--- # PATCH #1: Creating the istio-system namespace. apiVersion: v1 kind: Namespace metadata: name: istio-system # PATCH #1 ends. --- # Source: istio/charts/mixer/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: app: istio-statsd-prom-bridge chart: mixer-0.8.0 release: RELEASE-NAME heritage: Tiller istio: mixer data: mapping.conf: |- --- apiVersion: v1 kind: ConfigMap metadata: name: istio-mixer-custom-resources namespace: istio-system labels: app: istio-mixer chart: mixer-0.8.0 release: RELEASE-NAME heritage: Tiller istio: mixer data: custom-resources.yaml: |- apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: istioproxy namespace: istio-system spec: attributes: origin.ip: valueType: IP_ADDRESS origin.uid: valueType: STRING origin.user: valueType: STRING request.headers: valueType: STRING_MAP request.id: valueType: STRING request.host: valueType: STRING request.method: valueType: STRING request.path: valueType: STRING request.reason: valueType: STRING request.referer: valueType: STRING request.scheme: valueType: STRING request.total_size: valueType: INT64 request.size: valueType: INT64 request.time: valueType: TIMESTAMP request.useragent: valueType: STRING response.code: valueType: INT64 response.duration: valueType: DURATION response.headers: valueType: STRING_MAP response.total_size: valueType: INT64 response.size: valueType: INT64 response.time: valueType: TIMESTAMP source.uid: valueType: STRING source.user: valueType: STRING destination.uid: valueType: STRING connection.id: valueType: STRING connection.received.bytes: valueType: INT64 connection.received.bytes_total: valueType: INT64 connection.sent.bytes: valueType: INT64 connection.sent.bytes_total: valueType: INT64 connection.duration: valueType: DURATION connection.mtls: valueType: BOOL context.protocol: valueType: STRING context.timestamp: valueType: TIMESTAMP context.time: valueType: TIMESTAMP api.service: valueType: STRING api.version: valueType: STRING api.operation: valueType: STRING api.protocol: valueType: STRING request.auth.principal: valueType: STRING request.auth.audiences: valueType: STRING request.auth.presenter: valueType: STRING request.auth.claims: valueType: STRING_MAP request.auth.raw_claims: valueType: STRING request.api_key: valueType: STRING --- apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: kubernetes namespace: istio-system spec: attributes: source.ip: valueType: IP_ADDRESS source.labels: valueType: STRING_MAP source.name: valueType: STRING source.namespace: valueType: STRING source.service: valueType: STRING source.serviceAccount: valueType: STRING destination.ip: valueType: IP_ADDRESS destination.labels: valueType: STRING_MAP destination.name: valueType: STRING destination.namespace: valueType: STRING destination.service: valueType: STRING destination.serviceAccount: valueType: STRING --- apiVersion: "config.istio.io/v1alpha2" kind: stdio metadata: name: handler namespace: istio-system spec: outputAsJson: true --- apiVersion: "config.istio.io/v1alpha2" kind: logentry metadata: name: accesslog namespace: istio-system spec: severity: '"Info"' timestamp: request.time variables: originIp: origin.ip | ip("0.0.0.0") sourceIp: source.ip | ip("0.0.0.0") sourceService: source.service | "" sourceUser: source.user | source.uid | "" sourceNamespace: source.namespace | "" destinationIp: destination.ip | ip("0.0.0.0") destinationService: destination.service | "" destinationNamespace: destination.namespace | "" apiName: api.service | "" apiVersion: api.version | "" apiClaims: request.headers["sec-istio-auth-userinfo"]| "" apiKey: request.api_key | request.headers["x-api-key"] | "" requestOperation: api.operation | "" protocol: request.scheme | "http" method: request.method | "" url: request.path | "" responseCode: response.code | 0 responseSize: response.size | 0 requestSize: request.size | 0 latency: response.duration | "0ms" connectionMtls: connection.mtls | false userAgent: request.useragent | "" responseTimestamp: response.time receivedBytes: request.total_size | connection.received.bytes | 0 sentBytes: response.total_size | connection.sent.bytes | 0 referer: request.referer | "" monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdio namespace: istio-system spec: match: "true" # If omitted match is true. actions: - handler: handler.stdio instances: - accesslog.logentry --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestcount namespace: istio-system spec: value: "1" dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 connection_mtls: connection.mtls | false monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration namespace: istio-system spec: value: response.duration | "0ms" dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 connection_mtls: connection.mtls | false monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestsize namespace: istio-system spec: value: request.size | 0 dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 connection_mtls: connection.mtls | false monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: responsesize namespace: istio-system spec: value: response.size | 0 dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" response_code: response.code | 200 connection_mtls: connection.mtls | false monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: tcpbytesent namespace: istio-system labels: istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp spec: value: connection.sent.bytes | 0 dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" connection_mtls: connection.mtls | false monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: tcpbytereceived namespace: istio-system labels: istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp spec: value: connection.received.bytes | 0 dimensions: source_service: source.service | "unknown" source_version: source.labels["version"] | "unknown" destination_service: destination.service | "unknown" destination_version: destination.labels["version"] | "unknown" connection_mtls: connection.mtls | false monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: prometheus metadata: name: handler namespace: istio-system spec: metrics: - name: request_count instance_name: requestcount.metric.istio-system kind: COUNTER label_names: - source_service - source_version - destination_service - destination_version - response_code - connection_mtls - name: request_duration instance_name: requestduration.metric.istio-system kind: DISTRIBUTION label_names: - source_service - source_version - destination_service - destination_version - response_code - connection_mtls buckets: explicit_buckets: bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - name: request_size instance_name: requestsize.metric.istio-system kind: DISTRIBUTION label_names: - source_service - source_version - destination_service - destination_version - response_code - connection_mtls buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - name: response_size instance_name: responsesize.metric.istio-system kind: DISTRIBUTION label_names: - source_service - source_version - destination_service - destination_version - response_code - connection_mtls buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - name: tcp_bytes_sent instance_name: tcpbytesent.metric.istio-system kind: COUNTER label_names: - source_service - source_version - destination_service - destination_version - connection_mtls - name: tcp_bytes_received instance_name: tcpbytereceived.metric.istio-system kind: COUNTER label_names: - source_service - source_version - destination_service - destination_version - connection_mtls --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promhttp namespace: istio-system labels: istio-protocol: http spec: actions: - handler: handler.prometheus instances: - requestcount.metric - requestduration.metric - requestsize.metric - responsesize.metric --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcp namespace: istio-system labels: istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP spec: actions: - handler: handler.prometheus instances: - tcpbytesent.metric - tcpbytereceived.metric --- apiVersion: "config.istio.io/v1alpha2" kind: kubernetesenv metadata: name: handler namespace: istio-system spec: # when running from mixer root, use the following config after adding a # symbolic link to a kubernetes config file via: # # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig # # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: kubeattrgenrulerule namespace: istio-system spec: actions: - handler: handler.kubernetesenv instances: - attributes.kubernetes --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: tcpkubeattrgenrulerule namespace: istio-system spec: match: context.protocol == "tcp" actions: - handler: handler.kubernetesenv instances: - attributes.kubernetes --- apiVersion: "config.istio.io/v1alpha2" kind: kubernetes metadata: name: attributes namespace: istio-system spec: # Pass the required attribute data to the adapter source_uid: source.uid | "" source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr destination_uid: destination.uid | "" origin_uid: '""' origin_ip: ip("0.0.0.0") # default to unspecified ip addr attribute_bindings: # Fill the new attributes from the adapter produced output. # $out refers to an instance of OutputTemplate message source.ip: $out.source_pod_ip | ip("0.0.0.0") source.labels: $out.source_labels | emptyStringMap() source.namespace: $out.source_namespace | "default" source.service: $out.source_service | "unknown" source.serviceAccount: $out.source_service_account_name | "unknown" destination.ip: $out.destination_pod_ip | ip("0.0.0.0") destination.labels: $out.destination_labels | emptyStringMap() destination.namespace: $out.destination_namespace | "default" destination.service: $out.destination_service | "unknown" destination.serviceAccount: $out.destination_service_account_name | "unknown" --- # Configuration needed by Mixer. # Mixer cluster is delivered via CDS # Specify mixer cluster settings apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-policy namespace: istio-system spec: host: istio-policy.istio-system.svc.cluster.local trafficPolicy: connectionPool: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-telemetry namespace: istio-system spec: host: istio-telemetry.istio-system.svc.cluster.local trafficPolicy: connectionPool: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 --- --- # Source: istio/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: istio namespace: istio-system labels: app: istio chart: istio-0.8.0 release: RELEASE-NAME heritage: Tiller data: mesh: |- # # Edit this list to avoid using mTLS to connect to these services. # Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar # to transparently terminate mTLS authentication. # mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"] # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. disablePolicyChecks: false # Set enableTracing to false to disable request tracing. enableTracing: true # # To disable the mixer completely (including metrics), comment out # the following lines mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004 mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004 # This is the ingress service name, update if you used a different name ingressService: istio-ingress # # Along with discoveryRefreshDelay, this setting determines how # frequently should Envoy fetch and update its internal configuration # from istio Pilot. Lower refresh delay results in higher CPU # utilization and potential performance loss in exchange for faster # convergence. Tweak this value according to your setup. rdsRefreshDelay: 10s # defaultConfig: # NOTE: If you change any values in this section, make sure to make # the same changes in start up args in istio-ingress pods. # See rdsRefreshDelay for explanation about this setting. discoveryRefreshDelay: 10s # # TCP connection timeout between Envoy & the application, and between Envoys. connectTimeout: 10s # ### ADVANCED SETTINGS ############# # Where should envoy's configuration be stored in the istio-proxy container configPath: "/etc/istio/proxy" binaryPath: "/usr/local/bin/envoy" # The pseudo service name used for Envoy. serviceCluster: istio-proxy # These settings that determine how long an old Envoy # process should be kept alive after an occasional reload. drainDuration: 45s parentShutdownDuration: 1m0s # # The mode used to redirect inbound connections to Envoy. This setting # has no effect on outbound traffic: iptables REDIRECT is always used for # outbound connections. # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. # The "REDIRECT" mode loses source addresses during redirection. # If "TPROXY", use iptables TPROXY to redirect to Envoy. # The "TPROXY" mode preserves both the source and destination IP # addresses and ports, so that they can be used for advanced filtering # and manipulation. # The "TPROXY" mode