: sha256:35e6287d96a2268039a5b2a2fee5413424616275211bc46aec3f7ff0256c00e5
generated: "2023-02-03T16:36:04.629269+08:00"

2
helm/kind/higress/values.yaml
View File

@@ -1,2 +0,0 @@
global:
kind: true

9
helm/kind/istio/Chart.lock
View File

@@ -1,9 +0,0 @@
dependencies:
- name: base
repository: file://../../base
version: 1.12.0
- name: istiod
repository: file://../../istiod
version: 1.12.0
digest: sha256:ce57290cabf7b0a85a150017cfdfcb2e25f18de7e8c93f5f3020750f9a65ece3
generated: "2022-11-13T13:50:54.129765+08:00"

15
helm/kind/istio/Chart.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: v2
appVersion: 1.12.4
description: Helm chart for deploying higress istio
name: istio-local
sources:
- http://github.com/alibaba/higress
dependencies:
- name: base
repository: "file://../../base"
version: 1.12.0
- name: istiod
repository: "file://../../istiod"
version: 1.12.0
type: application
version: 1.12.4

2
helm/kind/istio/values.yaml
View File

@@ -1,2 +0,0 @@
global:
kind: true

18
istio/1.12/patches/istio/20230208-waf-stats.patch Normal file
View File

@@ -0,0 +1,18 @@
diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio_new/tools/packaging/common/envoy_bootstrap.json
--- istio/tools/packaging/common/envoy_bootstrap.json 2023-02-08 22:42:41.000000000 +0800
+++ istio_new/tools/packaging/common/envoy_bootstrap.json 2023-02-08 22:19:04.000000000 +0800
@@ -37,6 +37,14 @@
"use_all_default_tags": false,
"stats_tags": [
{
+ "tag_name": "phase",
+ "regex": "(_phase=([a-z_]+))"
+ },
+ {
+ "tag_name": "ruleid",
+ "regex": "(_ruleid=([0-9]+))"
+ },
+ {
"tag_name": "route",
"regex": "^vhost\\..*?\\.route\\.([^\\.]+\\.)upstream"
},

8
pkg/ingress/config/ingress_config.go
View File

@@ -330,10 +330,10 @@ func (m *IngressConfig) convertGateways(configs []common.WrapperConfig) []config
func (m *IngressConfig) convertVirtualService(configs []common.WrapperConfig) []config.Config {
convertOptions := common.ConvertOptions{
HostAndPath2Ingress: map[string]*config.Config{},
IngressRouteCache: common.NewIngressRouteCache(),
VirtualServices: map[string]*common.WrapperVirtualService{},
HTTPRoutes: map[string][]*common.WrapperHTTPRoute{},
IngressRouteCache: common.NewIngressRouteCache(),
VirtualServices: map[string]*common.WrapperVirtualService{},
HTTPRoutes: map[string][]*common.WrapperHTTPRoute{},
Route2Ingress: map[string]*common.WrapperConfigWithRuleKey{},
}
// convert http route

8
pkg/ingress/kube/annotations/annotations.go
View File

@@ -63,6 +63,10 @@ type Ingress struct {
Auth *AuthConfig
Destination *DestinationConfig
IgnoreCase *IgnoreCaseConfig
Match *MatchConfig
}
func (i *Ingress) NeedRegexMatch() bool {
@@ -132,6 +136,8 @@ func NewAnnotationHandlerManager() AnnotationHandler {
fallback{},
auth{},
destination{},
ignoreCaseMatching{},
match{},
},
gatewayHandlers: []GatewayHandler{
downstreamTLS{},
@@ -146,6 +152,8 @@ func NewAnnotationHandlerManager() AnnotationHandler {
ipAccessControl{},
retry{},
fallback{},
ignoreCaseMatching{},
match{},
},
trafficPolicyHandlers: []TrafficPolicyHandler{
upstreamTLS{},

54
pkg/ingress/kube/annotations/ignore_case.go Normal file
View File

@@ -0,0 +1,54 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package annotations
import (
networking "istio.io/api/networking/v1alpha3"
)
const (
enableIgnoreCase = "ignore-path-case"
)
type IgnoreCaseConfig struct {
IgnoreUriCase bool
}
type ignoreCaseMatching struct{}
func (m ignoreCaseMatching) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
if config == nil || config.IgnoreCase == nil || !config.IgnoreCase.IgnoreUriCase {
return
}
for _, v := range route.Match {
v.IgnoreUriCase = true
}
}
func (m ignoreCaseMatching) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
if !needIgnoreCaseMatch(annotations) {
return nil
}
config.IgnoreCase = &IgnoreCaseConfig{}
config.IgnoreCase.IgnoreUriCase, _ = annotations.ParseBoolASAP(enableIgnoreCase)
return nil
}
func needIgnoreCaseMatch(annotation Annotations) bool {
return annotation.HasASAP(enableIgnoreCase)
}

135
pkg/ingress/kube/annotations/ignore_case_test.go Normal file
View File

@@ -0,0 +1,135 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package annotations
import (
"testing"
"github.com/google/go-cmp/cmp"
networking "istio.io/api/networking/v1alpha3"
)
func TestIgnoreCaseMatching_ApplyRoute(t *testing.T) {
handler := ignoreCaseMatching{}
testCases := []struct {
input *networking.HTTPRoute
config *Ingress
expect *networking.HTTPRoute
}{
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
IgnoreUriCase: false,
},
},
},
config: &Ingress{
IgnoreCase: &IgnoreCaseConfig{IgnoreUriCase: true},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
IgnoreUriCase: true,
},
},
},
},
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
IgnoreUriCase: false,
},
},
},
config: &Ingress{
IgnoreCase: &IgnoreCaseConfig{IgnoreUriCase: false},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
IgnoreUriCase: false,
},
},
},
},
}
t.Run("", func(t *testing.T) {
for _, tt := range testCases {
handler.ApplyRoute(tt.input, tt.config)
if diff := cmp.Diff(tt.expect, tt.input); diff != "" {
t.Fatalf("TestIgnoreCaseMatching_ApplyRoute() mismatch(-want +got): \n%s", diff)
}
}
})
}
func TestIgnoreCaseMatching_Parse(t *testing.T) {
parser := ignoreCaseMatching{}
testCases := []struct {
input Annotations
expect *IgnoreCaseConfig
}{
{
input: Annotations{},
expect: nil,
},
{
input: Annotations{
buildHigressAnnotationKey(enableIgnoreCase): "true",
},
expect: &IgnoreCaseConfig{
IgnoreUriCase: true,
},
},
{
input: Annotations{
buildHigressAnnotationKey(enableIgnoreCase): "false",
},
expect: &IgnoreCaseConfig{
IgnoreUriCase: false,
},
},
}
t.Run("", func(t *testing.T) {
for _, tt := range testCases {
config := &Ingress{}
_ = parser.Parse(tt.input, config, nil)
if diff := cmp.Diff(tt.expect, config.IgnoreCase); diff != "" {
t.Fatalf("TestIgnoreCaseMatching_Parse() mismatch(-want +got): \n%s", diff)
}
}
})
}

