--- # PATCH #1: Creating the istio-system namespace. apiVersion: v1 kind: Namespace metadata: name: istio-system labels: istio-injection: disabled # PATCH #1 ends. --- # Source: istio/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: istio namespace: istio-system labels: app: istio chart: istio heritage: Tiller release: release-name data: mesh: |- # Set the following variable to true to disable policy checks by the Mixer. # Note that metrics will still be reported to the Mixer. disablePolicyChecks: true # Set enableTracing to false to disable request tracing. enableTracing: true # Set accessLogFile to empty string to disable access log. accessLogFile: "/dev/stdout" # If accessLogEncoding is TEXT, value will be used directly as the log format # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" # If AccessLogEncoding is JSON, value will be parsed as map[string]string # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' # Leave empty to use default log format accessLogFormat: "" # Set accessLogEncoding to JSON or TEXT to configure sidecar access log accessLogEncoding: 'TEXT' # Let Pilot give ingresses the public IP of the Istio ingressgateway ingressService: istio-ingressgateway # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS connectTimeout: 10s # DNS refresh rate for Envoy clusters of type STRICT_DNS dnsRefreshRate: 5s # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. sdsUdsPath: # This flag is used by secret discovery service(SDS). # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which # will be used to generate key/cert eventually. This isn't supported for non-k8s case. enableSdsTokenMount: false # This flag is used by secret discovery service(SDS). # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) # and pass to sds server, which will be used to request key/cert eventually. # this flag is ignored if enableSdsTokenMount is set. # This isn't supported for non-k8s case. sdsUseK8sSaJwt: false # The trust domain corresponds to the trust root of a system. # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain trustDomain: # Set the default behavior of the sidecar for handling outbound traffic from the application: # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no # services or ServiceEntries for the destination port # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well # as those defined through ServiceEntries outboundTrafficPolicy: mode: ALLOW_ANY localityLbSetting: {} # The namespace to treat as the administrative root namespace for istio # configuration. rootNamespace: istio-system defaultConfig: # # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters # defined in Envoy's configuration file connectTimeout: 10s # ### ADVANCED SETTINGS ############# # Where should envoy's configuration be stored in the istio-proxy container configPath: "/etc/istio/proxy" binaryPath: "/usr/local/bin/envoy" # The pseudo service name used for Envoy. serviceCluster: istio-proxy # These settings that determine how long an old Envoy # process should be kept alive after an occasional reload. drainDuration: 45s parentShutdownDuration: 1m0s # # The mode used to redirect inbound connections to Envoy. This setting # has no effect on outbound traffic: iptables REDIRECT is always used for # outbound connections. # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. # The "REDIRECT" mode loses source addresses during redirection. # If "TPROXY", use iptables TPROXY to redirect to Envoy. # The "TPROXY" mode preserves both the source and destination IP # addresses and ports, so that they can be used for advanced filtering # and manipulation. # The "TPROXY" mode also configures the sidecar to run with the # CAP_NET_ADMIN capability, which is required to use TPROXY. #interceptionMode: REDIRECT # # Port where Envoy listens (on local host) for admin commands # You can exec into the istio-proxy container in a pod and # curl the admin port (curl http://localhost:15000/) to obtain # diagnostic information from Envoy. See # https://lyft.github.io/envoy/docs/operations/admin.html # for more details proxyAdminPort: 15000 # # Set concurrency to a specific number to control the number of Proxy worker threads. # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: 2 # tracing: zipkin: # Address of the Zipkin collector address: zipkin.istio-system:9411 # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running discoveryAddress: istio-pilot.istio-system:15010 # Configuration file for the mesh networks to be used by the Split Horizon EDS. meshNetworks: |- networks: {} --- # Source: istio/charts/gateways/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: cluster-local-gateway-service-account namespace: istio-system labels: app: cluster-local-gateway chart: gateways heritage: Tiller release: release-name --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-ingressgateway-service-account namespace: istio-system labels: app: istio-ingressgateway chart: gateways heritage: Tiller release: release-name --- --- # Source: istio/charts/pilot/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-pilot-service-account namespace: istio-system labels: app: pilot chart: pilot heritage: Tiller release: release-name --- # Source: istio/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: istio-multi namespace: istio-system --- # Source: istio/charts/gateways/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-local-gateway-istio-system labels: app: cluster-local-gateway chart: gateways heritage: Tiller release: release-name rules: - apiGroups: ["networking.istio.io"] resources: ["virtualservices", "destinationrules", "gateways"] verbs: ["get", "watch", "list", "update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-ingressgateway-istio-system labels: app: ingressgateway chart: gateways heritage: Tiller release: release-name rules: - apiGroups: ["networking.istio.io"] resources: ["virtualservices", "destinationrules", "gateways"] verbs: ["get", "watch", "list", "update"] --- --- # Source: istio/charts/pilot/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-pilot-istio-system labels: app: pilot chart: pilot heritage: Tiller release: release-name rules: - apiGroups: ["config.istio.io"] resources: ["*"] verbs: ["*"] - apiGroups: ["rbac.istio.io"] resources: ["*"] verbs: ["get", "watch", "list"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["*"] - apiGroups: ["authentication.istio.io"] resources: ["*"] verbs: ["*"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["*"] - apiGroups: ["extensions"] resources: ["ingresses", "ingresses/status"] verbs: ["*"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] - apiGroups: [""] resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] verbs: ["get", "list", "watch"] --- # Source: istio/templates/clusterrole.yaml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: istio-reader rules: - apiGroups: [''] resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] verbs: ['get', 'watch', 'list'] - apiGroups: ["extensions", "apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] --- # Source: istio/charts/gateways/templates/clusterrolebindings.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-local-gateway-istio-system labels: app: cluster-local-gateway chart: gateways heritage: Tiller release: release-name roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-local-gateway-istio-system subjects: - kind: ServiceAccount name: cluster-local-gateway-service-account namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-ingressgateway-istio-system labels: app: ingressgateway chart: gateways heritage: Tiller release: release-name roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-ingressgateway-istio-system subjects: - kind: ServiceAccount name: istio-ingressgateway-service-account namespace: istio-system --- --- # Source: istio/charts/pilot/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-pilot-istio-system labels: app: pilot chart: pilot heritage: Tiller release: release-name roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-pilot-istio-system subjects: - kind: ServiceAccount name: istio-pilot-service-account namespace: istio-system --- # Source: istio/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-multi labels: chart: istio-1.1.0 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-reader subjects: - kind: ServiceAccount name: istio-multi namespace: istio-system --- # Source: istio/charts/gateways/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: istio-ingressgateway-sds namespace: istio-system rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] --- --- # Source: istio/charts/gateways/templates/rolebindings.