also configures the sidecar to run with the # CAP_NET_ADMIN capability, which is required to use TPROXY. #interceptionMode: REDIRECT # # Port where Envoy listens (on local host) for admin commands # You can exec into the istio-proxy container in a pod and # curl the admin port (curl http://localhost:15000/) to obtain # diagnostic information from Envoy. See # https://lyft.github.io/envoy/docs/operations/admin.html # for more details proxyAdminPort: 15000 # # Zipkin trace collector zipkinAddress: zipkin.istio-system:9411 # # Statsd metrics collector converts statsd metrics into Prometheus metrics. statsdUdpAddress: istio-statsd-prom-bridge.istio-system:9125 # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running discoveryAddress: istio-pilot.istio-system:15007 --- # Source: istio/templates/sidecar-injector-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: istio-sidecar-injector namespace: istio-system labels: app: istio chart: istio-0.8.0 release: RELEASE-NAME heritage: Tiller istio: sidecar-injector data: config: |- policy: enabled template: |- initContainers: - name: istio-init image: docker.io/istio/proxy_init:0.8.0 args: - "-p" - [[ .MeshConfig.ProxyListenPort ]] - "-u" - 1337 - "-m" - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] - "-i" [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]] - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]" [[ else -]] - "*" [[ end -]] - "-x" [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]] - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]" [[ else -]] - "" [[ end -]] - "-b" [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]] - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]" [[ else -]] - [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]] - "-d" [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]] - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]" [[ else -]] - "" [[ end -]] imagePullPolicy: IfNotPresent securityContext: capabilities: add: - NET_ADMIN privileged: true restartPolicy: Always containers: - name: istio-proxy # PATCH #2: Add a prestop sleep. lifecycle: preStop: exec: command: - /bin/sleep - "20" # PATCH #2 ends. image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]] "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]" [[ else -]] docker.io/istio/proxyv2:0.8.0 [[ end -]] args: - proxy - sidecar - --configPath - [[ .ProxyConfig.ConfigPath ]] - --binaryPath - [[ .ProxyConfig.BinaryPath ]] - --serviceCluster [[ if ne "" (index .ObjectMeta.Labels "app") -]] - [[ index .ObjectMeta.Labels "app" ]] [[ else -]] - "istio-proxy" [[ end -]] - --drainDuration - [[ formatDuration .ProxyConfig.DrainDuration ]] - --parentShutdownDuration - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]] - --discoveryAddress - [[ .ProxyConfig.DiscoveryAddress ]] - --discoveryRefreshDelay - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]] - --zipkinAddress - [[ .ProxyConfig.ZipkinAddress ]] - --connectTimeout - [[ formatDuration .ProxyConfig.ConnectTimeout ]] - --statsdUdpAddress - [[ .ProxyConfig.StatsdUdpAddress ]] - --proxyAdminPort - [[ .ProxyConfig.ProxyAdminPort ]] - --controlPlaneAuthPolicy - [[ .ProxyConfig.ControlPlaneAuthPolicy ]] env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: ISTIO_META_INTERCEPTION_MODE value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] imagePullPolicy: IfNotPresent securityContext: privileged: false readOnlyRootFilesystem: true [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]] capabilities: add: - NET_ADMIN [[ else -]] runAsUser: 1337 [[ end -]] restartPolicy: Always resources: requests: cpu: 100m memory: 128Mi volumeMounts: - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /etc/certs/ name: istio-certs readOnly: true volumes: - emptyDir: medium: Memory name: istio-envoy - name: istio-certs secret: optional: true [[ if eq .Spec.ServiceAccountName "" -]] secretName: istio.default [[ else -]] secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] [[ end -]] --- # Source: istio/charts/egressgateway/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-egressgateway-service-account namespace: istio-system labels: app: egressgateway chart: egressgateway-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/ingress/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-ingress-service-account namespace: istio-system labels: app: ingress chart: ingress-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/ingressgateway/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-ingressgateway-service-account namespace: istio-system labels: app: ingressgateway chart: ingressgateway-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/mixer/templates/create-custom-resources-job.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-mixer-post-install-account namespace: istio-system labels: app: mixer chart: mixer-0.8.0 heritage: Tiller release: RELEASE-NAME --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-mixer-post-install-istio-system namespace: istio-system labels: app: mixer chart: mixer-0.8.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] - apiGroups: ["networking.istio.io"] # needed to create mixer destination rules resources: ["*"] verbs: ["*"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-mixer-post-install-role-binding-istio-system labels: app: mixer chart: mixer-0.8.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-mixer-post-install-istio-system subjects: - kind: ServiceAccount name: istio-mixer-post-install-account namespace: istio-system --- apiVersion: batch/v1 kind: Job metadata: name: istio-mixer-post-install namespace: istio-system annotations: "helm.sh/hook": post-install "helm.sh/hook-delete-policy": before-hook-creation labels: app: mixer chart: mixer-0.8.0 release: RELEASE-NAME heritage: Tiller spec: template: metadata: name: istio-mixer-post-install labels: app: mixer release: RELEASE-NAME spec: serviceAccountName: istio-mixer-post-install-account containers: - name: hyperkube image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" command: - ./kubectl - apply - -f - /tmp/mixer/custom-resources.yaml volumeMounts: - mountPath: "/tmp/mixer" name: tmp-configmap-mixer volumes: - name: tmp-configmap-mixer configMap: name: istio-mixer-custom-resources restartPolicy: Never # CRD might take some time till they are available to consume --- # Source: istio/charts/mixer/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-mixer-service-account