249
pkg/ingress/kube/annotations/match.go Normal file
View File

@@ -0,0 +1,249 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package annotations
import (
"fmt"
"strings"
. "github.com/alibaba/higress/pkg/ingress/log"
networking "istio.io/api/networking/v1alpha3"
)
const (
exact = "exact"
regex = "regex"
prefix = "prefix"
MatchMethod = "match-method"
MatchQuery = "match-query"
MatchHeader = "match-header"
sep = " "
)
var (
methodList = []string{"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
methodMap map[string]struct{}
)
type match struct{}
type MatchConfig struct {
Methods []string
Headers map[string]map[string]string
QueryParams map[string]map[string]string
}
func (m match) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) (err error) {
config.Match = &MatchConfig{}
if err = m.matchByMethod(annotations, config); err != nil {
IngressLog.Errorf("parse methods error %v within ingress %s/%s", err, config.Namespace, config.Name)
}
if config.Match.Headers, err = m.matchByHeaderOrQueryParma(annotations, MatchHeader, config.Match.Headers); err != nil {
IngressLog.Errorf("parse headers error %v within ingress %s/%s", err, config.Namespace, config.Name)
}
if config.Match.QueryParams, err = m.matchByHeaderOrQueryParma(annotations, MatchQuery, config.Match.QueryParams); err != nil {
IngressLog.Errorf("parse query params error %v within ingress %s/%s", err, config.Namespace, config.Name)
}
return
}
func (m match) ApplyRoute(route *networking.HTTPRoute, ingressCfg *Ingress) {
// apply route for method
config := ingressCfg.Match
if config.Methods != nil {
for i := 0; i < len(route.Match); i++ {
route.Match[i].Method = createMethodMatch(config.Methods...)
IngressLog.Debug(fmt.Sprintf("match :%v, methods %v", route.Match[i].Name, route.Match[i].Method))
}
}
// apply route for headers
if config.Headers != nil {
for i := 0; i < len(route.Match); i++ {
if route.Match[i].Headers == nil {
route.Match[i].Headers = map[string]*networking.StringMatch{}
}
addHeadersMatch(route.Match[i].Headers, config)
IngressLog.Debug(fmt.Sprintf("match headers: %v, headers: %v", route.Match[i].Name, route.Match[i].Headers))
}
}
if config.QueryParams != nil {
for i := 0; i < len(route.Match); i++ {
if route.Match[i].QueryParams == nil {
route.Match[i].QueryParams = map[string]*networking.StringMatch{}
}
addQueryParamsMatch(route.Match[i].QueryParams, config)
IngressLog.Debug(fmt.Sprintf("match : %v, queryParams: %v", route.Match[i].Name, route.Match[i].QueryParams))
}
}
}
func (m match) matchByMethod(annotations Annotations, ingress *Ingress) error {
if !annotations.HasHigress(MatchMethod) {
return nil
}
config := ingress.Match
str, err := annotations.ParseStringForHigress(MatchMethod)
if err != nil {
return err
}
methods := strings.Split(str, sep)
set := make(map[string]struct{})
for i := 0; i < len(methods); i++ {
t := strings.ToUpper(methods[i])
if _, ok := set[t]; !ok && isMethod(t) {
set[t] = struct{}{}
config.Methods = append(config.Methods, t)
}
}
return nil
}
// matchByHeader to parse annotations to find MatchHeader config
func (m match) matchByHeaderOrQueryParma(annotations Annotations, key string, mmap map[string]map[string]string) (map[string]map[string]string, error) {
for k, v := range annotations {
if idx := strings.Index(k, key); idx != -1 {
if mmap == nil {
mmap = make(map[string]map[string]string)
}
if err := m.doMatch(k, v, mmap, idx+len(key)+1); err != nil {
IngressLog.Errorf("matchByHeader() failed, the key: %v, value : %v, start: %d", k, v, idx+len(key)+1)
return mmap, err
}
}
}
return mmap, nil
}
func (m match) doMatch(k, v string, mmap map[string]map[string]string, start int) error {
if start >= len(k) {
return ErrInvalidAnnotationName
}
var (
idx int
legalIdx = len(HigressAnnotationsPrefix + "/") // the key has a higress prefix
)
// if idx == -1, it means don't have exact|regex|prefix
// if idx > legalIdx, it means the user key also has exact|regex|prefix. we just match the first one
if idx = strings.Index(k, exact); idx == legalIdx {
if mmap[exact] == nil {
mmap[exact] = make(map[string]string)
}
mmap[exact][k[start:]] = v
return nil
}
if idx = strings.Index(k, regex); idx == legalIdx {
if mmap[regex] == nil {
mmap[regex] = make(map[string]string)
}
mmap[regex][k[start:]] = v
return nil
}
if idx = strings.Index(k, prefix); idx == legalIdx {
if mmap[prefix] == nil {
mmap[prefix] = make(map[string]string)
}
mmap[prefix][k[start:]] = v
return nil
}
return ErrInvalidAnnotationName
}
func isMethod(s string) bool {
if methodMap == nil || len(methodMap) == 0 {
methodMap = make(map[string]struct{})
for _, v := range methodList {
methodMap[v] = struct{}{}
}
}
_, ok := methodMap[s]
return ok
}
func createMethodMatch(methods ...string) *networking.StringMatch {
var sb strings.Builder
for i := 0; i < len(methods); i++ {
if i != 0 {
sb.WriteString("|")
}
sb.WriteString(methods[i])
}
return &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{
Regex: sb.String(),
},
}
}
func addHeadersMatch(headers map[string]*networking.StringMatch, config *MatchConfig) {
merge(headers, config.Headers)
}
func addQueryParamsMatch(params map[string]*networking.StringMatch, config *MatchConfig) {
merge(params, config.QueryParams)
}
// merge m2 to m1
func merge(m1 map[string]*networking.StringMatch, m2 map[string]map[string]string) {
if m1 == nil {
return
}
for typ, mmap := range m2 {
for k, v := range mmap {
switch typ {
case exact:
if _, ok := m1[k]; !ok {
m1[k] = &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{
Exact: v,
},
}
}
case prefix:
if _, ok := m1[k]; !ok {
m1[k] = &networking.StringMatch{
MatchType: &networking.StringMatch_Prefix{
Prefix: v,
},
}
}
case regex:
if _, ok := m1[k]; !ok {
m1[k] = &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{
Regex: v,
},
}
}
default:
IngressLog.Errorf("unknown type: %q is not supported Match type", typ)
}
}
}
}