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: istio-ingressgateway-sds namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: istio-ingressgateway-sds subjects: - kind: ServiceAccount name: istio-ingressgateway-service-account --- --- # Source: istio/charts/gateways/templates/service.yaml apiVersion: v1 kind: Service metadata: name: cluster-local-gateway namespace: istio-system annotations: labels: chart: gateways heritage: Tiller release: release-name app: cluster-local-gateway istio: cluster-local-gateway spec: type: ClusterIP selector: release: release-name app: cluster-local-gateway istio: cluster-local-gateway ports: - name: status-port port: 15020 - name: http2 port: 80 - name: https port: 443 --- apiVersion: v1 kind: Service metadata: name: istio-ingressgateway namespace: istio-system annotations: labels: chart: gateways heritage: Tiller release: release-name app: istio-ingressgateway istio: ingressgateway spec: type: LoadBalancer selector: release: release-name app: istio-ingressgateway istio: ingressgateway ports: - name: status-port port: 15020 - name: http2 port: 80 - name: https port: 443 --- --- # Source: istio/charts/pilot/templates/service.yaml apiVersion: v1 kind: Service metadata: name: istio-pilot namespace: istio-system labels: app: pilot chart: pilot heritage: Tiller release: release-name istio: pilot spec: ports: - port: 15010 name: grpc-xds # direct - port: 15011 name: https-xds # mTLS - port: 8080 name: http-legacy-discovery # direct - port: 15014 name: http-monitoring selector: istio: pilot --- # Source: istio/charts/gateways/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: cluster-local-gateway namespace: istio-system labels: chart: gateways heritage: Tiller release: release-name app: cluster-local-gateway istio: cluster-local-gateway spec: replicas: 1 template: metadata: labels: chart: gateways heritage: Tiller release: release-name app: cluster-local-gateway istio: cluster-local-gateway annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: cluster-local-gateway-service-account containers: - name: istio-proxy image: "docker.io/istio/proxyv2:1.1.7" imagePullPolicy: IfNotPresent ports: - containerPort: 15020 - containerPort: 80 - containerPort: 443 - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --log_output_level=default:info - --drainDuration - '45s' #drainDuration - --parentShutdownDuration - '1m0s' #parentShutdownDuration - --connectTimeout - '10s' #connectTimeout - --serviceCluster - cluster-local-gateway - --zipkinAddress - zipkin:9411 - --proxyAdminPort - "15000" - --statusPort - "15020" - --controlPlaneAuthPolicy - NONE - --discoveryAddress - istio-pilot:15010 readinessProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15020 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 10m env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: ISTIO_META_CONFIG_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: istio-certs mountPath: /etc/certs readOnly: true - name: cluster-local-gateway-certs mountPath: "/etc/istio/cluster-local-gateway-certs" readOnly: true - name: cluster-local-gateway-ca-certs mountPath: "/etc/istio/cluster-local-gateway-ca-certs" readOnly: true volumes: - name: istio-certs secret: secretName: istio.cluster-local-gateway-service-account optional: true - name: cluster-local-gateway-certs secret: secretName: "istio-cluster-local-gateway-certs" optional: true - name: cluster-local-gateway-ca-certs secret: secretName: "istio-cluster-local-gateway-ca-certs" optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-ingressgateway namespace: istio-system labels: chart: gateways heritage: Tiller release: release-name app: istio-ingressgateway istio: ingressgateway spec: template: metadata: labels: chart: gateways heritage: Tiller release: release-name app: istio-ingressgateway istio: ingressgateway annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-ingressgateway-service-account containers: - name: ingress-sds image: "docker.io/istio/node-agent-k8s:1.1.7" imagePullPolicy: IfNotPresent resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 100m memory: 128Mi env: - name: "ENABLE_WORKLOAD_SDS" value: "false" - name: "ENABLE_INGRESS_GATEWAY_SDS" value: "true" - name: "INGRESS_GATEWAY_NAMESPACE" valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace volumeMounts: - name: ingressgatewaysdsudspath mountPath: /var/run/ingress_gateway - name: istio-proxy image: "docker.io/istio/proxyv2:1.1.7" imagePullPolicy: IfNotPresent ports: - containerPort: 15020 - containerPort: 80 - containerPort: 443 - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --log_output_level=default:info - --drainDuration - '45s' #drainDuration - --parentShutdownDuration - '1m0s' #parentShutdownDuration - --connectTimeout - '10s' #connectTimeout - --serviceCluster - istio-ingressgateway - --zipkinAddress - zipkin:9411 - --proxyAdminPort - "15000" - --statusPort - "15020" - --controlPlaneAuthPolicy - NONE - --discoveryAddress - istio-pilot:15010 readinessProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15020 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 100m memory: 128Mi