namespace: istio-system labels: app: mixer chart: mixer-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/pilot/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-pilot-service-account namespace: istio-system labels: app: istio-pilot chart: pilot-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/security/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-citadel-service-account namespace: istio-system labels: app: security chart: security-0.8.0 heritage: Tiller release: RELEASE-NAME --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-cleanup-old-ca-service-account namespace: istio-system labels: app: security chart: security-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-sidecar-injector-service-account namespace: istio-system labels: app: istio-sidecar-injector chart: sidecarInjectorWebhook-0.8.0 heritage: Tiller release: RELEASE-NAME --- # Source: istio/charts/mixer/templates/crds.yaml # Mixer CRDs kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rules.config.istio.io labels: app: mixer package: istio.io.mixer istio: core spec: group: config.istio.io names: kind: rule plural: rules singular: rule scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: attributemanifests.config.istio.io labels: app: mixer package: istio.io.mixer istio: core spec: group: config.istio.io names: kind: attributemanifest plural: attributemanifests singular: attributemanifest scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: circonuses.config.istio.io labels: app: mixer package: circonus istio: mixer-adapter spec: group: config.istio.io names: kind: circonus plural: circonuses singular: circonus scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: deniers.config.istio.io labels: app: mixer package: denier istio: mixer-adapter spec: group: config.istio.io names: kind: denier plural: deniers singular: denier scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: fluentds.config.istio.io labels: app: mixer package: fluentd istio: mixer-adapter spec: group: config.istio.io names: kind: fluentd plural: fluentds singular: fluentd scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: kubernetesenvs.config.istio.io labels: app: mixer package: kubernetesenv istio: mixer-adapter spec: group: config.istio.io names: kind: kubernetesenv plural: kubernetesenvs singular: kubernetesenv scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: listcheckers.config.istio.io labels: app: mixer package: listchecker istio: mixer-adapter spec: group: config.istio.io names: kind: listchecker plural: listcheckers singular: listchecker scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: memquotas.config.istio.io labels: app: mixer package: memquota istio: mixer-adapter spec: group: config.istio.io names: kind: memquota plural: memquotas singular: memquota scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: noops.config.istio.io labels: app: mixer package: noop istio: mixer-adapter spec: group: config.istio.io names: kind: noop plural: noops singular: noop scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: opas.config.istio.io labels: app: mixer package: opa istio: mixer-adapter spec: group: config.istio.io names: kind: opa plural: opas singular: opa scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: prometheuses.config.istio.io labels: app: mixer package: prometheus istio: mixer-adapter spec: group: config.istio.io names: kind: prometheus plural: prometheuses singular: prometheus scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: rbacs.config.istio.io labels: app: mixer package: rbac istio: mixer-adapter spec: group: config.istio.io names: kind: rbac plural: rbacs singular: rbac scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicecontrols.config.istio.io labels: app: mixer package: servicecontrol istio: mixer-adapter spec: group: config.istio.io names: kind: servicecontrol plural: servicecontrols singular: servicecontrol scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: solarwindses.config.istio.io labels: app: mixer package: solarwinds istio: mixer-adapter spec: group: config.istio.io names: kind: solarwinds plural: solarwindses singular: solarwinds scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: stackdrivers.config.istio.io labels: app: mixer package: stackdriver istio: mixer-adapter spec: group: config.istio.io names: kind: stackdriver plural: stackdrivers singular: stackdriver scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: statsds.config.istio.io labels: app: mixer package: statsd istio: mixer-adapter spec: group: config.istio.io names: kind: statsd plural: statsds singular: statsd scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: stdios.config.istio.io labels: app: mixer package: stdio istio: mixer-adapter spec: group: config.istio.io names: kind: stdio plural: stdios singular: stdio scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: apikeys.config.istio.io labels: app: mixer package: apikey istio: mixer-instance spec: group: config.istio.io names: kind: apikey plural: apikeys singular: apikey scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: authorizations.config.istio.io labels: app: mixer package: authorization istio: mixer-instance spec: group: config.istio.io names: kind: authorization plural: authorizations singular: authorization scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: checknothings.config.istio.io labels: app: mixer package: checknothing istio: mixer-instance spec: group: config.istio.io names: kind: checknothing plural: checknothings singular: checknothing scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: kuberneteses.config.istio.io labels: app: mixer package: adapter.template.kubernetes istio: mixer-instance spec: group: config.istio.io names: kind: kubernetes plural: kuberneteses singular: kubernetes scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: listentries.config.istio.io labels: app: mixer package: listentry istio: mixer-instance spec: group: config.istio.io names: kind: listentry plural: listentries singular: listentry scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: logentries.config.istio.io labels: app: mixer package: logentry istio: mixer-instance spec: group: config.istio.io names: kind: logentry plural: logentries singular: logentry scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: metrics.config.istio.io labels: app: mixer package: metric istio: mixer-instance spec: group: config.istio.io names: kind: metric plural: metrics singular: metric scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: quotas.config.istio.io labels: app: mixer package: quota istio: mixer-instance spec: group: config.istio.io names: kind: quota plural: quotas singular: quota scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: reportnothings.config.istio.io labels: app: mixer package: reportnothing istio: mixer-instance spec: group: config.istio.io names: kind: reportnothing plural: reportnothings singular: reportnothing scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicecontrolreports.config.istio.io labels: app: mixer package: servicecontrolreport istio: mixer-instance spec: group: config.istio.io names: kind: servicecontrolreport plural: servicecontrolreports singular: servicecontrolreport scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: tracespans.config.istio.io labels: app: mixer package: tracespan istio: mixer-instance spec: group: config.istio.io names: kind: tracespan plural: tracespans singular: tracespan scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: serviceroles.config.istio.io labels: app: mixer package: istio.io.mixer istio: rbac spec: group: config.istio.io names: kind: ServiceRole plural: serviceroles singular: servicerole scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: servicerolebindings.config.istio.io labels: app: mixer package: istio.io.mixer istio: rbac spec: group: config.istio.io names: kind: ServiceRoleBinding plural: servicerolebindings singular: servicerolebinding scope: Namespaced version: v1alpha2 --- # Source: istio/charts/pilot/templates/crds.yaml apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: destinationpolicies.config.istio.io labels: app: istio-pilot spec: group: config.istio.io names: kind: DestinationPolicy listKind: DestinationPolicyList plural: destinationpolicies singular: destinationpolicy scope: Namespaced version: v1alpha2 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: egressrules.config.istio.io labels: app: istio-pilot spec: group: config.istio.io names: kind: EgressRule listKind: EgressRuleList plural: egressrules singular: egressrule scope: Namespaced version: v1alpha2 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: routerules.config.istio.io labels: app: istio-pilot spec: group: config.istio.io names: kind: RouteRule listKind: RouteRuleList plural: routerules singular: routerule scope: Namespaced version: v1alpha2 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: virtualservices.networking.istio.io labels: app: istio-pilot spec: group: networking.istio.io names: kind: VirtualService listKind: VirtualServiceList plural: virtualservices singular: virtualservice scope: Namespaced version: v1alpha3 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: destinationrules.networking.istio.io labels: app: istio-pilot spec: group: networking.istio.io names: kind: DestinationRule listKind: DestinationRuleList plural: destinationrules singular: destinationrule scope: Namespaced version: v1alpha3 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: serviceentries.networking.istio.io labels: app: istio-pilot spec: group: networking.istio.io names: kind: ServiceEntry listKind: ServiceEntryList plural: serviceentries singular: serviceentry scope: Namespaced version: v1alpha3 --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: gateways.networking.istio.io labels: app: istio-pilot spec: group: networking.istio.io names: kind: Gateway plural: gateways singular: gateway scope: Namespaced version: v1alpha3 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: policies.authentication.istio.io spec: group: authentication.istio.io names: kind: Policy plural: policies singular: policy scope: Namespaced version: v1alpha1 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: httpapispecbindings.config.istio.io spec: group: config.istio.io names: kind: HTTPAPISpecBinding plural: httpapispecbindings singular: httpapispecbinding scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: httpapispecs.config.istio.io spec: group: config.istio.io names: kind: HTTPAPISpec plural: httpapispecs singular: httpapispec scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: quotaspecbindings.config.istio.io spec: group: config.istio.io names: kind: QuotaSpecBinding plural: quotaspecbindings singular: quotaspecbinding scope: Namespaced version: v1alpha2 --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: quotaspecs.config.istio.io spec: group: config.istio.io names: kind: QuotaSpec plural: quotaspecs singular: quotaspec scope: Namespaced version: v1alpha2 --- # Source: istio/charts/ingress/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: app: ingress chart: ingress-0.8.0 heritage: Tiller release: RELEASE-NAME name: istio-ingress-istio-system rules: - apiGroups: ["extensions"] resources: ["thirdpartyresources", "ingresses"] verbs: ["get", "watch", "list", "update"] - apiGroups: [""] resources: ["configmaps", "pods", "endpoints", "services"] verbs: ["get", "watch", "list"] --- # Source: istio/charts/mixer/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-mixer-istio-system namespace: istio-system labels: app: mixer chart: mixer-0.8.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"] verbs: ["get", "list", "watch"] --- # Source: istio/charts/pilot/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-pilot-istio-system namespace: istio-system labels: app: istio-pilot chart: pilot-0.8.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["config.istio.io"] resources: ["*"] verbs: ["*"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["*"] - apiGroups: ["authentication.istio.io"] resources: ["*"] verbs: ["*"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["*"] - apiGroups: ["extensions"] resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"] verbs: ["*"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] - apiGroups: [""] resources: ["endpoints", "pods", "services"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["namespaces", "nodes", "secrets"] verbs: ["get", "list", "watch"] --- # Source: istio/charts/security/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-citadel-istio-system namespace: istio-system labels: app: security chart: security-0.8.