375
pkg/ingress/kube/annotations/match_test.go Normal file
View File

@@ -0,0 +1,375 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package annotations
import (
"testing"
"github.com/google/go-cmp/cmp"
networking "istio.io/api/networking/v1alpha3"
)
func TestMatch_ParseMethods(t *testing.T) {
parser := match{}
testCases := []struct {
input Annotations
expect *MatchConfig
}{
{
input: Annotations{},
expect: &MatchConfig{},
},
{
input: Annotations{
buildHigressAnnotationKey(MatchMethod): "PUT POST PATCH",
},
expect: &MatchConfig{
Methods: []string{"PUT", "POST", "PATCH"},
},
},
{
input: Annotations{
buildHigressAnnotationKey(MatchMethod): "PUT PUT",
},
expect: &MatchConfig{
Methods: []string{"PUT"},
},
},
{
input: Annotations{
buildHigressAnnotationKey(MatchMethod): "put post patch",
},
expect: &MatchConfig{
Methods: []string{"PUT", "POST", "PATCH"},
},
},
{
input: Annotations{
buildHigressAnnotationKey(MatchMethod): "geet",
},
expect: &MatchConfig{},
},
}
for _, tt := range testCases {
t.Run("", func(t *testing.T) {
config := &Ingress{}
_ = parser.Parse(tt.input, config, nil)
if diff := cmp.Diff(tt.expect, config.Match); diff != "" {
t.Fatalf("TestMatch_Parse() mismatch (-want +got):\n%s", diff)
}
})
}
}
func TestMatch_ParseHeaders(t *testing.T) {
parser := match{}
testCases := []struct {
typ string
key string
value string
expect map[string]map[string]string
}{
{
typ: "exact",
key: "abc",
value: "123",
expect: map[string]map[string]string{
exact: {
"abc": "123",
},
},
},
{
typ: "prefix",
key: "user-id",
value: "10086-1",
expect: map[string]map[string]string{
prefix: {
"user-id": "10086-1",
},
},
},
{
typ: "regex",
key: "content-type",
value: "application/(json|xml)",
expect: map[string]map[string]string{
regex: {
"content-type": "application/(json|xml)",
},
},
},
}
for _, tt := range testCases {
t.Run("", func(t *testing.T) {
key := buildHigressAnnotationKey(tt.typ + "-" + MatchHeader + "-" + tt.key)
input := Annotations{key: tt.value}
config := &Ingress{}
_ = parser.Parse(input, config, nil)
if diff := cmp.Diff(tt.expect, config.Match.Headers); diff != "" {
t.Fatalf("TestMatch_ParseHeaders() mismatch (-want +got):\n%s", diff)
}
})
}
}
func TestMatch_ParseQueryParams(t *testing.T) {
parser := match{}
testCases := []struct {
typ string
key string
value string
expect map[string]map[string]string
}{
{
typ: "exact",
key: "abc",
value: "123",
expect: map[string]map[string]string{
exact: {
"abc": "123",
},
},
},
{
typ: "prefix",
key: "age",
value: "2",
expect: map[string]map[string]string{
prefix: {
"age": "2",
},
},
},
{
typ: "regex",
key: "name",
value: "B.*",
expect: map[string]map[string]string{
regex: {
"name": "B.*",
},
},
},
}
for _, tt := range testCases {
t.Run("", func(t *testing.T) {
key := buildHigressAnnotationKey(tt.typ + "-" + MatchQuery + "-" + tt.key)
input := Annotations{key: tt.value}
config := &Ingress{}
_ = parser.Parse(input, config, nil)
if diff := cmp.Diff(tt.expect, config.Match.QueryParams); diff != "" {
t.Fatalf("TestMatch_ParseQueryParams() mismatch (-want +got):\n%s", diff)
}
})
}
}
func TestMatch_ApplyRoute(t *testing.T) {
handler := match{}
testCases := []struct {
input *networking.HTTPRoute
config *Ingress
expect *networking.HTTPRoute
}{
// methods
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
config: &Ingress{
Match: &MatchConfig{
Methods: []string{"PUT", "GET", "POST"},
},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Method: &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{Regex: "PUT|GET|POST"},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
},
// headers
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
config: &Ingress{
Match: &MatchConfig{
Headers: map[string]map[string]string{
exact: {"new": "new"},
},
},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Headers: map[string]*networking.StringMatch{
"new": {
MatchType: &networking.StringMatch_Exact{Exact: "new"},
},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
},
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Headers: map[string]*networking.StringMatch{
"origin": {
MatchType: &networking.StringMatch_Exact{Exact: "origin"},
},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
config: &Ingress{
Match: &MatchConfig{
Headers: map[string]map[string]string{
exact: {"new": "new"},
},
},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Headers: map[string]*networking.StringMatch{
"origin": {
MatchType: &networking.StringMatch_Exact{Exact: "origin"},
},
"new": {
MatchType: &networking.StringMatch_Exact{Exact: "new"},
},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
},
// queryParams
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
config: &Ingress{
Match: &MatchConfig{
QueryParams: map[string]map[string]string{
exact: {"new": "new"},
},
},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
QueryParams: map[string]*networking.StringMatch{
"new": {
MatchType: &networking.StringMatch_Exact{Exact: "new"},
},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
},
{
input: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
QueryParams: map[string]*networking.StringMatch{
"origin": {
MatchType: &networking.StringMatch_Exact{Exact: "origin"},
},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
config: &Ingress{
Match: &MatchConfig{
QueryParams: map[string]map[string]string{
exact: {"new": "new"},
},
},
},
expect: &networking.HTTPRoute{
Match: []*networking.HTTPMatchRequest{
{
QueryParams: map[string]*networking.StringMatch{
"origin": {
MatchType: &networking.StringMatch_Exact{Exact: "origin"},
},
"new": {
MatchType: &networking.StringMatch_Exact{Exact: "new"},
},
},
Uri: &networking.StringMatch{
MatchType: &networking.StringMatch_Exact{Exact: "/abc"},
},
},
},
},
},
}
for _, tt := range testCases {
t.Run("", func(t *testing.T) {
handler.ApplyRoute(tt.input, tt.config)
if diff := cmp.Diff(tt.expect, tt.input); diff != "" {
t.Fatalf("TestMatch_Parse() mismatch (-want +got):\n%s", diff)
}
})
}
}

6
pkg/ingress/kube/common/controller.go
View File

@@ -38,6 +38,11 @@ type WrapperConfig struct {
AnnotationsConfig *annotations.Ingress
}
type WrapperConfigWithRuleKey struct {
Config *config.Config
RuleKey string
}
type WrapperGateway struct {
Gateway *networking.Gateway
WrapperConfig *WrapperConfig
@@ -70,6 +75,7 @@ type WrapperHTTPRoute struct {
OriginPathType PathType
WeightTotal int32
IsDefaultBackend bool
RuleKey string
}
func (w *WrapperHTTPRoute) Meta() string {

3
pkg/ingress/kube/common/model.go
View File

@@ -149,7 +149,8 @@ type ConvertOptions struct {
IngressDomainCache *IngressDomainCache
HostAndPath2Ingress map[string]*config.Config
// the host, path, headers, params of rule => ingress
Route2Ingress map[string]*WrapperConfigWithRuleKey
// Record valid/invalid routes from ingress
IngressRouteCache *IngressRouteCache

25
pkg/ingress/kube/common/tool.go
View File

@@ -175,6 +175,9 @@ func SortHTTPRoutes(routes []*WrapperHTTPRoute) {
return false
}
// default backend,user specified root path => path type => path length =>
// methods => header => query param
// refer https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec
sort.SliceStable(routes, func(i, j int) bool {
// Move default backend to end
if isDefaultBackend(routes[i]) {
@@ -193,7 +196,27 @@ func SortHTTPRoutes(routes []*WrapperHTTPRoute) {
}
if routes[i].OriginPathType == routes[j].OriginPathType {
return len(routes[i].OriginPath) > len(routes[j].OriginPath)
if in, jn := len(routes[i].OriginPath), len(routes[j].OriginPath); in != jn {
return in > jn
}
match1, match2 := routes[i].HTTPRoute.Match[0], routes[j].HTTPRoute.Match[0]
// methods
if in, jn := len(match1.Method.GetRegex()), len(match2.Method.GetRegex()); in != jn {
if in != 0 && jn != 0 {
return in < jn
}
return in != 0
}
// headers
if in, jn := len(match1.Headers), len(match2.Headers); in != jn {
return in > jn
}
// query params
if in, jn := len(match1.QueryParams), len(match2.QueryParams); in != jn {
return in > jn
}
return false
}
if routes[i].OriginPathType == Exact {

140
pkg/ingress/kube/common/tool_test.go
View File

@@ -416,3 +416,143 @@ func TestSortRoutes(t *testing.T) {
t.Fatal("should be test-3")
}
}
// TestSortHTTPRoutesWithMoreRules include headers, query params, methods
func TestSortHTTPRoutesWithMoreRules(t *testing.T) {
input := []struct {
order string
pathType PathType
path string
method *networking.StringMatch
header map[string]*networking.StringMatch
queryParam map[string]*networking.StringMatch
}{
{
order: "1",
pathType: Exact,
path: "/bar",
},
{
order: "2",
pathType: Prefix,
path: "/bar",
},
{
order: "3",
pathType: Prefix,
path: "/bar",
method: &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{Regex: "GET|PUT"},
},
},
{
order: "4",
pathType: Prefix,
path: "/bar",
method: &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{Regex: "GET"},
},
},
{
order: "5",
pathType: Prefix,
path: "/bar",
header: map[string]*networking.StringMatch{
"foo": {
MatchType: &networking.StringMatch_Exact{Exact: "bar"},
},
},
},
{
order: "6",
pathType: Prefix,
path: "/bar",
header: map[string]*networking.StringMatch{
"foo": {
MatchType: &networking.StringMatch_Exact{Exact: "bar"},
},
"bar": {
MatchType: &networking.StringMatch_Exact{Exact: "foo"},
},
},
},
{
order: "7",
pathType: Prefix,
path: "/bar",
queryParam: map[string]*networking.StringMatch{
"foo": {
MatchType: &networking.StringMatch_Exact{Exact: "bar"},
},
},
},
{
order: "8",
pathType: Prefix,
path: "/bar",
queryParam: map[string]*networking.StringMatch{
"foo": {
MatchType: &networking.StringMatch_Exact{Exact: "bar"},
},
"bar": {
MatchType: &networking.StringMatch_Exact{Exact: "foo"},
},
},
},
{
order: "9",
pathType: Prefix,
path: "/bar",
method: &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{Regex: "GET"},
},
queryParam: map[string]*networking.StringMatch{
"foo": {
MatchType: &networking.StringMatch_Exact{Exact: "bar"},
},
},
},
{
order: "10",
pathType: Prefix,
path: "/bar",
method: &networking.StringMatch{
MatchType: &networking.StringMatch_Regex{Regex: "GET"},
},
queryParam: map[string]*networking.StringMatch{
"bar": {
MatchType: &networking.StringMatch_Exact{Exact: "foo"},
},
},
},
}
origin := []string{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10"}
expect := []string{"1", "9", "10", "4", "3", "6", "5", "8", "7", "2"}
var list []*WrapperHTTPRoute
for idx, val := range input {
list = append(list, &WrapperHTTPRoute{
OriginPath: val.path,
OriginPathType: val.pathType,
HTTPRoute: &networking.HTTPRoute{
Name: origin[idx],
Match: []*networking.HTTPMatchRequest{
{
Method: val.method,
Headers: val.header,
QueryParams: val.queryParam,
},
},
},
})
}
SortHTTPRoutes(list)
for idx, val := range list {
if val.HTTPRoute.Name != expect[idx] {
t.Fatalf("should be %s, but got %s", expect[idx], val.HTTPRoute.Name)
}
}
}