env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: ISTIO_META_POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: ISTIO_META_CONFIG_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: ISTIO_META_USER_SDS value: "true" - name: ISTIO_META_ROUTER_MODE value: sni-dnat volumeMounts: - name: ingressgatewaysdsudspath mountPath: /var/run/ingress_gateway - name: istio-certs mountPath: /etc/certs readOnly: true - name: ingressgateway-certs mountPath: "/etc/istio/ingressgateway-certs" readOnly: true - name: ingressgateway-ca-certs mountPath: "/etc/istio/ingressgateway-ca-certs" readOnly: true volumes: - name: ingressgatewaysdsudspath emptyDir: {} - name: istio-certs secret: secretName: istio.istio-ingressgateway-service-account optional: true - name: ingressgateway-certs secret: secretName: "istio-ingressgateway-certs" optional: true - name: ingressgateway-ca-certs secret: secretName: "istio-ingressgateway-ca-certs" optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- --- # Source: istio/charts/pilot/templates/deployment.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: istio-pilot namespace: istio-system # TODO: default template doesn't have this, which one is right ? labels: app: pilot chart: pilot heritage: Tiller release: release-name istio: pilot annotations: checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 spec: strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 0 selector: matchLabels: istio: pilot template: metadata: labels: app: pilot chart: pilot heritage: Tiller release: release-name istio: pilot annotations: sidecar.istio.io/inject: "false" spec: serviceAccountName: istio-pilot-service-account containers: - name: discovery image: "docker.io/istio/pilot:1.1.7" imagePullPolicy: IfNotPresent args: - "discovery" - --monitoringAddr=:15014 - --log_output_level=default:info - --domain - cluster.local - --secureGrpcAddr - "" - --keepaliveMaxServerConnectionAge - "30m" ports: - containerPort: 8080 - containerPort: 15010 - containerPort: 15011 readinessProbe: httpGet: path: /ready port: 8080 initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: GODEBUG value: "gctrace=1" - name: PILOT_PUSH_THROTTLE value: "100" - name: PILOT_TRACE_SAMPLING value: "100" - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY value: "1" resources: requests: cpu: 100m memory: 256Mi volumeMounts: - name: config-volume mountPath: /etc/istio/config - name: istio-certs mountPath: /etc/certs readOnly: true volumes: - name: config-volume configMap: name: istio - name: istio-certs secret: secretName: istio.istio-pilot-service-account optional: true affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x preferredDuringSchedulingIgnoredDuringExecution: - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le - weight: 2 preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x --- # Source: istio/charts/gateways/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istio-ingressgateway namespace: istio-system labels: app: ingressgateway chart: gateways heritage: Tiller release: release-name spec: maxReplicas: 1 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 kind: Deployment name: istio-ingressgateway metrics: - type: Resource resource: name: cpu targetAverageUtilization: 80 --- --- # Source: istio/charts/pilot/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: istio-pilot namespace: istio-system labels: app: pilot chart: pilot heritage: Tiller release: release-name spec: maxReplicas: 5 minReplicas: 1 scaleTargetRef: apiVersion: apps/v1beta1 kind: Deployment name: istio-pilot metrics: - type: Resource resource: name: cpu targetAverageUtilization: 80 --- --- # Source: istio/charts/gateways/templates/poddisruptionbudget.yaml --- # Source: istio/charts/gateways/templates/preconfigured.yaml --- # Source: istio/charts/mixer/templates/autoscale.yaml --- # Source: istio/charts/mixer/templates/clusterrole.yaml --- # Source: istio/charts/mixer/templates/clusterrolebinding.yaml --- # Source: istio/charts/mixer/templates/config.yaml --- # Source: istio/charts/mixer/templates/deployment.yaml --- # Source: istio/charts/mixer/templates/poddisruptionbudget.yaml --- # Source: istio/charts/mixer/templates/service.yaml --- # Source: istio/charts/mixer/templates/serviceaccount.yaml --- # Source: istio/charts/pilot/templates/meshexpansion.yaml --- # Source: istio/charts/pilot/templates/poddisruptionbudget.yaml --- # Source: istio/templates/endpoints.yaml --- # Source: istio/templates/install-custom-resources.sh.tpl --- # Source: istio/templates/service.yaml --- # Source: istio/templates/sidecar-injector-configmap.yaml