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: [""] resources: ["secrets"] verbs: ["create", "get", "watch", "list", "update", "delete"] - apiGroups: [""] resources: ["serviceaccounts"] verbs: ["get", "watch", "list"] - apiGroups: [""] resources: ["services"] verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: istio-cleanup-old-ca-istio-system namespace: istio-system labels: app: security chart: security-0.8.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: [""] resources: ["deployments", "serviceaccounts", "services"] verbs: ["get", "delete"] - apiGroups: ["extensions"] resources: ["deployments", "replicasets"] verbs: ["get", "list", "update", "delete"] --- # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: istio-sidecar-injector-istio-system labels: app: istio-sidecar-injector chart: sidecarInjectorWebhook-0.8.0 heritage: Tiller release: RELEASE-NAME rules: - apiGroups: ["*"] resources: ["configmaps"] verbs: ["get", "list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] verbs: ["get", "list", "watch", "patch"] --- # Source: istio/charts/ingress/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-ingress-istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-pilot-istio-system subjects: - kind: ServiceAccount name: istio-ingress-service-account namespace: istio-system --- # Source: istio/charts/mixer/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-mixer-admin-role-binding-istio-system labels: app: mixer chart: mixer-0.8.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-mixer-istio-system subjects: - kind: ServiceAccount name: istio-mixer-service-account namespace: istio-system --- # Source: istio/charts/pilot/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-pilot-istio-system labels: app: istio-pilot chart: pilot-0.8.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-pilot-istio-system subjects: - kind: ServiceAccount name: istio-pilot-service-account namespace: istio-system --- # Source: istio/charts/security/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-citadel-istio-system labels: app: security chart: security-0.8.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-citadel-istio-system subjects: - kind: ServiceAccount name: istio-citadel-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: istio-cleanup-old-ca-istio-system namespace: istio-system labels: app: security chart: security-0.8.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istio-cleanup-old-ca-istio-system subjects: - kind: ServiceAccount name: istio-cleanup-old-ca-service-account namespace: istio-system --- # Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: istio-sidecar-injector-admin-role-binding-istio-system labels: app: istio-sidecar-injector chart: sidecarInjectorWebhook-0.8.0 heritage: Tiller release: RELEASE-NAME roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-sidecar-injector-istio-system subjects: - kind: ServiceAccount name: istio-sidecar-injector-service-account namespace: istio-system --- # Source: istio/charts/egressgateway/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-egressgateway namespace: istio-system labels: chart: egressgateway-0.8.0 release: RELEASE-NAME heritage: Tiller istio: egressgateway spec: type: ClusterIP selector: istio: egressgateway ports: - name: http port: 80 - name: https port: 443 --- # Source: istio/charts/ingress/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-ingress namespace: istio-system labels: chart: ingress-0.8.0 release: RELEASE-NAME heritage: Tiller istio: ingress spec: type: LoadBalancer selector: istio: ingress ports: - name: http nodePort: 32000 port: 80 - name: https port: 443 --- --- # Source: istio/charts/ingressgateway/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-ingressgateway namespace: istio-system labels: chart: ingressgateway-0.8.0 release: RELEASE-NAME heritage: Tiller istio: ingressgateway spec: type: LoadBalancer selector: istio: ingressgateway ports: - name: http nodePort: 31380 port: 80 - name: https nodePort: 31390 port: 443 - name: tcp nodePort: 31400 port: 31400 --- # Source: istio/charts/mixer/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-policy namespace: istio-system labels: chart: mixer-0.8.0 release: RELEASE-NAME istio: mixer spec: ports: - name: grpc-mixer port: 9091 - name: grpc-mixer-mtls port: 15004 - name: http-monitoring port: 9093 selector: istio: mixer istio-mixer-type: policy --- apiVersion: v1 kind: Service metadata: name: istio-telemetry namespace: istio-system labels: chart: mixer-0.8.0 release: RELEASE-NAME istio: mixer spec: ports: - name: grpc-mixer port: 9091 - name: grpc-mixer-mtls port: 15004 - name: http-monitoring port: 9093 - name: prometheus port: 42422 selector: istio: mixer istio-mixer-type: telemetry --- --- # Source: istio/charts/mixer/templates/statsdtoprom.yaml --- apiVersion: v1 kind: Service metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: chart: mixer-0.8.0 release: RELEASE-NAME istio: statsd-prom-bridge spec: ports: - name: statsd-prom port: 9102 - name: statsd-udp port: 9125 protocol: UDP selector: istio: statsd-prom-bridge --- apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-statsd-prom-bridge namespace: istio-system labels: chart: mixer-0.8.0 release: RELEASE-NAME istio: mixer spec: template: metadata: labels: istio: statsd-prom-bridge annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-mixer-service-account volumes: - name: config-volume configMap: name: istio-statsd-prom-bridge containers: - name: statsd-prom-bridge image: "prom/statsd-exporter:latest" imagePullPolicy: IfNotPresent ports: - containerPort: 9102 - containerPort: 9125 protocol: UDP args: - '-statsd.mapping-config=/etc/statsd/mapping.conf' resources: {} volumeMounts: - name: config-volume mountPath: /etc/statsd --- # Source: istio/charts/pilot/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-pilot namespace: istio-system labels: app: istio-pilot chart: pilot-0.8.0 release: RELEASE-NAME heritage: Tiller spec: ports: - port: 15003 name: http-old-discovery # mTLS or non-mTLS depending on auth setting - port: 15005 name: https-discovery # always mTLS - port: 15007 name: http-discovery # always plain-text - port: 15010 name: grpc-xds # direct - port: 15011 name: https-xds # mTLS - port: 8080 name: http-legacy-discovery # direct - port: 9093 name: http-monitoring selector: istio: pilot --- # Source: istio/charts/security/templates/service.yaml apiVersion: v1 kind: Service metadata: # we use the normal name here (e.g. 