95
pkg/ingress/kube/ingress/controller.go
View File

@@ -20,6 +20,7 @@ import (
"path"
"reflect"
"regexp"
"sort"
"strings"
"sync"
"time"
@@ -494,9 +495,12 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
// When the host, pathType, path of two rule are same, we think there is a conflict event.
definedRules := sets.NewSet()
// But in across ingresses case, we will restrict this limit.
// When the host, path of two rule in different ingress are same, we think there is a conflict event.
var tempHostAndPath []string
var (
// But in across ingresses case, we will restrict this limit.
// When the {host, path, headers, method, params} of two rule in different ingress are same, we think there is a conflict event.
tempRuleKey []string
)
for _, rule := range ingressV1.Rules {
if rule.HTTP == nil || len(rule.HTTP.Paths) == 0 {
IngressLog.Warnf("invalid ingress rule %s:%s for host %q in cluster %s, no paths defined", cfg.Namespace, cfg.Name, rule.Host, c.options.ClusterId)
@@ -566,13 +570,14 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
ingressRouteBuilder := convertOptions.IngressRouteCache.New(wrapperHttpRoute)
// host and path overlay check across different ingresses.
hostAndPath := wrapperHttpRoute.BasePathFormat()
if preIngress, exist := convertOptions.HostAndPath2Ingress[hostAndPath]; exist {
ingressRouteBuilder.PreIngress = preIngress
hostAndPath := wrapperHttpRoute.PathFormat()
key := createRuleKey(cfg.Annotations, hostAndPath)
wrapperHttpRoute.RuleKey = key
if WrapPreIngress, exist := convertOptions.Route2Ingress[key]; exist {
ingressRouteBuilder.PreIngress = WrapPreIngress.Config
ingressRouteBuilder.Event = common.DuplicatedRoute
}
tempHostAndPath = append(tempHostAndPath, hostAndPath)
tempRuleKey = append(tempRuleKey, key)
// Two duplicated rules in the same ingress.
if ingressRouteBuilder.Event == common.Normal {
@@ -607,10 +612,12 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
convertOptions.IngressRouteCache.Add(ingressRouteBuilder)
}
for _, item := range tempHostAndPath {
// We only record the first
if _, exist := convertOptions.HostAndPath2Ingress[item]; !exist {
convertOptions.HostAndPath2Ingress[item] = cfg
for idx, item := range tempRuleKey {
if val, exist := convertOptions.Route2Ingress[item]; !exist || strings.Compare(val.RuleKey, tempRuleKey[idx]) != 0 {
convertOptions.Route2Ingress[item] = &common.WrapperConfigWithRuleKey{
Config: cfg,
RuleKey: tempRuleKey[idx],
}
}
}
@@ -794,6 +801,7 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
convertOptions.IngressRouteCache.Add(ingressRouteBuilder)
continue
}
canary.RuleKey = createRuleKey(canary.WrapperConfig.Config.Annotations, canary.PathFormat())
canaryConfig := wrapper.AnnotationsConfig.Canary
if byWeight {
@@ -1004,8 +1012,7 @@ func (c *controller) createServiceKey(service *ingress.IngressBackend, namespace
}
func isCanaryRoute(canary, route *common.WrapperHTTPRoute) bool {
return route != nil && canary != nil && !route.WrapperConfig.AnnotationsConfig.IsCanary() && canary.OriginPath == route.OriginPath &&
canary.OriginPathType == route.OriginPathType
return route != nil && canary != nil && !route.WrapperConfig.AnnotationsConfig.IsCanary() && canary.RuleKey == route.RuleKey
}
func (c *controller) backendToRouteDestination(backend *ingress.IngressBackend, namespace string,
@@ -1221,3 +1228,63 @@ func setDefaultMSEIngressOptionalField(ing *ingress.Ingress) {
}
}
}
// createRuleKey according to the pathType, path, methods, headers, params of rules
func createRuleKey(annots map[string]string, hostAndPath string) string {
var (
headers [][2]string
params [][2]string
sb strings.Builder
)
sep := "\n\n"
// path
sb.WriteString(hostAndPath)
sb.WriteString(sep)
// methods
if str, ok := annots[annotations.HigressAnnotationsPrefix+"/"+annotations.MatchMethod]; ok {
sb.WriteString(str)
}
sb.WriteString(sep)
start := len(annotations.HigressAnnotationsPrefix) + 1 // example: higress.io/exact-match-header-key: value
// headers && params
for k, val := range annots {
if idx := strings.Index(k, annotations.MatchHeader); idx != -1 {
key := k[start:idx] + k[idx+len(annotations.MatchHeader)+1:]
headers = append(headers, [2]string{key, val})
}
if idx := strings.Index(k, annotations.MatchQuery); idx != -1 {
key := k[start:idx] + k[idx+len(annotations.MatchQuery)+1:]
params = append(params, [2]string{key, val})
}
}
sort.SliceStable(headers, func(i, j int) bool {
return headers[i][0] < headers[j][0]
})
sort.SliceStable(params, func(i, j int) bool {
return params[i][0] < params[j][0]
})
for idx := range headers {
if idx != 0 {
sb.WriteByte('\n')
}
sb.WriteString(headers[idx][0])
sb.WriteByte('\t')
sb.WriteString(headers[idx][1])
}
sb.WriteString(sep)
for idx := range params {
if idx != 0 {
sb.WriteByte('\n')
}
sb.WriteString(params[idx][0])
sb.WriteByte('\t')
sb.WriteString(params[idx][1])
}
sb.WriteString(sep)
return sb.String()
}

