(dev-v2.6-archive) Support kiali 1.35 and istio 1.10.1

(partially cherry picked from commit 20ae86582a)
pull/1680/head
Brenda Rearden 2021-06-22 13:17:46 -07:00 committed by Arvind Iyengar
parent e87b6f9cdc
commit a1a3a386bf
No known key found for this signature in database
GPG Key ID: A8DD9BFD6C811498
31 changed files with 966 additions and 25 deletions

@ -0,0 +1,20 @@
apiVersion: v1
appVersion: 1.10.1
description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ for details.
name: rancher-istio
version: 1.10.1
icon: https://charts.rancher.io/assets/logos/istio.svg
keywords:
- networking
- infrastructure
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/namespace: istio-system
catalog.cattle.io/release-name: rancher-istio
catalog.cattle.io/ui-component: istio
catalog.cattle.io/provides-gvr: networking.istio.io.virtualservice/v1beta1
catalog.cattle.io/auto-install: rancher-kiali-server-crd=100.0.0+up1.35.0
catalog.cattle.io/display-name: "Istio"
catalog.cattle.io/os: linux
catalog.cattle.io/requests-cpu: "710m"
catalog.cattle.io/requests-memory: "2314Mi"

@ -0,0 +1,69 @@
# Rancher Istio Installers
A Rancher created chart that packages the istioctl binary to install via a helm chart.
# Installation Requirements
## Chart Dependencies
- rancher-kiali-server-crd chart
# Uninstallation Requirements
To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see installation requirements for chart dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal.
If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error::
`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"`
# Addons
## Kiali
Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard.
#### Dependencies
- rancher-monitoring chart or other Prometheus installation
This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation.
> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding.
The Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces.
To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources.
1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape.
1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces.
#### External Services
##### Prometheus
The `kiali.external_services.prometheus` url is set in the values.yaml:
```
http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }}
```
The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance.
##### Grafana
The `kiali.external_services.grafana` url is set in the values.yaml:
```
http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }}
```
The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance.
##### Tracing
The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml:
```
http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }}
```
The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance.
## Jaeger
Jaeger allows you to trace and monitor distributed microservices.
> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs.
# Installation
```
helm install rancher-istio . --create-namespace -n istio-system
```
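
Review bot: The README text in this hunk has several spelling slips that will ship to users: "error::" (double colon), "dependecy", "succesful", "dependecies" and "Promtheus". The Jaeger link is also pinned to the 1.21 docs; confirm that is still the intended reference for this chart version.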

@ -0,0 +1,45 @@
# Rancher Istio
Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes:
* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh
* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed systemm. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead.
### Dependencies
**Rancher Monitoring or other Prometheus installation**
The Prometheus CRDs are required for installing Kiali which is enabled by default. If you do not have Prometheus installed your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` to bypass this requirement.
### Customization
**Rancher Monitoring**
The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces.
To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources.
1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape.
1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces.
**Custom Prometheus Installation with Kiali**
To use a custom Monitoring installation, set the `kiali.external_services.prometheus` url in the values.yaml. This url depends on the values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` in your rancher-monitoring or other monitoring instance:
```
http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }}
```
**Custom Grafana Installation with Kiali**
To use a custom Grafana installation, set the `kiali.external_services.grafana` url in the values.yaml. This url depends on the values for `nameOverride`, `namespaceOverride`, and `granfa.service.port` in your rancher-monitoring or other grafana instance:
```
http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }}
```
**Custom Tracing Installation with Kiali**
To use a custom Tracing installation, set the `kiali.external_services.tracing` url and update the `.Values.tracing.contextPath` in the rancher-istio values.yaml.
This url depends on the values for `namespaceOverride`, and `.Values.service.externalPort` in your rancher-tracing or other tracing instance.:
```
http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }}
```
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/).
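
Review bot: The Grafana paragraph names the value `granfa.service.port`, which does not match the `grafana.service.port` used in the URL template directly below it, so a user copying the key name will set nothing. Also "systemm" and the trailing "instance.:" need fixing, and the docs link at the end points at the v2.5 Istio docs although this lands on a v2.6 branch.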

@ -0,0 +1,82 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
base:
enabled: {{ .Values.base.enabled }}
cni:
enabled: {{ .Values.cni.enabled }}
egressGateways:
- enabled: {{ .Values.egressGateways.enabled }}
name: istio-egressgateway
ingressGateways:
- enabled: {{ .Values.ingressGateways.enabled }}
name: istio-ingressgateway
k8s:
service:
ports:
- name: status-port
port: 15021
targetPort: 15021
- name: http2
port: 80
targetPort: 8080
nodePort: 31380
- name: https
port: 443
targetPort: 8443
nodePort: 31390
- name: tcp
port: 31400
targetPort: 31400
nodePort: 31400
- name: tls
port: 15443
targetPort: 15443
istiodRemote:
enabled: {{ .Values.istiodRemote.enabled }}
pilot:
enabled: {{ .Values.pilot.enabled }}
hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}
profile: default
tag: {{ .Values.tag }}
revision: {{ .Values.revision }}
meshConfig:
defaultConfig:
proxyMetadata:
{{- if .Values.dns.enabled }}
ISTIO_META_DNS_CAPTURE: "true"
{{- end }}
values:
gateways:
istio-egressgateway:
name: istio-egressgateway
type: {{ .Values.egressGateways.type }}
istio-ingressgateway:
name: istio-ingressgateway
type: {{ .Values.ingressGateways.type }}
global:
istioNamespace: {{ template "istio.namespace" . }}
proxy:
image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
proxy_init:
image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
defaultPodDisruptionBudget:
enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }}
{{- end }}
{{- if .Values.pilot.enabled }}
pilot:
image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }}
{{- end }}
telemetry:
enabled: {{ .Values.telemetry.enabled }}
v2:
enabled: {{ .Values.telemetry.v2.enabled }}
{{- if .Values.cni.enabled }}
cni:
image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }}
excludeNamespaces:
{{- toYaml .Values.cni.excludeNamespaces | nindent 8 }}
logLevel: {{ .Values.cni.logLevel }}
{{- end }}
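
Review bot: `hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}` reads a top-level key, while every image line in this file goes through the `system_default_registry` helper, which reads `.Values.global.cattle.systemDefaultRegistry`. The values.yaml shown in this commit only defines the `global.cattle` key, so `hub` would always render as `docker.io` even when a private registry is configured, and any component that falls back to `hub` would pull from the public registry. Suggest deriving `hub` from the same `global.cattle.systemDefaultRegistry` value. Separately, the ingress gateway hard-codes nodePorts 31380, 31390 and 31400; with the default `type: NodePort` these open on every node, which is worth a line in the README.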

@ -0,0 +1,7 @@
dependencies:
- condition: kiali.enabled
name: kiali
repository: file://./charts/kiali
- condition: tracing.enabled
name: tracing
repository: file://./charts/tracing

@ -0,0 +1,37 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
ingressGateways:
- enabled: true
name: ilb-gateway
namespace: user-ingressgateway-ns
k8s:
resources:
requests:
cpu: 200m
service:
ports:
- name: tcp-citadel-grpc-tls
port: 8060
targetPort: 8060
- name: tcp-dns
port: 5353
serviceAnnotations:
cloud.google.com/load-balancer-type: internal
- enabled: true
name: other-gateway
namespace: cattle-istio-system
k8s:
resources:
requests:
cpu: 200m
service:
ports:
- name: tcp-citadel-grpc-tls
port: 8060
targetPort: 8060
- name: tcp-dns
port: 5353
serviceAnnotations:
cloud.google.com/load-balancer-type: internal

@ -0,0 +1,12 @@
{{/* Ensure namespace is set the same everywhere */}}
{{- define "istio.namespace" -}}
{{- .Release.Namespace | default "istio-system" -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

@ -0,0 +1,43 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: istio-admin
namespace: {{ template "istio.namespace" . }}
rules:
- apiGroups:
- config.istio.io
resources:
- adapters
- attributemanifests
- handlers
- httpapispecbindings
- httpapispecs
- instances
- quotaspecbindings
- quotaspecs
- rules
- templates
verbs: ["get", "watch", "list"]
- apiGroups:
- networking.istio.io
resources:
- destinationrules
- envoyfilters
- gateways
- serviceentries
- sidecars
- virtualservices
- workloadentries
verbs:
- '*'
- apiGroups:
- security.istio.io
resources:
- authorizationpolicies
- peerauthentications
- requestauthentications
verbs:
- '*'
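
Review bot: `metadata.namespace` is set on this ClusterRole, but ClusterRoles are cluster-scoped, so the field has no effect and suggests a scoping that does not exist. Suggest dropping it here and in the istio-edit and istio-view roles, which repeat it.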

@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-installer-base
namespace: {{ template "istio.namespace" . }}
data:
{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}

@ -0,0 +1,120 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-installer
rules:
# istio groups
- apiGroups:
- authentication.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- config.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- install.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- security.istio.io
resources:
- '*'
verbs:
- '*'
# k8s groups
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions.apiextensions.k8s.io
- customresourcedefinitions
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- daemonsets
- deployments
- deployments/finalizers
- ingresses
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- events
- namespaces
- pods
- pods/exec
- persistentvolumeclaims
- secrets
- services
- serviceaccounts
verbs:
- '*'
- apiGroups:
- policy
resourceNames:
- istio-installer
resources:
- podsecuritypolicies
verbs:
- use
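
Review bot: The `rbac.authorization.k8s.io` rule grants `'*'` on clusterroles and clusterrolebindings, and the wildcard includes the `bind` and `escalate` verbs, so the istio-installer service account can grant itself or anyone else any permission in the cluster. Combined with `'*'` on secrets and `pods/exec` in the core group, cluster-wide, this role is equivalent to cluster-admin. Suggest listing the verbs the install script actually needs (for example create, get, list, update, patch, delete), dropping `pods/exec` unless the script depends on it, and removing the redundant `customresourcedefinitions.apiextensions.k8s.io` resource entry.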

@ -0,0 +1,12 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: istio-installer
subjects:
- kind: ServiceAccount
name: istio-installer
namespace: {{ template "istio.namespace" . }}
roleRef:
kind: ClusterRole
name: istio-installer
apiGroup: rbac.authorization.k8s.io
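
Review bot: This binding carries no `helm.sh/hook` annotations, so the istio-installer service account keeps the bound ClusterRole for the whole life of the release, although only the post-install/post-upgrade and pre-delete hook Jobs in this commit use it. Consider whether the binding can be limited to the hook phases, or at least document that a long-lived, highly privileged service account remains in the Istio namespace.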

@ -0,0 +1,43 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
namespace: {{ template "istio.namespace" . }}
name: istio-edit
rules:
- apiGroups:
- config.istio.io
resources:
- adapters
- attributemanifests
- handlers
- httpapispecbindings
- httpapispecs
- instances
- quotaspecbindings
- quotaspecs
- rules
- templates
verbs: ["get", "watch", "list"]
- apiGroups:
- networking.istio.io
resources:
- destinationrules
- envoyfilters
- gateways
- serviceentries
- sidecars
- virtualservices
- workloadentries
verbs:
- '*'
- apiGroups:
- security.istio.io
resources:
- authorizationpolicies
- peerauthentications
- requestauthentications
verbs:
- '*'
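
Review bot: The rules here are identical to istio-admin, so the `aggregate-to-edit` label gives every edit-level user `'*'` on `envoyfilters` and on all three `security.istio.io` resources. That lets an edit user rewrite proxy behaviour or delete an AuthorizationPolicy or PeerAuthentication in their namespace. If that is not intended, keep the security.istio.io and envoyfilters write verbs on istio-admin only and give istio-edit read access to them.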

@ -0,0 +1,51 @@
{{- if .Values.global.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp-istio-cni
namespace: {{ template "istio.namespace" . }}
spec:
allowPrivilegeEscalation: true
fsGroup:
rule: RunAsAny
hostNetwork: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
- configMap
- emptyDir
- hostPath
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: psp-istio-cni
namespace: {{ template "istio.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: psp-istio-cni
subjects:
- kind: ServiceAccount
name: istio-cni
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: psp-istio-cni
namespace: {{ template "istio.namespace" . }}
rules:
- apiGroups:
- policy
resourceNames:
- psp-istio-cni
resources:
- podsecuritypolicies
verbs:
- use
{{- end }}
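
Review bot: The `volumes` list allows `hostPath` with no `allowedHostPaths`, so any pod admitted under psp-istio-cni can mount an arbitrary host directory, and it does so with `hostNetwork: true`, `allowPrivilegeEscalation: true` and `RunAsAny` for the user. Suggest adding `allowedHostPaths` restricted to the directories the CNI installer needs, marking them read-only where possible. The RoleBinding subject `istio-cni` also has no `namespace`, unlike the subject in the istio-installer ClusterRoleBinding; setting it explicitly would make the intent clear.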

@ -0,0 +1,50 @@
apiVersion: batch/v1
kind: Job
metadata:
name: istioctl-installer
namespace: {{ template "istio.namespace" . }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 1
template:
spec:
containers:
- name: istioctl-installer
image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
env:
- name: RELEASE_NAME
value: {{ .Release.Name }}
- name: ISTIO_NAMESPACE
value: {{ template "istio.namespace" . }}
- name: FORCE_INSTALL
value: {{ .Values.forceInstall | default "false" | quote }}
command: ["/bin/sh","-c"]
args: ["/usr/local/app/scripts/run.sh"]
volumeMounts:
- name: config-volume
mountPath: /app/istio-base.yaml
subPath: istio-base.yaml
{{- if .Values.overlayFile }}
- name: overlay-volume
mountPath: /app/overlay-config.yaml
subPath: overlay-config.yaml
{{- end }}
volumes:
- name: config-volume
configMap:
name: istio-installer-base
{{- if .Values.overlayFile }}
- name: overlay-volume
configMap:
name: istio-installer-overlay
{{- end }}
serviceAccountName: istio-installer
{{- if .Values.global.rbac.pspEnabled }}
securityContext:
runAsUser: 101
runAsGroup: 101
{{- end }}
restartPolicy: Never
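
Review bot: The pod `securityContext` with `runAsUser: 101` / `runAsGroup: 101` is wrapped in `{{- if .Values.global.rbac.pspEnabled }}`, so with the default `pspEnabled: false` the installer runs as whatever user the image defaults to while holding the istio-installer service account. The uninstaller Job in this same commit sets the same securityContext unconditionally. Suggest removing the condition here so both hooks run as the non-root user regardless of PSP.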

@ -0,0 +1,30 @@
{{- if .Values.global.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: istio-installer
namespace: {{ template "istio.namespace" . }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'configMap'
- 'secret'
{{- end }}
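
Review bot: This policy does not set `allowPrivilegeEscalation`, which defaults to true for a PodSecurityPolicy, and it has no `requiredDropCapabilities`. The istio-psp policy added in this commit sets `allowPrivilegeEscalation: false` and drops `ALL`; the installer Job only runs a shell script with mounted ConfigMaps, so the same two settings should be safe here as well.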

@ -0,0 +1,81 @@
{{- if .Values.global.rbac.pspEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istio-psp
namespace: {{ template "istio.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istio-psp
subjects:
- kind: ServiceAccount
name: istio-egressgateway-service-account
- kind: ServiceAccount
name: istio-ingressgateway-service-account
- kind: ServiceAccount
name: istio-mixer-service-account
- kind: ServiceAccount
name: istio-operator-authproxy
- kind: ServiceAccount
name: istiod-service-account
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
- kind: ServiceAccount
name: istiocoredns-service-account
- kind: ServiceAccount
name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istio-psp
namespace: {{ template "istio.namespace" . }}
rules:
- apiGroups:
- policy
resourceNames:
- istio-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: istio-psp
namespace: {{ template "istio.namespace" . }}
spec:
allowPrivilegeEscalation: false
forbiddenSysctls:
- '*'
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
{{- end }}
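
Review bot: The RoleBinding subjects include the `default` service account, which means any pod created in the Istio namespace without an explicit service account is admitted under istio-psp. If no chart component runs as `default`, remove that subject. It is also worth checking whether `istio-mixer-service-account` and `istiocoredns-service-account` are still created by the Istio version this chart installs, and adding an explicit `namespace` to each subject as the istio-installer ClusterRoleBinding does.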

@ -0,0 +1,45 @@
apiVersion: batch/v1
kind: Job
metadata:
name: istioctl-uninstaller
namespace: {{ template "istio.namespace" . }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
spec:
containers:
- name: istioctl-uninstaller
image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
env:
- name: RELEASE_NAME
value: {{ .Release.Name }}
- name: ISTIO_NAMESPACE
value: {{ template "istio.namespace" . }}
command: ["/bin/sh","-c"]
args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
volumeMounts:
- name: config-volume
mountPath: /app/istio-base.yaml
subPath: istio-base.yaml
{{- if .Values.overlayFile }}
- name: overlay-volume
mountPath: /app/overlay-config.yaml
subPath: overlay-config.yaml
{{ end }}
volumes:
- name: config-volume
configMap:
name: istio-installer-base
{{- if .Values.overlayFile }}
- name: overlay-volume
configMap:
name: istio-installer-overlay
{{ end }}
serviceAccountName: istio-installer
securityContext:
runAsUser: 101
runAsGroup: 101
restartPolicy: OnFailure
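
Review bot: This pre-delete hook has `restartPolicy: OnFailure` and no `backoffLimit`, whereas the installer Job uses `backoffLimit: 1` with `restartPolicy: Never`. A failing uninstall script will be retried up to the Job default while `helm uninstall` waits on the hook. Suggest an explicit `backoffLimit`. The two `{{ end }}` lines also lack the `-` trim used in the installer Job and will leave blank lines in the rendered manifest.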

@ -0,0 +1,9 @@
{{- if .Values.overlayFile }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-installer-overlay
namespace: {{ template "istio.namespace" . }}
data:
overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
{{- end }}

@ -0,0 +1,51 @@
{{- if .Values.kiali.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: envoy-stats-monitor
namespace: {{ template "istio.namespace" . }}
labels:
monitoring: istio-proxies
spec:
selector:
matchExpressions:
- {key: istio-prometheus-ignore, operator: DoesNotExist}
namespaceSelector:
any: true
jobLabel: envoy-stats
endpoints:
- path: /stats/prometheus
targetPort: 15090
interval: 15s
relabelings:
- sourceLabels: [__meta_kubernetes_pod_container_port_name]
action: keep
regex: '.*-envoy-prom'
- action: labeldrop
regex: "__meta_kubernetes_pod_label_(.+)"
- sourceLabels: [__meta_kubernetes_namespace]
action: replace
targetLabel: namespace
- sourceLabels: [__meta_kubernetes_pod_name]
action: replace
targetLabel: pod_name
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: istio-component-monitor
namespace: {{ template "istio.namespace" . }}
labels:
monitoring: istio-components
spec:
jobLabel: istio
targetLabels: [app]
selector:
matchExpressions:
- {key: istio, operator: In, values: [pilot]}
namespaceSelector:
any: true
endpoints:
- port: http-monitoring
interval: 15s
{{- end -}}

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-installer
namespace: {{ template "istio.namespace" . }}

@ -0,0 +1,41 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
namespace: {{ template "istio.namespace" . }}
name: istio-view
rules:
- apiGroups:
- config.istio.io
resources:
- adapters
- attributemanifests
- handlers
- httpapispecbindings
- httpapispecs
- instances
- quotaspecbindings
- quotaspecs
- rules
- templates
verbs: ["get", "watch", "list"]
- apiGroups:
- networking.istio.io
resources:
- destinationrules
- envoyfilters
- gateways
- serviceentries
- sidecars
- virtualservices
- workloadentries
verbs: ["get", "watch", "list"]
- apiGroups:
- security.istio.io
resources:
- authorizationpolicies
- peerauthentications
- requestauthentications
verbs: ["get", "watch", "list"]

@ -0,0 +1,80 @@
overlayFile: ""
tag: 1.10.1
##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install
forceInstall: false
installer:
repository: rancher/istio-installer
tag: 1.10.1-rancher1
##Native support for dns added in 1.8
dns:
enabled: false
base:
enabled: true
cni:
enabled: false
repository: rancher/mirrored-istio-install-cni
tag: 1.10.1
logLevel: info
excludeNamespaces:
- istio-system
- kube-system
egressGateways:
enabled: false
type: NodePort
ingressGateways:
enabled: true
type: NodePort
istiodRemote:
enabled: false
pilot:
enabled: true
repository: rancher/mirrored-istio-pilot
tag: 1.10.1
telemetry:
enabled: true
v2:
enabled: true
global:
cattle:
systemDefaultRegistry: ""
proxy:
repository: rancher/mirrored-istio-proxyv2
tag: 1.10.1
proxy_init:
repository: rancher/mirrored-istio-proxyv2
tag: 1.10.1
defaultPodDisruptionBudget:
enabled: true
rbac:
pspEnabled: false
# Kiali subchart from rancher-kiali-server
kiali:
enabled: true
auth:
strategy: anonymous
deployment:
ingress_enabled: false
external_services:
prometheus:
custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
tracing:
in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger"
grafana:
in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
tracing:
enabled: false
contextPath: "/jaeger"
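
Review bot: `kiali.auth.strategy: anonymous` makes the Kiali dashboard unauthenticated by default, and the README describes Kiali as a tool to "view and manage" the mesh. `ingress_enabled: false` limits exposure, but anyone who can reach the service (port-forward, in-cluster clients, or an operator later enabling ingress) gets in without credentials. Suggest either a stricter default or a comment next to this key, plus a README note, stating that anonymous access is intentional and what is expected to sit in front of it. The `forceInstall` comment should also say what risk skipping the pre-install analysis carries.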

@ -0,0 +1,2 @@
workingDir: ""
url: packages/rancher-kiali-server

@ -0,0 +1,2 @@
workingDir: ""
url: packages/rancher-tracing

@ -0,0 +1,2 @@
url: local
version: 100.0.0

@ -2,7 +2,7 @@
+++ charts/Chart.yaml
@@ -1,20 +1,29 @@
apiVersion: v2
appVersion: v1.32.0
appVersion: v1.35.0
-description: Kiali is an open source project for service mesh observability, refer
- to https://www.kiali.io for details.
+description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details. This is installed as sub-chart with customized values in Rancher's Istio.
@ -24,8 +24,7 @@
- https://github.com/kiali/kiali-ui
- https://github.com/kiali/kiali-operator
- https://github.com/kiali/helm-charts
-version: 1.32.0
+version: 1.32.1
version: 1.35.0
+annotations:
+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
+ catalog.rancher.io/namespace: cattle-istio-system
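
Review bot: The last annotation uses the key `catalog.rancher.io/namespace` with the value `cattle-istio-system`, while the rancher-istio Chart.yaml added in this commit uses the `catalog.cattle.io/` prefix and `istio-system`. If the `catalog.rancher.io` prefix is not read by the catalog, this annotation is a no-op, and the namespace value disagrees with the parent chart either way. Please confirm both, or drop the annotation.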

@ -1,19 +1,15 @@
--- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl
@@ -17,11 +17,7 @@
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
- {{- if contains $name .Release.Name }}
- {{- .Release.Name | trunc 63 | trimSuffix "-" }}
- {{- else }}
- {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
- {{- end }}
+ {{- printf "%s" $name | trunc 63 | trimSuffix "-" }}
{{- end }}
@@ -19,7 +19,7 @@
Create chart name and version as used by the chart label.
*/}}
{{- define "kiali-server.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- printf "%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
@@ -186,3 +182,11 @@
{{/*
@@ -176,3 +176,11 @@
{{- end }}
{{- end }}
{{- end }}
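
Review bot: In the `kiali-server.chart` helper the patched line is `printf "%s" .Chart.Name .Chart.Version`: one verb with two arguments. Go's printf appends `%!(EXTRA string=<version>)` for the unused argument, so the chart label would render with those characters, which are not valid in a Kubernetes label value. Either keep the original `"%s-%s"` format or drop `.Chart.Version` from the call. Also note that the fullname helper now returns `$name` alone, without `.Release.Name`, so two releases in one namespace would produce colliding resource names.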

@ -9,7 +9,7 @@
imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
name: {{ include "kiali-server.fullname" . }}
command:
@@ -98,6 +98,11 @@
@@ -103,6 +103,11 @@
- name: LOG_SAMPLER_RATE
value: "{{ .Values.deployment.logger.sampler_rate }}"
volumeMounts:
@ -21,7 +21,7 @@
- name: {{ include "kiali-server.fullname" . }}-configuration
mountPath: "/kiali-configuration"
- name: {{ include "kiali-server.fullname" . }}-cert
@@ -113,6 +118,14 @@
@@ -118,6 +123,14 @@
{{- toYaml .Values.deployment.resources | nindent 10 }}
{{- end }}
volumes:

@ -1,6 +1,6 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -9,6 +9,9 @@
@@ -13,6 +13,9 @@
# do this, a PR would be welcome.
kiali_route_url: ""
@ -10,7 +10,7 @@
#
# Settings that mimic the Kiali CR which are placed in the ConfigMap.
# Note that only those values used by the Helm Chart will be here.
@@ -37,10 +40,10 @@
@@ -41,10 +44,10 @@
hpa:
api_version: "autoscaling/v2beta2"
spec: {}
@ -18,12 +18,12 @@
+ repository: rancher/mirrored-kiali-kiali
image_pull_policy: "Always"
image_pull_secrets: []
- image_version: v1.32.0
+ tag: v1.32.0
- image_version: v1.35.0
+ tag: v1.35.0
ingress_enabled: true
instance_name: "kiali"
logger:
log_format: "text"
@@ -78,3 +81,13 @@
@@ -83,3 +86,13 @@
metrics_enabled: true
metrics_port: 9090
web_root: ""

@ -1,4 +1,4 @@
url: https://kiali.org/helm-charts/kiali-server-1.32.0.tgz
url: https://kiali.org/helm-charts/kiali-server-1.35.0.tgz
version: 100.0.0
additionalCharts:
- workingDir: charts-crd
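
Review bot: The upstream chart is referenced only by `url: https://kiali.org/helm-charts/kiali-server-1.35.0.tgz`, with no digest or checksum visible in this file, so the build trusts whatever that URL serves at fetch time. If the packaging tooling has a way to pin a hash for the tarball, it should be recorded here alongside the version bump.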

@ -1,5 +1,5 @@
apiVersion: v2
version: 1.32.1
version: 1.35.0
description: Installs the CRDs for rancher-kiali-server.
name: rancher-kiali-server-crd
type: application