'prometheus') # as grafana is configured to use this as a data source name: istio-citadel namespace: istio-system labels: app: istio-citadel spec: ports: - name: grpc-citadel port: 8060 targetPort: 8060 protocol: TCP - name: http-monitoring port: 9093 selector: istio: citadel --- # Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-sidecar-injector namespace: istio-system labels: istio: sidecar-injector spec: ports: - port: 443 selector: istio: sidecar-injector --- # Source: istio/charts/egressgateway/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-egressgateway namespace: istio-system labels: app: egressgateway chart: egressgateway-0.8.0 release: RELEASE-NAME heritage: Tiller istio: egressgateway spec: replicas: template: metadata: labels: istio: egressgateway annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-egressgateway-service-account containers: - name: egressgateway image: "docker.io/istio/proxyv2:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 args: - proxy - router - -v - "2" - --discoveryRefreshDelay - '1s' #discoveryRefreshDelay - --drainDuration - '45s' #drainDuration - --parentShutdownDuration - '1m0s' #parentShutdownDuration - --connectTimeout - '10s' #connectTimeout - --serviceCluster - istio-egressgateway - --zipkinAddress - zipkin:9411 - --statsdUdpAddress - istio-statsd-prom-bridge:9125 - --proxyAdminPort - "15000" - --controlPlaneAuthPolicy - NONE - --discoveryAddress - istio-pilot:8080 resources: {} env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true volumes: - name: istio-certs secret: secretName: "istio.default" optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/ingress/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-ingress namespace: istio-system labels: app: ingress chart: ingress-0.8.0 release: RELEASE-NAME heritage: Tiller istio: ingress spec: replicas: template: metadata: labels: istio: ingress annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-ingress-service-account containers: - name: ingress image: "docker.io/istio/proxy:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 args: - proxy - ingress - -v - "2" - --discoveryRefreshDelay - '1s' #discoveryRefreshDelay - --drainDuration - '45s' #drainDuration - --parentShutdownDuration - '1m0s' #parentShutdownDuration - --connectTimeout - '10s' #connectTimeout - --serviceCluster - istio-ingress - --zipkinAddress - zipkin:9411 - --statsdUdpAddress - istio-statsd-prom-bridge:9125 - --proxyAdminPort - "15000" - --controlPlaneAuthPolicy - NONE - --discoveryAddress - istio-pilot:8080 resources: {} env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true - name: ingress-certs mountPath: /etc/istio/ingress-certs readOnly: true volumes: - name: istio-certs secret: secretName: "istio.default" optional: true - name: ingress-certs secret: secretName: istio-ingress-certs optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/ingressgateway/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-ingressgateway namespace: istio-system labels: app: ingressgateway chart: ingressgateway-0.8.0 release: RELEASE-NAME heritage: Tiller istio: ingressgateway spec: replicas: template: metadata: labels: istio: ingressgateway annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: ingressgateway image: "docker.io/istio/proxyv2:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 - containerPort: 31400 args: - proxy - router - -v - "2" - --discoveryRefreshDelay - '1s' #discoveryRefreshDelay - --drainDuration - '45s' #drainDuration - --parentShutdownDuration - '1m0s' #parentShutdownDuration - --connectTimeout - '10s' #connectTimeout - --serviceCluster - istio-ingressgateway - --zipkinAddress - zipkin:9411 - --statsdUdpAddress - istio-statsd-prom-bridge:9125 - --proxyAdminPort - "15000" - --controlPlaneAuthPolicy - NONE - --discoveryAddress - istio-pilot:8080 resources: {} env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true - name: ingressgateway-certs mountPath: "/etc/istio/ingressgateway-certs" readOnly: true volumes: - name: istio-certs secret: secretName: "istio.default" optional: true - name: ingressgateway-certs secret: secretName: "istio-ingressgateway-certs" optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/mixer/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-policy namespace: istio-system labels: chart: mixer-0.8.0 release: RELEASE-NAME istio: mixer spec: replicas: 1 template: metadata: labels: istio: mixer istio-mixer-type: policy annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-mixer-service-account volumes: - name: istio-certs secret: secretName: istio.istio-mixer-service-account optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x containers: - name: mixer image: "docker.io/istio/mixer:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9092 - containerPort: 9093 - containerPort: 42422 args: - --address - tcp://127.0.0.1:9092 - --configStoreURL=k8s:// - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans resources: {} - name: istio-proxy image: "docker.io/istio/proxyv2:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 - containerPort: 15004 args: - proxy - --serviceCluster - istio-policy - --templateFile - /etc/istio/proxy/envoy_policy.yaml.tmpl - --controlPlaneAuthPolicy - NONE env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP resources: requests: cpu: 100m memory: 128Mi volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true --- apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-telemetry namespace: istio-system labels: chart: mixer-0.8.0 release: RELEASE-NAME istio: mixer spec: replicas: 1 template: metadata: labels: istio: mixer istio-mixer-type: telemetry annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-mixer-service-account volumes: - name: istio-certs secret: secretName: istio.istio-mixer-service-account optional: true containers: - name: mixer image: "docker.io/istio/mixer:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9092 - containerPort: 9093 - containerPort: 42422 args: - --address - tcp://127.0.0.1:9092 - --configStoreURL=k8s:// - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans resources: {} - name: istio-proxy image: "docker.io/istio/proxyv2:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 9091 - containerPort: 15004 args: - proxy - --serviceCluster - istio-telemetry - --templateFile - /etc/istio/proxy/envoy_telemetry.yaml.tmpl - --controlPlaneAuthPolicy - NONE env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP resources: requests: cpu: 100m memory: 128Mi volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true --- --- # Source: istio/charts/pilot/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-pilot namespace: istio-system # TODO: default tempate doesn't have this, which one is right ? labels: app: istio-pilot chart: pilot-0.8.0 release: RELEASE-NAME heritage: Tiller istio: pilot annotations: checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 spec: replicas: 1 template: metadata: labels: istio: pilot annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-pilot-service-account containers: - name: discovery image: "docker.io/istio/pilot:0.8.0" imagePullPolicy: IfNotPresent args: - "discovery" # TODO(sdake) remove when secrets are automagically registered ports: - containerPort: 8080 - containerPort: 15010 readinessProbe: httpGet: path: /v1/registration port: 8080 initialDelaySeconds: 30 periodSeconds: 30 timeoutSeconds: 5 env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: PILOT_THROTTLE value: "500" - name: PILOT_CACHE_SQUASH value: "5" resources: {} volumeMounts: - name: config-volume mountPath: /etc/istio/config - name: istio-certs mountPath: /etc/certs readOnly: true - name: istio-proxy image: "docker.io/istio/proxyv2:0.8.0" imagePullPolicy: IfNotPresent ports: - containerPort: 15003 - containerPort: 15005 - containerPort: 15007 - containerPort: 15011 args: - proxy - --serviceCluster - istio-pilot - --templateFile - /etc/istio/proxy/envoy_pilot.yaml.tmpl - --controlPlaneAuthPolicy - NONE env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP resources: requests: cpu: 100m memory: 128Mi volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true volumes: - name: config-volume configMap: name: istio - name: istio-certs secret: secretName: "istio.istio-pilot-service-account" affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/security/templates/deployment.yaml # istio CA watching all namespaces apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-citadel namespace: istio-system labels: app: security chart: security-0.8.0 release: RELEASE-NAME heritage: Tiller istio: citadel spec: replicas: 1 template: metadata: labels: istio: citadel annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-citadel-service-account containers: - name: citadel image: "docker.io/istio/citadel:0.8.0" imagePullPolicy: IfNotPresent args: - --append-dns-names=true - --grpc-port=8060 - --grpc-hostname=citadel - --self-signed-ca=true - --citadel-storage-namespace=istio-system resources: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-sidecar-injector namespace: istio-system labels: app: sidecarInjectorWebhook chart: sidecarInjectorWebhook-0.8.0 release: RELEASE-NAME heritage: Tiller istio: sidecar-injector spec: replicas: template: metadata: labels: istio: sidecar-injector spec: serviceAccountName: istio-sidecar-injector-service-account containers: - name: sidecar-injector-webhook image: "docker.io/istio/sidecar_injector:0.8.0" imagePullPolicy: IfNotPresent args: - --caCertFile=/etc/istio/certs/root-cert.pem - --tlsCertFile=/etc/istio/certs/cert-chain.pem - --tlsKeyFile=/etc/istio/certs/key.pem - --injectConfig=/etc/istio/inject/config - --meshConfig=/etc/istio/config/mesh - --healthCheckInterval=2s - --healthCheckFile=/health volumeMounts: - name: config-volume mountPath: /etc/istio/config readOnly: true - name: certs mountPath: /etc/istio/certs readOnly: true - name: inject-config mountPath: /etc/istio/inject readOnly: true livenessProbe: exec: command: - /usr/local/bin/sidecar-injector - probe - --probe-path=/health - --interval=2s initialDelaySeconds: 4 periodSeconds: 4 readinessProbe: exec: command: - /usr/local/bin/sidecar-injector - probe - --probe-path=/health - --interval=2s initialDelaySeconds: 4 periodSeconds: 4 volumes: - name: config-volume configMap: name: istio - name: certs secret: secretName: istio.istio-sidecar-injector-service-account - name: inject-config configMap: name: istio-sidecar-injector items: - key: config path: config affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/security/templates/cleanup-old-ca.yaml apiVersion: batch/v1 kind: Job metadata: name: istio-cleanup-old-ca namespace: istio-system annotations: "helm.sh/hook": post-install "helm.sh/hook-delete-policy": hook-succeeded labels: app: security chart: security-0.8.0 release: RELEASE-NAME heritage: Tiller spec: template: metadata: name: istio-cleanup-old-ca labels: app: security release: RELEASE-NAME spec: serviceAccountName: istio-cleanup-old-ca-service-account containers: - name: hyperkube image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" command: - /bin/bash - -c - > NS="-n istio-system"; ./kubectl get deploy istio-ca $NS; if [[ $? = 0 ]]; then ./kubectl delete deploy istio-ca $NS; fi; ./kubectl get serviceaccount istio-ca-service-account $NS; if [[ $? = 0 ]]; then ./kubectl delete serviceaccount istio-ca-service-account $NS; fi; ./kubectl get service istio-ca-ilb $NS; if [[ $? = 0 ]]; then ./kubectl delete service istio-ca-ilb $NS; fi restartPolicy: Never --- # Source: istio/charts/egressgateway/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istio-egressgateway namespace: istio-system spec: maxReplicas: 1 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 kind: Deployment name: istio-egressgateway metrics: - type: Resource resource: name: cpu targetAverageUtilization: 80 --- # Source: istio/charts/ingress/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istio-ingress namespace: istio-system spec: maxReplicas: 1 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 kind: Deployment name: istio-ingress metrics: - type: Resource resource: name: cpu targetAverageUtilization: 80 --- # Source: istio/charts/ingressgateway/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istio-ingressgateway namespace: istio-system spec: maxReplicas: 1 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 kind: Deployment name: istio-ingressgateway metrics: - type: Resource resource: name: cpu targetAverageUtilization: 80 --- # Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector namespace: istio-system labels: app: istio-sidecar-injector chart: sidecarInjectorWebhook-0.8.0 release: RELEASE-NAME heritage: Tiller webhooks: - name: sidecar-injector.istio.io clientConfig: service: name: istio-sidecar-injector namespace: istio-system path: "/inject" caBundle: "" rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] failurePolicy: Fail namespaceSelector: matchLabels: istio-injection: enabled --- # Source: istio/charts/mixer/templates/config.yaml