62
pkg/ingress/kube/ingress/controller_test.go
View File

@@ -19,6 +19,7 @@ import (
"testing"
"time"
"github.com/google/go-cmp/cmp"
"istio.io/api/networking/v1alpha3"
"istio.io/istio/pilot/pkg/model"
"istio.io/istio/pkg/config"
@@ -103,10 +104,10 @@ func testApplyCanaryIngress(t *testing.T, c common.IngressController) {
Valid: make(map[string]*common.IngressDomainBuilder),
Invalid: make([]model.IngressDomain, 0),
},
HostAndPath2Ingress: make(map[string]*config.Config),
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
Route2Ingress: map[string]*common.WrapperConfigWithRuleKey{},
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
HTTPRoutes: map[string][]*common.WrapperHTTPRoute{
"test1": make([]*common.WrapperHTTPRoute, 0),
},
@@ -193,11 +194,11 @@ func testApplyDefaultBackend(t *testing.T, c common.IngressController) {
Valid: make(map[string]*common.IngressDomainBuilder),
Invalid: make([]model.IngressDomain, 0),
},
HostAndPath2Ingress: make(map[string]*config.Config),
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
HTTPRoutes: make(map[string][]*common.WrapperHTTPRoute),
Route2Ingress: map[string]*common.WrapperConfigWithRuleKey{},
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
HTTPRoutes: make(map[string][]*common.WrapperHTTPRoute),
},
wrapperConfig: &common.WrapperConfig{Config: &config.Config{
Spec: ingress.IngressSpec{Rules: []ingress.IngressRule{
@@ -385,11 +386,11 @@ func testConvertHTTPRoute(t *testing.T, c common.IngressController) {
Valid: make(map[string]*common.IngressDomainBuilder),
Invalid: make([]model.IngressDomain, 0),
},
HostAndPath2Ingress: make(map[string]*config.Config),
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
HTTPRoutes: make(map[string][]*common.WrapperHTTPRoute),
Route2Ingress: map[string]*common.WrapperConfigWithRuleKey{},
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
HTTPRoutes: make(map[string][]*common.WrapperHTTPRoute),
},
wrapperConfig: &common.WrapperConfig{Config: &config.Config{
Spec: ingress.IngressSpec{Rules: []ingress.IngressRule{
@@ -474,7 +475,7 @@ func testConvertTrafficPolicy(t *testing.T, c common.IngressController) {
Valid: make(map[string]*common.IngressDomainBuilder),
Invalid: make([]model.IngressDomain, 0),
},
HostAndPath2Ingress: make(map[string]*config.Config),
Route2Ingress: map[string]*common.WrapperConfigWithRuleKey{},
VirtualServices: make(map[string]*common.WrapperVirtualService),
Gateways: make(map[string]*common.WrapperGateway),
IngressRouteCache: &common.IngressRouteCache{},
@@ -1291,3 +1292,34 @@ func TestShouldProcessIngressUpdate(t *testing.T) {
t.Fatal("should be true")
}
}
func TestCreateRuleKey(t *testing.T) {
sep := "\n\n"
wrapperHttpRoute := &common.WrapperHTTPRoute{
Host: "higress.com",
OriginPathType: common.Prefix,
OriginPath: "/foo",
}
annots := annotations.Annotations{
buildHigressAnnotationKey(annotations.MatchMethod): "GET PUT",
buildHigressAnnotationKey("exact-" + annotations.MatchHeader + "-abc"): "123",
buildHigressAnnotationKey("prefix-" + annotations.MatchHeader + "-def"): "456",
buildHigressAnnotationKey("exact-" + annotations.MatchQuery + "-region"): "beijing",
buildHigressAnnotationKey("prefix-" + annotations.MatchQuery + "-user-id"): "user-",
}
expect := "higress.com-prefix-/foo" + sep + //host-pathType-path
"GET PUT" + sep + // method
"exact-abc\t123" + "\n" + "prefix-def\t456" + sep + // header
"exact-region\tbeijing" + "\n" + "prefix-user-id\tuser-" + sep // params
key := createRuleKey(annots, wrapperHttpRoute.PathFormat())
if diff := cmp.Diff(expect, key); diff != "" {
t.Errorf("CreateRuleKey() mismatch (-want +got):\n%s", diff)
}
}
func buildHigressAnnotationKey(key string) string {
return annotations.HigressAnnotationsPrefix + "/" + key
}

95
pkg/ingress/kube/ingressv1/controller.go
View File

@@ -20,6 +20,7 @@ import (
"path"
"reflect"
"regexp"
"sort"
"strings"
"sync"
"time"
@@ -476,9 +477,12 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
// When the host, pathType, path of two rule are same, we think there is a conflict event.
definedRules := sets.NewSet()
// But in across ingresses case, we will restrict this limit.
// When the host, path of two rule in different ingress are same, we think there is a conflict event.
var tempHostAndPath []string
var (
// But in across ingresses case, we will restrict this limit.
// When the {host, path, headers, method, params} of two rule in different ingress are same, we think there is a conflict event.
tempRuleKey []string
)
for _, rule := range ingressV1.Rules {
if rule.HTTP == nil || len(rule.HTTP.Paths) == 0 {
IngressLog.Warnf("invalid ingress rule %s:%s for host %q in cluster %s, no paths defined", cfg.Namespace, cfg.Name, rule.Host, c.options.ClusterId)
@@ -548,13 +552,14 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
ingressRouteBuilder := convertOptions.IngressRouteCache.New(wrapperHttpRoute)
// host and path overlay check across different ingresses.
hostAndPath := wrapperHttpRoute.BasePathFormat()
if preIngress, exist := convertOptions.HostAndPath2Ingress[hostAndPath]; exist {
ingressRouteBuilder.PreIngress = preIngress
hostAndPath := wrapperHttpRoute.PathFormat()
key := createRuleKey(cfg.Annotations, hostAndPath)
wrapperHttpRoute.RuleKey = key
if WrapPreIngress, exist := convertOptions.Route2Ingress[key]; exist {
ingressRouteBuilder.PreIngress = WrapPreIngress.Config
ingressRouteBuilder.Event = common.DuplicatedRoute
}
tempHostAndPath = append(tempHostAndPath, hostAndPath)
tempRuleKey = append(tempRuleKey, key)
// Two duplicated rules in the same ingress.
if ingressRouteBuilder.Event == common.Normal {
@@ -589,10 +594,12 @@ func (c *controller) ConvertHTTPRoute(convertOptions *common.ConvertOptions, wra
convertOptions.IngressRouteCache.Add(ingressRouteBuilder)
}
for _, item := range tempHostAndPath {
// We only record the first
if _, exist := convertOptions.HostAndPath2Ingress[item]; !exist {
convertOptions.HostAndPath2Ingress[item] = cfg
for idx, item := range tempRuleKey {
if val, exist := convertOptions.Route2Ingress[item]; !exist || strings.Compare(val.RuleKey, tempRuleKey[idx]) != 0 {
convertOptions.Route2Ingress[item] = &common.WrapperConfigWithRuleKey{
Config: cfg,
RuleKey: tempRuleKey[idx],
}
}
}
@@ -763,6 +770,7 @@ func (c *controller) ApplyCanaryIngress(convertOptions *common.ConvertOptions, w
convertOptions.IngressRouteCache.Add(ingressRouteBuilder)
continue
}
canary.RuleKey = createRuleKey(canary.WrapperConfig.Config.Annotations, canary.PathFormat())
canaryConfig := wrapper.AnnotationsConfig.Canary
if byWeight {
@@ -960,8 +968,7 @@ func (c *controller) createServiceKey(service *ingress.IngressServiceBackend, na
}
func isCanaryRoute(canary, route *common.WrapperHTTPRoute) bool {
return !strings.HasSuffix(route.HTTPRoute.Name, "-canary") && canary.OriginPath == route.OriginPath &&
canary.OriginPathType == route.OriginPathType
return !route.WrapperConfig.AnnotationsConfig.IsCanary() && canary.RuleKey == route.RuleKey
}
func (c *controller) backendToRouteDestination(backend *ingress.IngressBackend, namespace string,
@@ -1171,3 +1178,63 @@ func setDefaultMSEIngressOptionalField(ing *ingress.Ingress) {
}
}
}
// createRuleKey according to the pathType, path, methods, headers, params of rules
func createRuleKey(annots map[string]string, hostAndPath string) string {
var (
headers [][2]string
params [][2]string
sb strings.Builder
)
sep := "\n\n"
// path
sb.WriteString(hostAndPath)
sb.WriteString(sep)
// methods
if str, ok := annots[annotations.HigressAnnotationsPrefix+"/"+annotations.MatchMethod]; ok {
sb.WriteString(str)
}
sb.WriteString(sep)
start := len(annotations.HigressAnnotationsPrefix) + 1 // example: higress.io/exact-match-header-key: value
// headers && params
for k, val := range annots {
if idx := strings.Index(k, annotations.MatchHeader); idx != -1 {
key := k[start:idx] + k[idx+len(annotations.MatchHeader)+1:]
headers = append(headers, [2]string{key, val})
}
if idx := strings.Index(k, annotations.MatchQuery); idx != -1 {
key := k[start:idx] + k[idx+len(annotations.MatchQuery)+1:]
params = append(params, [2]string{key, val})
}
}
sort.SliceStable(headers, func(i, j int) bool {
return headers[i][0] < headers[j][0]
})
sort.SliceStable(params, func(i, j int) bool {
return params[i][0] < params[j][0]
})
for idx := range headers {
if idx != 0 {
sb.WriteByte('\n')
}
sb.WriteString(headers[idx][0])
sb.WriteByte('\t')
sb.WriteString(headers[idx][1])
}
sb.WriteString(sep)
for idx := range params {
if idx != 0 {
sb.WriteByte('\n')
}
sb.WriteString(params[idx][0])
sb.WriteByte('\t')
sb.WriteString(params[idx][1])
}
sb.WriteString(sep)
return sb.String()
}

1
plugins/wasm-cpp/.bazelversion Normal file
View File

@@ -0,0 +1 @@
5.4.0

399
plugins/wasm-cpp/extensions/jwt_auth/README_EN.md Normal file
View File

@@ -0,0 +1,399 @@
# Description
The `jwt-auth` plugin implements authentication and authorization based on JWT (JSON Web Token), supports parsing JWTs from URL parameters, request headers, and Cookie fields from HTTP requests, and verifies whether the token has permission to access.
The difference between this plugin and the JWT authentication in `Security Capabilities->Authentication and Authorization` is that it provides additional capabilities for identifying the caller's identity, supporting the configuration of different JWT credentials for different callers.
# Detailed Description
## 1. Token-based authentication
### 1.1 Introduction
Many open APIs need to identify the identity of the caller and determine whether the requested resource can be returned to the caller based on this identity. Token is a mechanism used for identity verification. Based on this mechanism, the application does not need to retain the user's authentication information or session information on the server, which can realize stateless and distributed web application authorization and provide convenience for application extension.
### 1.2 Process Description
![](process.png)
The above figure is the business process sequence diagram when the gateway uses JWT for authentication, and the following we will describe the steps marked in the figure in detail in words:
1. The client initiates an authentication request to the API gateway, usually carrying the end user's username and password in the request;
2. The gateway forwards the request directly to the backend service;
3. The backend service reads the authentication information (such as the username and password) in the request for verification. After the verification is passed, it uses the private key to generate a standard token and returns it to the gateway;
4. The gateway returns the response with the token to the client, and the client needs to cache this token locally;
5. The client sends a business request to the API gateway, carrying the token in the request;
6. The gateway uses the public key set by the user to verify the token in the request. After the verification is passed, the request is passed through to the backend service;
7. The backend service processes the business and responds;
8. The gateway returns the business response to the client.
In this entire process, the gateway uses the token authentication mechanism to realize the ability of users to use their own user system to authorize their API. Next, we will introduce the structured token JSON Web Token (JWT) used by the gateway to implement token authentication.
### 1.3 JWT
#### 1.3.1 Introduction
JSON Web Token (JWT) is an open standard RFC7519 based on JSON for executing a type of claim to pass between network applications. JWT can generally be used as an independent identity verification token, which can contain user identification, user roles, and permissions information, making it easier to obtain resources from the resource server, and can also add some other necessary declarative information for other business logic, especially suitable for the login scenario of distributed sites.
#### 1.3.2 Composition of JWT
`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ`
As shown in the example above, JWT is a string consisting of three parts:
- Header
- Payload
- Signature
**Header**
The header of the JWT carries two pieces of information:
- The type of the token, which is JWT
- The algorithm used for encryption
The gateway supports the following encryption algorithms:
```text
ES256, ES384, ES512,
HS256, HS384, HS512,
RS256, RS384, RS512,
PS256, PS384, PS512,
EdDSA
```
The complete header looks like the following JSON:
```js
{
'typ': 'JWT',
'alg': 'HS256'
}
```
The header is then Base64-encoded (this encoding can be symmetrically decoded), forming the first part:
`eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9`
**Payload**
The payload is where the actual information is stored. The details are defined below:
```text
iss: The issuer of the token. This indicates who created the token and is a string value.
sub: The subject identifier. This is the unique identifier for the end user provided by the issuer, and is no longer than 255 ASCII characters, and is case-sensitive within the issuer's scope.
aud: The audience(s) of the token, which is an array of case-sensitive strings.
exp: The expiration time of the token, after which the token will be invalidated, is an integer declaration representing the Unix timestamp in seconds.
iat: The issuance time of the token, is an integer declaration representing the Unix timestamp in seconds.
jti: The unique identifier of the token, and the value is unique for every token created by the issuer. It is usually a cryptographically random value to prevent conflicts. This component adds a random entropy that an attacker cannot obtain to the structured token, making it more difficult for the token to be guessed or replayed.
```
Custom fields for a user feature can also be added, such as the example below adding a "name" field for the user's nickname:
```js
{
"sub": "1234567890",
"name": "John Doe"
}
```
The payload is then Base64-encoded, forming the second part of the JWT:
`JTdCJTBBJTIwJTIwJTIyc3ViJTIyJTNBJTIwJTIyMTIzNDU2Nzg5MCUyMiUyQyUwQSUyMCUyMCUyMm5hbWUlMjIlM0ElMjAlMjJKb2huJTIwRG9lJTIyJTBBJTdE`
**Signature**
This part is a string that consists of the Base64-encoded header and Base64-encoded payload concatenated with a period, followed by the encryption of the resulting string using the algorithm specified in the header (where $secret represents the user's private key).
```js
var encodedString = base64UrlEncode(header) + '.' + base64UrlEncode(payload);
var signature = HMACSHA256(encodedString, '$secret');
```
These three parts are then concatenated using periods to form the complete JWT string as shown in the example at the beginning of this section.
#### 1.3.3 Time validity
The gateway will verify the exp field in the token. Once this field has expired, the gateway will consider the token invalid and reject the request directly. The expiration time value must be set.
#### 1.3.4 Several Characteristics of JWT
1. By default, JWT is not encrypted and cannot write secret data into JWT.
2. JWT can not only be used for authentication but also for exchanging information. Using JWT effectively can reduce the number of times servers query the database.
3. The biggest drawback of JWT is that the server cannot invalidate a token during use, or change the token's permission, because the server does not keep the session state. That is, once JWT is issued, it will always be valid before it expires, unless the server deploys additional logic.
4. JWT contains authentication information itself. Once leaked, anyone can obtain all permissions of the token. To reduce theft, the expiration time of JWT should be set relatively short. For some more important permissions, users should be authenticated again when using them.
5. To reduce theft, JWT should not be transmitted in plaintext using the HTTP protocol, and the HTTPS protocol should be used for transmission.
## 2. How to apply the JWT plugin to protect the API of the user system
### 2.1 Generate a pair of JWK (JSON Web Key)
**Method 1: Generate online**
Users can generate the private and public keys used for token generation and verification on this website https://mkjwk.org. The private key is used for the authorization service to issue JWT, and the public key is configured into the JWT plugin for the gateway to verify the signature of the request. Note that the JWKs format configuration used by the gateway requires the public key in the figure below to be placed in the keys structure, such as: `{"keys":[{"kty":"RSA","e":"AQAB",...}]}`
<img src="https://help-static-aliyun-doc.aliyuncs.com/assets/img/zh-CN/2336348951/p135823.png" style="zoom:50%" />
**Method 2: Generate locally**
This article uses a Java example to illustrate, and users of other languages can also find relevant tools to generate key pairs. Create a new Maven project and add the following dependencies:
```xml
<dependency>
<groupId>org.bitbucket.b_c</groupId>
<artifactId>jose4j</artifactId>
<version>0.7.0</version>
</dependency>
```
Use the following code to generate a pair of RSA keys:
```java
RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
final String publicKeyString = rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
final String privateKeyString = rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
```
### 2.2 Implement the token issuance authentication service using the private key in JWK
The Keypair JSON string generated online in Section 2.1 (the first of the three boxes) or privateKeyString JSON string generated locally needs to be used as the private key to issue tokens for trusted users to access protected APIs. The specific implementation can refer to the following example. The form of issuing tokens to customers is determined by the user according to the specific business scenario. The function of issuing tokens can be deployed in the production environment and configured as a normal API for visitors to obtain through username and password, or tokens can be generated directly in the local environment and copied to designated users for use.
```java
import java.security.PrivateKey;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
public class GenerateJwtDemo {
public static void main(String[] args) throws JoseException {
String keyId = "uniq_key";
//Use the Keypair generated in section 2.1 of this article
String privateKeyJson = "{\n"
+ " \"kty\": \"RSA\",\n"
+ " \"d\": "
+
"\"O9MJSOgcjjiVMNJ4jmBAh0mRHF_TlaVva70Imghtlgwxl8BLfcf1S8ueN1PD7xV6Cnq8YenSKsfiNOhC6yZ_fjW1syn5raWfj68eR7cjHWjLOvKjwVY33GBPNOvspNhVAFzeqfWneRTBbga53Agb6jjN0SUcZdJgnelzz5JNdOGaLzhacjH6YPJKpbuzCQYPkWtoZHDqWTzCSb4mJ3n0NRTsWy7Pm8LwG_Fd3pACl7JIY38IanPQDLoighFfo-Lriv5z3IdlhwbPnx0tk9sBwQBTRdZ8JkqqYkxUiB06phwr7mAnKEpQJ6HvhZBQ1cCnYZ_nIlrX9-I7qomrlE1UoQ\",\n"
+ " \"e\": \"AQAB\",\n"
+ " \"alg\": \"RS256\",\n"
+ " \"n\": \"vCuB8MgwPZfziMSytEbBoOEwxsG7XI3MaVMoocziP4SjzU4IuWuE_DodbOHQwb_thUru57_Efe"
+
"--sfATHEa0Odv5ny3QbByqsvjyeHk6ZE4mSAV9BsHYa6GWAgEZtnDceeeDc0y76utXK2XHhC1Pysi2KG8KAzqDa099Yh7s31AyoueoMnrYTmWfEyDsQL_OAIiwgXakkS5U8QyXmWicCwXntDzkIMh8MjfPskesyli0XQD1AmCXVV3h2Opm1Amx0ggSOOiINUR5YRD6mKo49_cN-nrJWjtwSouqDdxHYP-4c7epuTcdS6kQHiQERBd1ejdpAxV4c0t0FHF7MOy9kw\"\n"
+ "}";
JwtClaims claims = new JwtClaims();
claims.setGeneratedJwtId();
claims.setIssuedAtToNow();
//Expiration time must be set
NumericDate date = NumericDate.now();
date.addSeconds(120*60);
claims.setExpirationTime(date);
claims.setNotBeforeMinutesInThePast(1);
claims.setSubject("YOUR_SUBJECT");
claims.setAudience("YOUR_AUDIENCE");
//Add custom parameters, use String type for all values
claims.setClaim("userId", "1213234");
claims.setClaim("email", "userEmail@youapp.com");
JsonWebSignature jws = new JsonWebSignature();
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
jws.setKeyIdHeaderValue(keyId);
jws.setPayload(claims.toJson());
PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyJson)).getPrivateKey();
jws.setKey(privateKey);
String jwtResult = jws.getCompactSerialization();
System.out.println("Generate Json Web token , result is " + jwtResult);
}
}
```
# Plugin Configuration Guide
## Configuration Fields
| Name | Data Type | Required | Default | Description |
| ----------- | --------------- | ------------------------------------------- | ------ | ----------------------------------------------------------- |
| `consumers` | array of object | Yes | - | Configures callers of the service for authenticating requests |
| `_rules_` | array of object | Optional | - | Configures access control lists for specific routes or domains for authorizing requests |
The configuration field descriptions for each item in consumers are as follows:
| Name | Data Type | Required | Default | Description|
| ----------------------- | ----------------- | -------- | ------------------------------------------------- | ------------------------ |
| `name` | string | Yes | - | Configures the name of this consumer |
| `jwks` | string | Yes | - | Specifies a JSON Web Key Set, as defined in https://www.rfc-editor.org/rfc/rfc7517, consisting of public keys (or symmetric keys) used to verify the signature of JWT |
| `issuer` | string | Yes | - | The issuer of the JWT, which should be consistent with the iss field in the payload |
| `claims_to_headers` | array of object | Optional | - | Extracts the specified fields from the JWT's payload and sets them to the specified request headers for forwarding to the backend |
| `from_headers` | array of object | Optional | {"name":"Authorization","value_prefix":"Bearer "} | Extracts the JWT from the specified request headers |
| `from_params` | array of string | Optional | access_token | Extracts the JWT from the specified URL parameters |
| `from_cookies` | array of string | Optional | - | Extracts the JWT from the specified cookie(s) |
| `clock_skew_seconds` | number | Optional | 60 | The amount of clock skew, in seconds, that is allowed when verifying the exp and iat fields of the JWT |
| `keep_token` | bool | Optional | ture | Whether to keep the JWT when forwarding it to the backend |
**Note:**
- The default value is used only if neither `from_headers`, `from_params`, nor `from_cookies` are configured.
The configuration field descriptions for each item in `from_headers` are as follows:
| Name | Data Type | Required| Default | Description |
| ---------------- | --------------- | ------- | ------ | --------------------------------------------------------- |
| `name` | string | Yes | - | Specifies the request header to extract the JWT from |
| `value_prefix` | string | Yes | - | Removes the specified prefix from the request header's value, leaving the rest as the JWT |
The configuration field descriptions for each item in `claims_to_headers` are as follows:
| Name | Data Type | Required| Default | Description |
| ---------------- | --------------- | ------- | ------ | --------------------------------------------------------- |
| `claim` | string | Yes | - | The name of the field in the JWT payload, which must be a string or unsigned integer |
| `header` | string | Yes | - | Sets the value of the specified request header to the value of the specified field in the payload, for forwarding to the backend |
| `override` | bool | Optional | true | If true, overrides an existing header with the same name; if false, appends the header to the existing headers |
The configuration field descriptions for each item in `_rules_` are as follows:
| Name | Data Type | Required| Default | Description |
| ---------------- | --------------- | ------------------------------------------------- | ------ | -------------------------------------------------- |
| `_match_route_` | array of string | Optional, select either `_match_route_` or `_match_domain_` | - | Configures the route names to match|
| `_match_domain_` | array of string | Optional, select either `_match_route_` or `_match_domain_` | - | Configures the domains to match |
| `allow` | array of string | Required | - | Configures the consumer names allowed to access the matched requests |
**Note:**
- If the `_rules_` field is not configured, authentication and authorization are enabled for all routes of the current gateway instance by default;
- For authenticated and authorized requests, a `X-Mse-Consumer` field is added to the request header to identify the caller's name.
## Configuration Example
### Enable for Specific Routes or Domains
The following configuration enables Jwt Auth authentication and authorization for specific routes or domains of the gateway. If a JWT can match multiple `jwks`, the first matching `consumer` is hit according to the configuration order.
```yaml
consumers:
- name: consumer1
issuer: abcd
jwks: |
{
"keys": [
{
"kty": "oct",
"kid": "123",
"k": "hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew",
"alg": "HS256"
}
]
}
- name: consumer2
issuer: abc
jwks: |
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "123",
"alg": "RS256",
"n": "i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw"
}
]
}
# Use the _rules_ field for fine-grained rule configuration
_rules_:
# Rule 1: Effective when matched by route name
- _match_route_:
- route-a
- route-b
allow:
- consumer1
# Rule 2: Effective when matched by domain name
- _match_domain_:
- "*.example.com"
- test.com
allow:
- consumer2
```
In this example, the `route-a` and `route-b` specified in `_match_route_` are the names of the routes filled in when creating the gateway route. When these two routes are matched, access will be allowed for the caller with the `name` of `consumer1`, and other callers will not be allowed to access.
The `*.example.com` and `test.com` specified in `_match_domain_` are used to match the domain names of the requests. When a domain name match is found, access will be allowed for the caller with the `name` of `consumer2`, and other callers will not be allowed to access.
#### According to this configuration, the following requests are allowed:
Assuming the following requests will match the route-a route:
**JWT is set in URL parameter**
```bash
curl 'http://xxx.hello.com/test?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4'
```
**JWT is set in HTTP request header**
```bash
curl http://xxx.hello.com/test -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4'
```
After authentication and authorization, a `X-Mse-Consumer` field will be added in the request header with a value of `consumer1` in this example, to identify the name of the caller.
#### The following requests will be denied:
**Request without JWT provided, returns 401**
```bash
curl http://xxx.hello.com/test
```
**The consumer matched by the provided JWT in the request does not have access, returns 403**
```bash
# consumer1 is not in the allow list of *.example.com
curl 'http://xxx.example.com/test' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4'
```
### Enabling at Gateway Instance Level
The following configuration does not specify the `_rules_` field, so JWT authentication will be enabled at the gateway instance level:
```yaml
consumers:
- name: consumer1
issuer: abcd
jwks: |
{
"keys": [
{
"kty": "oct",
"kid": "123",
"k": "hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew",
"alg": "HS256"
}
]
}
- name: consumer2
issuer: abc
jwks: |
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "123",
"alg": "RS256",
"n": "i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw"
}
]
}
```
# Common Error Codes
|
HTTP Status Code | Error Message | Reason Description|
| ----------- | ---------------------- | -------------------------------------------------------------------------------- |
| 401 | JWT missing | The JWT is not provided in the request header. |
| 401 | JWT expired | The JWT has expired. |
| 401 | JWT verification fails | The JWT payload verification failed, such as the iss mismatch. |
| 403 | Access denied | Access to the current route is denied. |

BIN
plugins/wasm-cpp/extensions/jwt_auth/process.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

19
plugins/wasm-go/Dockerfile
View File

@@ -1,2 +1,17 @@
FROM scratch
COPY main.wasm plugin.wasm
ARG BUILDER=higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/wasm-go-builder:go1.19-tinygo0.27.0
FROM $BUILDER as builder
ARG PLUGIN_NAME=hello-world
WORKDIR /workspace
COPY . .
WORKDIR /workspace/extensions/$PLUGIN_NAME
RUN go mod tidy
RUN tinygo build -o /main.wasm -scheduler=none -target=wasi ./main.go
FROM scratch as output
COPY --from=builder /main.wasm plugin.wasm

84
plugins/wasm-go/DockerfileBuilder Normal file
View File

@@ -0,0 +1,84 @@
# The Dockerfile for wasm-go builder only support amd64 and arm64 yet.
# If you want to build on another architecture, the following information may be helpful.
#
# - arch: amd64 \
# base image: docker.io/ubuntu
# go_url: https://golang.google.cn/dl/go1.20.1.linux-amd64.tar.gz"
# tinygo_url: https://github.com/tinygo-org/tinygo/releases/download/v0.27.0/tinygo_0.27.0_amd64.deb
#
# - arch: arm64
# base image: docker.io/ubuntu
# go_url: https://golang.google.cn/dl/go1.20.1.linux-arm64.tar.gz
# tinygo_url: https://github.com/tinygo-org/tinygo/releases/download/v0.27.0/tinygo_0.27.0_arm64.deb
#
# - arch: armel
# base image: build yourself
# go_url: install from source code
# tinygo_url: build yourself
#
# - arch: i386
# base image: build yourself
# go_url: https://dl.google.com/go/go1.20.1.linux-386.tar.gz
# tinygo_url: build yourself
#
# - arch: mips64el
# base image: build your self
# go_url: https://dl.google.com/go/go1.20.1.linux-386.tar.gz
# tinygo_url: build your self
#
# - arch: ppc64el
# base image: build your self
# go_url: https://dl.google.com/go/go1.20.1.linux-ppc64le.tar.gz
# tinygo_url: build your self
#
# - arch: s390x
# base image: docker.io/ubuntu
# go_url: https://dl.google.com/go/go1.20.1.linux-s390x.tar.gz
# tinygo_url: build your self
#
# - arch: armhf
# base image: build your self
# go_url: https://golang.google.cn/dl/go1.20.1.linux-armv6l.tar.gz
# tinygo_url: https://github.com/tinygo-org/tinygo/releases/download/v0.27.0/tinygo_0.27.0_armhf.deb
ARG BASE_IMAGE=docker.io/ubuntu
FROM $BASE_IMAGE
ARG GO_VERSION
ARG TINYGO_VERSION
LABEL go_version=$GO_VERSION tinygo_version=$TINYGO_VERSION
RUN apt-get update \
&& apt-get install -y wget build-essential \
&& rm -rf /var/lib/apt/lists/*
RUN arch="$(dpkg --print-architecture)"; arch="${arch##*-}"; \
go_url=; \
tinygo_url=; \
go_version=${GO_VERSION:-1.19}; \
tinygo_version=${TINYGO_VERSION:-0.27.0}; \
echo "arch: '$arch'"; \
echo "go go_version: '$go_version'"; \
echo "tinygo_version: '$tinygo_version'"; \
case "$arch" in \
'amd64') \
go_url="https://golang.google.cn/dl/go$go_version.linux-amd64.tar.gz"; \
tinygo_url="https://github.com/tinygo-org/tinygo/releases/download/v$tinygo_version/tinygo_${tinygo_version}_amd64.deb"; \
;; \
'arm64') \
go_url="https://golang.google.cn/dl/go$go_version.linux-arm64.tar.gz"; \
tinygo_url="https://github.com/tinygo-org/tinygo/releases/download/v$tinygo_version/tinygo_${tinygo_version}_arm64.deb"; \
;; \
*) echo >&2 "error: unsupported architecture '$arch' "; exit 1 ;; \
esac; \
echo "go_url: '$go_url'"; \
echo "tinygo_url: '$tinygo_url'"; \
wget -O go.tgz "$go_url" --progress=dot:giga; \
wget -O tinygo.deb "$tinygo_url" --progress=dot:giga; \
echo "Download complete"; \
rm -rf /usr/local/go && tar -C /usr/local -xzf go.tgz && rm -rf go.tgz; \
dpkg -i tinygo.deb && rm -rf tinygo.deb
ENV PATH=$PATH:/usr/local/go/bin:/usr/local/bin

44
plugins/wasm-go/Makefile Normal file
View File

@@ -0,0 +1,44 @@
PLUGIN_NAME ?= hello-world
REGISTRY ?= higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/
GO_VERSION ?= 1.19
TINYGO_VERSION ?= 0.27.0
BUILDER ?= ${REGISTRY}wasm-go-builder:go${GO_VERSION}-tinygo${TINYGO_VERSION}
BUILD_TIME := $(shell date "+%Y%m%d-%H%M%S")
COMMIT_ID := $(shell git rev-parse --short HEAD 2>/dev/null)
IMG ?= ${REGISTRY}${PLUGIN_NAME}:${BUILD_TIME}-${COMMIT_ID}
.DEFAULT:
build:
DOCKER_BUILDKIT=1 docker build --build-arg PLUGIN_NAME=${PLUGIN_NAME} \
--build-arg BUILDER=${BUILDER} \
-t ${IMG} \
--output extensions/${PLUGIN_NAME} \
.
@echo ""
@echo "image: ${IMG}"
@echo "output wasm file: extensions/${PLUGIN_NAME}/plugin.wasm"
build-push: build
docker push ${IMG}
# builder:
# To build a wasm-go-builder image.
# e.g.
# REGISTRY=<your_docker_registry> make builder
# If you want to use Go/TinyGo with another version, please modify GO_VERSION/TINYGO_VERSION.
# After your wasm-go-builder image is built, you can use it to build plugin image.
# e.g.
# PLUGIN_NAME=request-block BUILDER=<your-wasm-go-builder> make
builder:
BUILDER=$(REGISTRY)wasm-go-builder:go$(GO_VERSION)-tinygo$(TINYGO_VERSION)
docker buildx build --no-cache \
--platform linux/amd64,linux/arm64 \
--build-arg BASE_IMAGE=docker.io/ubuntu \
--build-arg GO_VERSION=$(GO_VERSION) \
--build-arg TINYGO_VERSION=$(TINYGO_VERSION) \
-f DockerfileBuilder \
-t ${BUILDER} \
--push \
.
@echo ""
@echo "image: ${BUILDER}"

Some files were not shown because too many files have changed in this diff Show More