From 04e0926a710eae2ee6124b5ad855add55912b36a Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Thu, 21 Nov 2024 22:50:24 +0000 Subject: [PATCH 1/5] add istio 1.24 folder --- .../1.24/rancher-istio/charts/Chart.yaml | 24 ++ .../1.24/rancher-istio/charts/README.md | 79 ++++++ .../1.24/rancher-istio/charts/app-readme.md | 65 +++++ .../charts/configs/istio-base.yaml | 140 +++++++++++ .../rancher-istio/charts/requirements.yaml | 9 + .../charts/samples/overlay-example.yaml | 37 +++ .../charts/templates/_helpers.tpl | 27 +++ .../charts/templates/admin-role.yaml | 43 ++++ .../charts/templates/base-config-map.yaml | 7 + .../charts/templates/clusterrole.yaml | 143 +++++++++++ .../charts/templates/clusterrolebinding.yaml | 12 + .../charts/templates/edit-role.yaml | 43 ++++ .../charts/templates/istio-cni-psp.yaml | 51 ++++ .../charts/templates/istio-install-job.yaml | 66 ++++++ .../charts/templates/istio-install-psp.yaml | 30 +++ .../charts/templates/istio-psp.yaml | 81 +++++++ .../charts/templates/istio-uninstall-job.yaml | 53 +++++ .../charts/templates/overlay-config-map.yaml | 9 + .../charts/templates/service-monitors.yaml | 51 ++++ .../charts/templates/serviceaccount.yaml | 5 + .../templates/validate-psp-install.yaml | 7 + .../charts/templates/view-role.yaml | 41 ++++ .../1.24/rancher-istio/charts/values.yaml | 121 ++++++++++ .../dependencies/kiali/dependency.yaml | 2 + .../dependencies/tracing/dependency.yaml | 2 + .../1.24/rancher-istio/package.yaml | 2 + .../overlay/templates/deployment.yaml.orig | 224 ++++++++++++++++++ .../overlay/templates/psp.yaml | 67 ++++++ .../templates/validate-psp-install.yaml | 7 + .../overlay/templates/web-root-configmap.yaml | 12 + .../generated-changes/patch/Chart.yaml.patch | 31 +++ .../patch/templates/_helpers.tpl.patch | 49 ++++ .../patch/templates/deployment.yaml.patch | 69 ++++++ .../generated-changes/patch/values.yaml.patch | 39 +++ .../1.24/rancher-kiali-server/package.yaml | 2 + .../1.24/rancher-tracing/charts/.helmignore | 23 ++ .../1.24/rancher-tracing/charts/Chart.yaml | 12 + 
.../1.24/rancher-tracing/charts/README.md | 5 + .../charts/templates/_affinity.tpl | 92 +++++++ .../charts/templates/_helpers.tpl | 47 ++++ .../charts/templates/deployment.yaml | 94 ++++++++ .../rancher-tracing/charts/templates/psp.yaml | 76 ++++++ .../rancher-tracing/charts/templates/pvc.yaml | 16 ++ .../charts/templates/service.yaml | 70 ++++++ .../charts/templates/serviceaccount.yaml | 9 + .../templates/validate-psp-install.yaml | 7 + .../1.24/rancher-tracing/charts/values.yaml | 53 +++++ .../1.24/rancher-tracing/package.yaml | 2 + 48 files changed, 2156 insertions(+) create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/README.md create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml create mode 100644 
packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/values.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/package.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch create mode 100644 
packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/package.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/README.md create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/package.yaml
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml
new file mode 100644
index 0000000000..c7337bd268
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml
@@ -0,0 +1,24 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Istio
+ catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
+ catalog.cattle.io/namespace: istio-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/release-name: rancher-istio
+ catalog.cattle.io/requests-cpu: 710m
+ catalog.cattle.io/requests-memory: 2314Mi
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: istio
+ catalog.cattle.io/upstream-version: 1.23.2
+apiVersion: v1
+appVersion: 1.23.2
+description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/
+ for details.
+icon: https://charts.rancher.io/assets/logos/istio.svg
+keywords:
+- networking
+- infrastructure
+name: rancher-istio
+version: 1.23.2
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/README.md b/packages/rancher-istio/1.24/rancher-istio/charts/README.md
new file mode 100644
index 0000000000..2230c61859
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/README.md
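Review bot: The chart metadata still advertises Istio 1.23.2 — `catalog.cattle.io/upstream-version: 1.23.2`, `appVersion: 1.23.2` and `version: 1.23.2` — although this file lives under the new `1.24` package folder and the commit is titled "add istio 1.24 folder". Presumably a later patch in this 5-part series bumps these; if not, the Rancher catalog will display the wrong upstream version, and the `kube-version` range copied from the 1.23 chart may not reflect what the 1.24 control plane actually supports. Worth confirming the bump lands before the series merges.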
@@ -0,0 +1,79 @@
+# Rancher-Istio Chart
+
+Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization.
+
+See the app-readme for known issues and deprecations.
+
+## Installation Requirements
+
+#### Chart Dependencies
+- rancher-monitoring chart or other Prometheus installation
+
+#### Install
+To install the rancher-istio chart with helm, use the following command:
+```
+helm install rancher-istio --create-namespace -n istio-system
+```
+
+#### Uninstall
+To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal.
+
+**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:**
+`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"`
+
+## Addons
+The addons that are included with rancher-istio are:
+
+- Kiali
+- Jaeger
+
+Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon.
+### Kiali Addon
+
+Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard.
+
+#### Kiali Dependencies
+##### rancher-monitoring chart or other Prometheus installation
+
+This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation.
+
+#### Prometheus Configuration for Kiali
+> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding.
+
+The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces.
+
+To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources.
+
+1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape.
+1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces.
+
+#### Kiali External Services
+
+The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing.
+
+##### Prometheus
+The `kiali.external_services.prometheus` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Grafana
+The `kiali.external_services.grafana` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Tracing
+The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml:
+```
+http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }}
+```
+The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance.
+
+## Jaeger Addon
+
+Jaeger allows you to trace and monitor distributed microservices.
+
+> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs.
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md b/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md
new file mode 100644
index 0000000000..8be230ff00
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md
@@ -0,0 +1,65 @@
+# Rancher Istio
+
+Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes:
+* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh
+* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead.
+
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/).
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
+
+## Warnings
+- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details.
+
+## Known Issues
+
+#### Airgapped Environments
+**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402)
+
+#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster.
+To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster.
+`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni`
+See [this issue](https://github.com/rancher/rancher/issues/33291) for details.
+
+## Installing istio with distroless-images.
+Istio `104.5.0+up1.23.2` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file.
+
+## Deprecations
+
+#### v1alpha1 security policies
+As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/
+
+If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version.
+
+> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to:
+```
+Error: found 6 CRD of unsupported v1alpha1 security policy
+```
+```
+ Error: found 1 unsupported v1alpha1 security policy
+ ```
+ ```
+ Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x
+ ```
+ Continue with the migration steps below before retrying the upgrade process.
+
+#### Migrating Resources:
+Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post").
+
+You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps.
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml
new file mode 100644
index 0000000000..17fb5ff8c3
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml
@@ -0,0 +1,140 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: {{ .Values.base.enabled }}
+ cni:
+ enabled: {{ .Values.cni.enabled }}
+ k8s:
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ egressGateways:
+ - enabled: {{ .Values.egressGateways.enabled }}
+ name: istio-egressgateway
+ k8s:
+ {{- if .Values.egressGateways.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.egressGateways.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ ingressGateways:
+ - enabled: {{ .Values.ingressGateways.enabled }}
+ name: istio-ingressgateway
+ k8s:
+ {{- if .Values.ingressGateways.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.ingressGateways.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ service:
+ ports:
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: http2
+ port: 80
+ targetPort: 8080
+ nodePort: 31380
+ - name: https
+ port: 443
+ targetPort: 8443
+ nodePort: 31390
+ - name: tcp
+ port: 31400
+ targetPort: 31400
+ nodePort: 31400
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ istiodRemote:
+ enabled: {{ .Values.istiodRemote.enabled }}
+ pilot:
+ enabled: {{ .Values.pilot.enabled }}
+ k8s:
+ {{- if .Values.pilot.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.pilot.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}
+ profile: default
+ tag: {{ .Values.tag }}
+ revision: {{ .Values.revision }}
+ meshConfig:
+ defaultConfig:
+ {{- if .Values.tracing.enabled }}
+ tracing:
+ zipkin:
+ address: {{ .Values.tracing.zipkinAddress }}
+ {{- end }}
+ proxyMetadata:
+ {{- if .Values.dns.enabled }}
+ ISTIO_META_DNS_CAPTURE: "true"
+ {{- end }}
+ values:
+ gateways:
+ istio-egressgateway:
+ name: istio-egressgateway
+ type: {{ .Values.egressGateways.type }}
+ istio-ingressgateway:
+ name: istio-ingressgateway
+ type: {{ .Values.ingressGateways.type }}
+ global:
+ istioNamespace: {{ template "istio.namespace" . }}
+ proxy:
+ image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
+ proxy_init:
+ image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}
+ {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+ defaultPodDisruptionBudget:
+ enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }}
+ {{- end }}
+ {{- if .Values.pilot.enabled }}
+ pilot:
+ image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }}
+ {{- end }}
+ telemetry:
+ enabled: {{ .Values.telemetry.enabled }}
+ v2:
+ enabled: {{ .Values.telemetry.v2.enabled }}
+ {{- if .Values.cni.enabled }}
+ cni:
+ image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }}
+ excludeNamespaces:
+ {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }}
+ logLevel: {{ .Values.cni.logLevel }}
+ {{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml
new file mode 100644
index 0000000000..cb4c3fe75c
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml
@@ -0,0 +1,9 @@
+dependencies:
+- condition: kiali.enabled
+ name: kiali
+ repository: file://./charts/kiali
+ version: 1.89.3
+- condition: tracing.enabled
+ name: tracing
+ repository: file://./charts/tracing
+ version: 1.60.0
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml
new file mode 100644
index 0000000000..5cf3cf3b0b
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml
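Review bot: `hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}` reads a top-level `systemDefaultRegistry` value, while every `image:` line in the same file goes through the `system_default_registry` helper, which reads `.Values.global.cattle.systemDefaultRegistry`. values.yaml is not in this hunk, but if only the `global.cattle` key is populated (the Rancher convention) `hub` silently falls back to `docker.io`, so any component image not explicitly overridden in the `values:` section is pulled from the public registry even in a private-registry or air-gapped install. Suggest `hub: {{ .Values.global.cattle.systemDefaultRegistry | default "docker.io" }}` so both paths agree. Separately, the `nodePort: 31380` / `31390` / `31400` entries on the ingress gateway service are hard-coded rather than values-driven and can collide with other NodePort services on the cluster.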
@@ -0,0 +1,37 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ ingressGateways:
+ - enabled: true
+ name: ilb-gateway
+ namespace: user-ingressgateway-ns
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
+ - enabled: true
+ name: other-gateway
+ namespace: cattle-istio-system
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl b/packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl
new file mode 100644
index 0000000000..30b429a800
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "istio.namespace" -}}
+ {{- .Release.Namespace | default "istio-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml
new file mode 100644
index 0000000000..ad1313c4f1
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: istio-admin
+ namespace: {{ template "istio.namespace" . }}
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml
new file mode 100644
index 0000000000..5323917bc3
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-base
+ namespace: {{ template "istio.namespace" . }}
+data:
+{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml
new file mode 100644
index 0000000000..31163f9325
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml
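Review bot: `namespace: {{ template "istio.namespace" . }}` on a `ClusterRole` is meaningless — ClusterRoles are cluster-scoped and the API server discards the field — so it should be dropped from `metadata` here. The `config.istio.io` rule lists Mixer-era resources (`adapters`, `handlers`, `instances`, `rules`, `templates`, …) whose CRDs no longer ship with Istio, so that rule grants verbs on kinds that do not exist and is dead weight; if it is kept for upgrade compatibility a comment saying so would help. Note that because of the `aggregate-to-admin` label, every namespace admin also receives `'*'` on `envoyfilters`, which allows injecting raw Envoy configuration into that namespace's sidecars — acceptable for admin, but worth a one-line comment so the grant is visibly deliberate.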
@@ -0,0 +1,143 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-installer
+rules:
+# istio groups
+- apiGroups:
+ - extensions.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - install.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - telemetry.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+# k8s groups
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions.apiextensions.k8s.io
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/finalizers
+ - ingresses
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - pods
+ - pods/exec
+ - pods/portforward
+ - persistentvolumeclaims
+ - secrets
+ - services
+ - serviceaccounts
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+{{- if and .Values.global.cattle.psp.enabled }}
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-installer
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..9d74a04345
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-installer
+subjects:
+- kind: ServiceAccount
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: istio-installer
+ apiGroup: rbac.authorization.k8s.io
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml
new file mode 100644
index 0000000000..d1059d58d7
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-edit
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
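Review bot: The `istio-installer` ClusterRole grants `'*'` on `clusterroles` and `clusterrolebindings`, plus `'*'` on `secrets`, `pods/exec` and `pods/portforward` in every namespace, which is cluster-admin-equivalent: whoever obtains the `istio-installer` service-account token can bind themselves to `cluster-admin` or read any secret in the cluster. The SA is only used by a short-lived hook Job, but the binding is permanent and the token can be minted by anyone with `serviceaccounts/token` in istio-system, so the blast radius of that namespace is the whole cluster. It is not evident from this patch that `istioctl install` needs `pods/exec` or `pods/portforward`; consider dropping them, and add a comment above the `rbac.authorization.k8s.io` rule stating why wildcard verbs (rather than `resourceNames`-scoped ones) are required. Also, `customresourcedefinitions.apiextensions.k8s.io` is not a valid RBAC resource name (resources are unqualified; the group is already in `apiGroups`), so that entry matches nothing and can be removed.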
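Review bot: This ClusterRole carries `rbac.authorization.k8s.io/aggregate-to-edit: "true"`, so every holder of the built-in `edit` role gains `'*'` on `peerauthentications` and `envoyfilters` in their namespace. That lets a non-admin namespace editor set a PeerAuthentication to `DISABLE`/`PERMISSIVE` (switching off mTLS for their workloads) and push arbitrary Envoy filter chains into their sidecars — powers normally reserved for mesh operators. This presumably mirrors older upstream Istio aggregation roles; if it is intentional it deserves a comment in the template, otherwise drop `envoyfilters` and `peerauthentications` from the edit aggregate and keep them in `istio-admin` only. As with the admin role, `namespace:` on a ClusterRole is ignored by the API server and should be removed from `metadata`.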
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml
new file mode 100644
index 0000000000..a71561e676
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml
new file mode 100644
index 0000000000..c2e362e684
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-installer
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 1
+ template:
+ spec:
+ {{- if .Values.installer.releaseMirror.enabled }}
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "github.com"
+ {{- end }}
+ containers:
+ - name: istioctl-installer
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ - name: FORCE_INSTALL
+ value: {{ .Values.forceInstall | default "false" | quote }}
+ - name: RELEASE_MIRROR_ENABLED
+ value: {{ .Values.installer.releaseMirror.enabled | quote }}
+ - name: SECONDS_SLEEP
+ value: {{ .Values.installer.debug.secondsSleep | quote}}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/run.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{- end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 499
+ runAsGroup: 487
+ restartPolicy: Never
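Review bot: the `istioctl-installer` container has no container-level `securityContext`; the pod only sets `runAsUser: 499` / `runAsGroup: 487`, so `runAsNonRoot`, privilege escalation and capabilities stay at their defaults, and nothing enforces them when `global.cattle.psp.enabled` is false (the default in values.yaml). The job runs `/usr/local/app/scripts/run.sh` from a chart-controlled image, so the hardening below should be safe, assuming the script needs no Linux capabilities. Separately, `RELEASE_NAME` and `ISTIO_NAMESPACE` are emitted unquoted while the other env values are `| quote`d; `value: {{ .Release.Name | quote }}` keeps a purely numeric release name from rendering as an integer, and the same applies to the uninstall job later in this patch.
```yaml
      containers:
      - name: istioctl-installer
        image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
        # … unchanged: env, command, args, volumeMounts …
```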
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml
new file mode 100644
index 0000000000..9da3391d40
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'configMap'
+ - 'secret'
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml
new file mode 100644
index 0000000000..cfada1bf7f
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml
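Review bot: the `istio-installer` PodSecurityPolicy omits `allowPrivilegeEscalation` (which defaults to true) and `requiredDropCapabilities`, while `istio-psp` in the same chart sets `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]`; the installer job runs a shell script as a fixed non-root user and does not appear to need either, so the two policies should match. Adding `allowPrivilegeEscalation: false` and `requiredDropCapabilities:` / `- 'ALL'` under `spec` brings this one in line. The quoting style (`'MustRunAsNonRoot'`, `'configMap'`) also differs from the unquoted values in istio-psp.yaml and istio-cni-psp.yaml; either is valid, but one convention across the three PSP templates would read better.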
@@ -0,0 +1,81 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-psp
+subjects:
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ - kind: ServiceAccount
+ name: istiod-service-account
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ - kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml
new file mode 100644
index 0000000000..0091d0c176
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml
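Review bot: the `istio-psp` RoleBinding lists `istio-mixer-service-account`, `istio-sidecar-injector-service-account` and `istiocoredns-service-account`, which presumably belong to components that no longer exist in this Istio version, and also the `default` ServiceAccount, which extends the policy to any pod in the namespace that does not set its own ServiceAccount. The policy itself is restrictive, so the exposure is small, but listing only the ServiceAccounts the installed components actually create keeps the binding auditable across version bumps; a comment such as `# subjects must match the ServiceAccounts created by the Istio install` above `subjects:` would make that maintenance rule explicit. If `default` is needed for workloads injected in this namespace, a comment saying so would help as well.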
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-uninstaller
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: istioctl-uninstaller
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{ end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{ end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ restartPolicy: OnFailure
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml
new file mode 100644
index 0000000000..287d26b2c3
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml
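Review bot: `"helm.sh/hook-delete-policy": hook-succeeded` on the `istioctl-uninstaller` Job means a failed run leaves the Job behind, and the next `helm uninstall` then fails to create the hook because an object with the same name already exists; the install job already uses `before-hook-creation,hook-succeeded`, and this one should match: `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`. With `restartPolicy: OnFailure` and no `backoffLimit`, a failing uninstall script is also retried up to the Job default before the hook reports failure, unlike the installer's `backoffLimit: 1`. The pod runs as `runAsUser: 101` / `runAsGroup: 101` while the install job runs the same image as `499` / `487`; if the difference is deliberate, a comment stating why would save the next reader a question. The `{{ end }}` closers here lack the whitespace-trimming `-` used in istio-install-job.yaml and leave blank lines in the rendered manifest.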
@@ -0,0 +1,9 @@
+{{- if .Values.overlayFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-overlay
+ namespace: {{ template "istio.namespace" . }}
+data:
+ overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml
new file mode 100644
index 0000000000..c3d60c4fce
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.kiali.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: envoy-stats-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-proxies
+spec:
+ selector:
+ matchExpressions:
+ - {key: istio-prometheus-ignore, operator: DoesNotExist}
+ namespaceSelector:
+ any: true
+ jobLabel: envoy-stats
+ endpoints:
+ - path: /stats/prometheus
+ targetPort: 15090
+ interval: 15s
+ relabelings:
+ - sourceLabels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - action: labeldrop
+ regex: "__meta_kubernetes_pod_label_(.+)"
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: namespace
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: pod_name
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: istio-component-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-components
+spec:
+ jobLabel: istio
+ targetLabels: [app]
+ selector:
+ matchExpressions:
+ - {key: istio, operator: In, values: [pilot]}
+ namespaceSelector:
+ any: true
+ endpoints:
+ - port: http-monitoring
+ interval: 15s
+{{- end -}}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..82b6cbb7e6
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..4b0e5cfb65
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml
new file mode 100644
index 0000000000..5947d3eba9
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-view
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs: ["get", "watch", "list"]
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml
new file mode 100644
index 0000000000..ad46defdb6
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml
@@ -0,0 +1,121 @@
+overlayFile: ""
+tag: 1.23.2
+##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install
+forceInstall: false
+
+installer:
+ repository: rancher/istio-installer
+ tag: 1.23.2-rancher1
+ ##releaseMirror are configurations for istio upgrades.
+ ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal
+ ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets.
+ releaseMirror:
+ enabled: false
+
+ ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging
+ debug:
+ secondsSleep: 0
+
+##Native support for dns added in 1.8
+dns:
+ enabled: false
+
+base:
+ enabled: true
+
+cni:
+ enabled: false
+ repository: rancher/mirrored-istio-install-cni
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.23.2
+ tag: 1.23.2-distroless
+ logLevel: info
+ excludeNamespaces:
+ - istio-system
+ - kube-system
+
+egressGateways:
+ enabled: false
+ type: NodePort
+ hpaSpec: {}
+ podDisruptionBudget: {}
+
+ingressGateways:
+ enabled: true
+ type: NodePort
+ hpaSpec: {}
+ podDisruptionBudget: {}
+
+istiodRemote:
+ enabled: false
+
+pilot:
+ enabled: true
+ repository: rancher/mirrored-istio-pilot
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.23.2
+ tag: 1.23.2-distroless
+ hpaSpec: {}
+ podDisruptionBudget: {}
+
+telemetry:
+ enabled: true
+ v2:
+ enabled: true
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ proxy:
+ repository: rancher/mirrored-istio-proxyv2
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.23.2
+ tag: 1.23.2-distroless
+ proxy_init:
+ repository: rancher/mirrored-istio-proxyv2
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.23.2
+ tag: 1.23.2-distroless
+ defaultPodDisruptionBudget:
+ enabled: true
+
+# Kiali subchart from rancher-kiali-server
+kiali:
+ enabled: true
+ # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/
+ auth:
+ strategy: token
+ server:
+ web_root: /
+ deployment:
+ ingress_enabled: false
+ external_services:
+ prometheus:
+ custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
+ url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
+ tracing:
+ in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger"
+ use_grpc: false
+ grafana:
+ in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
+ url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
+
+tracing:
+ enabled: false
+ contextPath: "/jaeger"
+ zipkinAddress: zipkin.istio-system.svc:9411
+
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
diff --git a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
new file mode 100644
index 0000000000..9d9b1e0930
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: packages/rancher-istio/1.23/rancher-kiali-server
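Review bot: the new `1.24` package points its subchart dependencies at the previous version's directories — `url: packages/rancher-istio/1.23/rancher-kiali-server` here and `url: packages/rancher-istio/1.23/rancher-tracing` in the tracing dependency — while this same patch adds `packages/rancher-istio/1.24/rancher-kiali-server`, and values.yaml and package.yaml still carry the `1.23.2` image tags and the `105.4.0+up1.23.2` version. If this commit is a verbatim copy that a later patch in the series bumps, that is fine; otherwise the URLs should read `packages/rancher-istio/1.24/rancher-kiali-server` and `packages/rancher-istio/1.24/rancher-tracing` so the 1.24 chart does not silently build against 1.23 subcharts. In values.yaml, `tag: 1.23.2` parses as a string today, but quoting image tags (`tag: "1.23.2"`) guards against a future two-component tag being read as a float.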
diff --git a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
new file mode 100644
index 0000000000..2a6aec62e4
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: packages/rancher-istio/1.23/rancher-tracing
diff --git a/packages/rancher-istio/1.24/rancher-istio/package.yaml b/packages/rancher-istio/1.24/rancher-istio/package.yaml
new file mode 100644
index 0000000000..8f552eac43
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/package.yaml
@@ -0,0 +1,2 @@
+url: local
+version: 105.4.0+up1.23.2
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig
new file mode 100644
index 0000000000..34560fceaf
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig
@@ -0,0 +1,224 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.deployment.hpa.spec }}
+ replicas: {{ .Values.deployment.replicas }}
+{{- end }}
+ selector:
+ matchLabels:
+ {{- include "kiali-server.selectorLabels" . | nindent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 8 }}
+ {{- if .Values.deployment.pod_labels }}
+ {{- toYaml .Values.deployment.pod_labels | nindent 8 }}
+ {{- end }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- if .Values.server.observability.metrics.enabled }}
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }}
+ {{- else }}
+ prometheus.io/scrape: "false"
+ prometheus.io/port: ""
+ {{- end }}
+ kiali.io/dashboards: go,kiali
+ {{- if .Values.deployment.pod_annotations }}
+ {{- toYaml .Values.deployment.pod_annotations | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "kiali-server.fullname" . }}
+ {{- if .Values.deployment.priority_class_name }}
+ priorityClassName: {{ .Values.deployment.priority_class_name | quote }}
+ {{- end }}
+ {{- if .Values.deployment.image_pull_secrets }}
+ imagePullSecrets:
+ {{- range .Values.deployment.image_pull_secrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.host_aliases }}
+ hostAliases:
+ {{- toYaml .Values.deployment.host_aliases | nindent 6 }}
+ {{- end }}
+ {{- if .Values.deployment.dns }}
+ {{- if .Values.deployment.dns.policy }}
+ dnsPolicy: "{{ .Values.deployment.dns.policy }}"
+ {{- end }}
+ {{- if .Values.deployment.dns.config }}
+ dnsConfig:
+ {{- toYaml .Values.deployment.dns.config | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}"
+ imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
+ name: {{ include "kiali-server.fullname" . }}
+ command:
+ - "/opt/kiali/kiali"
+ - "-config"
+ - "/kiali-configuration/config.yaml"
+ securityContext:
+ {{- if .Values.deployment.security_context}}
+ {{- toYaml .Values.deployment.security_context | nindent 10 }}
+ {{- else }}
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
+ ports:
+ - name: api-port
+ containerPort: {{ .Values.server.port | default 20001 }}
+ {{- if .Values.server.observability.metrics.enabled }}
+ - name: http-metrics
+ containerPort: {{ .Values.server.observability.metrics.port | default 9090 }}
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz
+ port: api-port
+ {{- if (include "kiali-server.identity.cert_file" .) }}
+ scheme: HTTPS
+ {{- else }}
+ scheme: HTTP
+ {{- end }}
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ livenessProbe:
+ httpGet:
+ path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz
+ port: api-port
+ {{- if (include "kiali-server.identity.cert_file" .) }}
+ scheme: HTTPS
+ {{- else }}
+ scheme: HTTP
+ {{- end }}
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ env:
+ - name: ACTIVE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LOG_LEVEL
+ value: "{{ include "kiali-server.logLevel" . }}"
+ - name: LOG_FORMAT
+ value: "{{ .Values.deployment.logger.log_format }}"
+ - name: LOG_TIME_FIELD_FORMAT
+ value: "{{ .Values.deployment.logger.time_field_format }}"
+ - name: LOG_SAMPLER_RATE
+ value: "{{ .Values.deployment.logger.sampler_rate }}"
+ volumeMounts:
+ - name: {{ include "kiali-server.fullname" . }}-configuration
+ mountPath: "/kiali-configuration"
+ - name: {{ include "kiali-server.fullname" . }}-cert
+ mountPath: "/kiali-cert"
+ - name: {{ include "kiali-server.fullname" . }}-secret
+ mountPath: "/kiali-secret"
+ - name: {{ include "kiali-server.fullname" . }}-cabundle
+ mountPath: "/kiali-cabundle"
+ {{- range .Values.deployment.custom_secrets }}
+ - name: {{ .name }}
+ mountPath: "{{ .mount }}"
+ {{- end }}
+ {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }}
+ - name: {{ $key }}
+ mountPath: "/kiali-remote-cluster-secrets/{{ $val }}"
+ {{- end }}
+ {{- range .Values.clustering.clusters }}
+ {{- if .secret_name }}
+ - name: {{ .name }}
+ mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.resources }}
+ resources:
+ {{- toYaml .Values.deployment.resources | nindent 10 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "kiali-server.fullname" . }}-configuration
+ configMap:
+ name: {{ include "kiali-server.fullname" . }}
+ - name: {{ include "kiali-server.fullname" . }}-cert
+ secret:
+ {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ secretName: {{ include "kiali-server.fullname" . }}-cert-secret
+ {{- else }}
+ secretName: istio.{{ include "kiali-server.fullname" . }}-service-account
+ {{- end }}
+ {{- if not (include "kiali-server.identity.c ert_file" .) }}
+ optional: true
+ {{- end }}
+ - name: {{ include "kiali-server.fullname" . }}-secret
+ secret:
+ secretName: {{ .Values.deployment.secret_name }}
+ optional: true
+ - name: {{ include "kiali-server.fullname" . }}-cabundle
+ configMap:
+ name: {{ include "kiali-server.fullname" . }}-cabundle
+ {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
+ optional: true
+ {{- end }}
+ {{- range .Values.deployment.custom_secrets }}
+ - name: {{ .name }}
+ {{- if .csi}}
+ csi: {{ toYaml .csi | nindent 10 }}
+ {{- else }}
+ secret:
+ secretName: {{ .name }}
+ optional: {{ .optional | default false }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }}
+ - name: {{ $key }}
+ secret:
+ secretName: {{ $val }}
+ {{- end }}
+ {{- range .Values.clustering.clusters }}
+ {{- if .secret_name }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secret_name }}
+ {{- end }}
+ {{- end }}
+ {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }}
+ affinity:
+ {{- if .Values.deployment.affinity.node }}
+ nodeAffinity:
+ {{- toYaml .Values.deployment.affinity.node | nindent 10 }}
+ {{- end }}
+ {{- if .Values.deployment.affinity.pod }}
+ podAffinity:
+ {{- toYaml .Values.deployment.affinity.pod | nindent 10 }}
+ {{- end }}
+ {{- if .Values.deployment.affinity.pod_anti }}
+ podAntiAffinity:
+ {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.tolerations }}
+ tolerations:
+ {{- toYaml .Values.deployment.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.deployment.node_selector }}
+ nodeSelector:
+ {{- toYaml .Values.deployment.node_selector | nindent 8 }}
+ {{- end }}
+...
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
new file mode 100644
index 0000000000..e31d706d4b
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "kiali-server.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: kiali
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
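Review bot: the RoleBinding's subject is the hard-coded ServiceAccount `kiali`, while the Role, the PodSecurityPolicy and the Kiali Deployment in this patch (`serviceAccountName: {{ include "kiali-server.fullname" . }}` in deployment.yaml.orig) all derive their names from `kiali-server.fullname`; if that helper ever yields a name other than `kiali`, the PSP is granted to a ServiceAccount the pod does not use and admission rejects the pod. `name: {{ include "kiali-server.fullname" . }}` for the subject keeps the three objects consistent. `metadata.namespace` on the cluster-scoped PodSecurityPolicy is ignored and can be dropped.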
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
new file mode 100644
index 0000000000..970d4e4f5d
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.web_root_override }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+data:
+ env.js: |
+ window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
new file mode 100644
index 0000000000..198d245ac1
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
@@ -0,0 +1,31 @@
+--- charts-original/Chart.yaml
++++ charts/Chart.yaml
+@@ -1,17 +1,26 @@
++annotations:
++ catalog.cattle.io/hidden: "true"
++ catalog.cattle.io/os: linux
++ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
++ catalog.rancher.io/namespace: cattle-istio-system
++ catalog.rancher.io/release-name: rancher-kiali-server
+ apiVersion: v2
+ appVersion: v1.89.3
+ description: Kiali is an open source project for service mesh observability, refer
+- to https://www.kiali.io for details.
++ to https://www.kiali.io for details. This is installed as sub-chart with customized
++ values in Rancher's Istio.
+ home: https://github.com/kiali/kiali
+ icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+ keywords:
+ - istio
+ - kiali
++- networking
++- infrastructure
+ maintainers:
+ - email: kiali-users@googlegroups.com
+ name: Kiali
+ url: https://kiali.io
+-name: kiali-server
++name: rancher-kiali-server
+ sources:
+ - https://github.com/kiali/kiali
+ - https://github.com/kiali/kiali-operator
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch
new file mode 100644
index 0000000000..0515e17753
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch
@@ -0,0 +1,49 @@
+--- charts-original/templates/_helpers.tpl
++++ charts/templates/_helpers.tpl
+@@ -46,8 +46,15 @@
+ Selector labels
+ */}}
+ {{- define "kiali-server.selectorLabels" -}}
++{{- $releaseName := .Release.Name -}}
++{{- $fullName := include "kiali-server.fullname" . -}}
++{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}}
+ app.kubernetes.io/name: kiali
+-app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }}
++{{- if (and .Release.IsUpgrade $deployment)}}
++app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }}
++{{- else }}
++app.kubernetes.io/instance: {{ $fullName }}
++{{- end }}
+ {{- end }}
+
+ {{/*
+@@ -168,6 +175,29 @@
+ {{- end }}
+ {{- end }}
+
++{{- define "system_default_registry" -}}
++{{- if .Values.global.cattle.systemDefaultRegistry -}}
++{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
++{{- else -}}
++{{- "" -}}
++{{- end -}}
++{{- end -}}
++
++{{/*
++Windows cluster will add default taint for linux nodes,
++add below linux tolerations to workloads could be scheduled to those linux nodes
++*/}}
++{{- define "linux-node-tolerations" -}}
++- key: "cattle.io/os"
++ value: "linux"
++ effect: "NoSchedule"
++ operator: "Equal"
++{{- end -}}
++
++{{- define "linux-node-selector" -}}
++kubernetes.io/os: linux
++{{- end -}}
++
+ {{/*
+ Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed.
+ Returns a JSON dict whose keys are the cluster names and values are the cluster secret data.
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch
new file mode 100644
index 0000000000..c3b3d5fa15
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch 
@@ -0,0 +1,69 @@ +--- charts-original/templates/deployment.yaml ++++ charts/templates/deployment.yaml +@@ -6,6 +6,9 @@ + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} ++ annotations: ++ "helm.sh/hook": post-install, post-upgrade ++ "helm.sh/hook-weight": "-4" + spec: + {{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +@@ -64,7 +67,7 @@ + {{- end }} + {{- end }} + containers: +- - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}" ++ - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: +@@ -126,6 +129,11 @@ + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: ++ {{- if .Values.web_root_override }} ++ - name: kiali-console ++ subPath: env.js ++ mountPath: /opt/kiali/console/env.js ++ {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert +@@ -153,6 +161,14 @@ + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: ++ {{- if .Values.web_root_override }} ++ - name: kiali-console ++ configMap: ++ name: kiali-console ++ items: ++ - key: env.js ++ path: env.js ++ {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . 
}} +@@ -213,12 +229,12 @@ + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} +- {{- if .Values.deployment.tolerations }} +- tolerations: +- {{- toYaml .Values.deployment.tolerations | nindent 8 }} +- {{- end }} +- {{- if .Values.deployment.node_selector }} +- nodeSelector: +- {{- toYaml .Values.deployment.node_selector | nindent 8 }} +- {{- end }} ++ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} ++{{- if .Values.deployment.tolerations }} ++{{ toYaml .Values.deployment.tolerations | indent 8 }} ++{{- end }} ++ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} ++{{- if .Values.deployment.node_selector }} ++{{ toYaml .Values.deployment.node_selector | indent 8 }} ++{{- end }} + ... diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch new file mode 100644 index 0000000000..e2dcbac0a9 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch 
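Review bot: Annotating the Kiali Deployment with `helm.sh/hook: post-install, post-upgrade` turns the main workload into a hook resource rather than part of the release manifest, so with no `helm.sh/hook-delete-policy` it is left running after `helm uninstall`, is not reverted by `helm rollback`, and does not appear in `helm get manifest`; the hook is presumably there for ordering against the install job, but that trade-off deserves a comment on the annotation plus either a delete policy or an uninstall hook that removes the Deployment. Separately, the `env.js` mount uses `subPath`, and subPath mounts of a ConfigMap are not refreshed when the ConfigMap changes, so edits to `kiali-console` only take effect after a pod restart; a line such as `# subPath mount: changes to the kiali-console ConfigMap need a rollout restart` next to the mount documents that. The enclosing Deployment template starts and ends outside this hunk.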
@@ -0,0 +1,39 @@ +--- charts-original/values.yaml ++++ charts/values.yaml +@@ -13,6 +13,8 @@ + # do this, a PR would be welcome. + kiali_route_url: "" + ++# rancher specific override that allows proxy access to kiali url ++web_root_override: true + # + # Settings that mimic the Kiali CR which are placed in the ConfigMap. + # Note that only those values used by the Helm Chart will be here. +@@ -56,10 +58,10 @@ + api_version: "autoscaling/v2" + spec: {} + image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") +- image_name: quay.io/kiali/kiali ++ repository: rancher/mirrored-kiali-kiali + image_pull_policy: "Always" + image_pull_secrets: [] +- image_version: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash ++ tag: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash + ingress: + additional_labels: {} + class_name: "nginx" +@@ -123,3 +125,13 @@ + enabled: true + port: 9090 + web_root: "" ++ ++# Common settings used among istio subcharts. ++global: ++ # Specify rancher clusterId of external tracing config ++ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 ++ cattle: ++ systemDefaultRegistry: "" ++ clusterId: ++ psp: ++ enabled: false +\ No newline at end of file diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml new file mode 100644 index 0000000000..bf47a78602 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml @@ -0,0 +1,2 @@ +url: https://kiali.org/helm-charts/kiali-server-1.89.3.tgz +doNotRelease: true \ No newline at end of file diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore b/packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null 
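Review bot: `package.yaml` pulls the upstream chart from `https://kiali.org/helm-charts/kiali-server-1.89.3.tgz` with nothing recording what that archive is expected to contain, so a rebuild silently accepts whatever the server returns for that name and the generated patches apply against an unverified base. If the packaging tool offers no integrity field, recording the archive's sha256 in a comment beside the `url` and checking it in CI (`# sha256: <digest of kiali-server-1.89.3.tgz>`) at least makes a substitution detectable. The version pin alone does not provide that guarantee.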
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml new file mode 100644 index 0000000000..fa5fa11f38 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml @@ -0,0 +1,12 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.rancher.io/certified: rancher + catalog.rancher.io/namespace: istio-system + catalog.rancher.io/release-name: rancher-tracing +apiVersion: v1 +appVersion: 1.60.0 +description: A quick start Jaeger Tracing installation using the all-in-one demo. + This is not production qualified. Refer to https://www.jaegertracing.io/ for details. +name: rancher-tracing +version: 1.60.0 diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/README.md b/packages/rancher-istio/1.24/rancher-tracing/charts/README.md new file mode 100644 index 0000000000..25534c6288 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/README.md @@ -0,0 +1,5 @@ +# Jaeger + +A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices. + +> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs. 
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl
new file mode 100644
index 0000000000..bf6a9aee5c
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl
@@ -0,0 +1,92 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} +{{- define "nodeAffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl new file mode 100644 index 0000000000..09c6b05467 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl 
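Review bot: Both `nodeAffinityRequiredDuringScheduling` and `nodeAffinityPreferredDuringScheduling` match on `beta.kubernetes.io/arch`, a label deprecated since Kubernetes 1.14 in favour of the GA `kubernetes.io/arch`; kubelets still publish the beta label in current releases, so this works today, but on any node where it is absent the required term makes the pod unschedulable. Changing the two `- key: beta.kubernetes.io/arch` lines to `- key: kubernetes.io/arch` removes the dependency. The required term also appends `global.defaultNodeSelector` (`kubernetes.io/os: linux` in the values file) as an affinity expression while the Deployment sets the same key through `nodeSelector`; harmless, but a one-line comment saying the duplication is intentional would stop someone "fixing" it.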
@@ -0,0 +1,47 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "tracing.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml new file mode 100644 index 0000000000..f8a6828085 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml 
@@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: {{ .Values.provider }} + template: + metadata: + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "14269" +{{- if .Values.jaeger.podAnnotations }} +{{ toYaml .Values.jaeger.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: jaeger + image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + {{- if eq .Values.jaeger.spanStorageType "badger" }} + - name: BADGER_EPHEMERAL + value: "false" + - name: SPAN_STORAGE_TYPE + value: "badger" + - name: BADGER_DIRECTORY_VALUE + value: "/badger/data" + - name: BADGER_DIRECTORY_KEY + value: "/badger/key" + {{- end }} + - name: COLLECTOR_ZIPKIN_HOST_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + livenessProbe: + httpGet: + path: / + port: 14269 + readinessProbe: + httpGet: + path: / + port: 14269 +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumeMounts: + - name: data + mountPath: /badger +{{- end }} + resources: +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + affinity: + {{- include "nodeAffinity" . | indent 6 }} + {{- include "podAntiAffinity" . 
| indent 6 }} + {{- if .Values.global.cattle.psp.enabled }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + {{- end }} + serviceAccountName: {{ include "tracing.fullname" . }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumes: + - name: data +{{- if .Values.jaeger.persistentVolumeClaim.enabled }} + persistentVolumeClaim: + claimName: istio-jaeger-pvc +{{- else }} + emptyDir: {} +{{- end }} +{{- end }} diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml new file mode 100644 index 0000000000..4d5c271e1b --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml 
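Review bot: The only hardening in this pod spec, `runAsNonRoot: true` / `runAsUser: 1000`, sits inside `{{- if .Values.global.cattle.psp.enabled }}`, and the chart defaults that flag to `false` (the PodSecurityPolicy API itself no longer exists on Kubernetes 1.25+), so on a current cluster the Jaeger container runs with no securityContext at all: privilege escalation allowed, the full default capability set, no seccomp profile, and it would fail the `restricted` Pod Security Standard. A securityContext does not depend on PSP and should be unconditional, with a container-level block that drops capabilities and forbids privilege escalation, as sketched below. Whether the explicit `runAsUser: 1000` is kept depends on the mirrored image's own `USER` (upstream Jaeger images declare a non-root uid, but confirm that for `rancher/mirrored-jaegertracing-all-in-one`); `runAsNonRoot: true` alone lets the image's uid stand and fails closed if it is root. Two smaller points: `automountServiceAccountToken: false` belongs here as well since nothing in this container talks to the API server, and `QUERY_BASE_PATH` is emitted as an unquoted plain scalar with stray spaces around it, so `value: {{ .Values.contextPath | default (printf "/%s" .Values.provider) | quote }}` is safer against a `contextPath` containing YAML indicators.
```yaml
    spec:
      # Hardened unconditionally: PodSecurityPolicy is gone from Kubernetes 1.25+,
      # so global.cattle.psp.enabled must not be what decides the securityContext.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000  # drop if the image's USER is already non-root (confirm)
        seccompProfile:
          type: RuntimeDefault
      automountServiceAccountToken: false
      containers:
        - name: jaeger
          image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: imagePullPolicy, env, probes, volumeMounts, resources …
      # … unchanged: affinity, serviceAccountName, nodeSelector, tolerations, volumes …
```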
@@ -0,0 +1,76 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "tracing.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "tracing.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "tracing.fullname" . }} + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - emptyDir + - secret + - persistentVolumeClaim +{{- end }} diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml new file mode 100644 index 0000000000..9b4c55e4fb --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml 
@@ -0,0 +1,16 @@
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-jaeger-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+spec:
+ storageClassName: {{ .Values.jaeger.storageClassName }}
+ accessModes:
+ - {{ .Values.jaeger.accessMode }}
+ resources:
+ requests:
+ storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml
new file mode 100644
index 0000000000..3ee5a54247
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml
@@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Service +metadata: + name: tracing + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := .Values.service.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.service.type }} + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.service.externalPort }} + protocol: TCP + targetPort: 16686 + selector: + app: {{ .Values.provider }} +--- +# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. +apiVersion: v1 +kind: Service +metadata: + name: zipkin + namespace: {{ .Release.Namespace }} + labels: + name: zipkin + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.zipkin.queryPort }} + targetPort: {{ .Values.zipkin.queryPort }} + selector: + app: {{ .Values.provider }} +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + - name: jaeger-collector-grpc + port: 14250 + targetPort: 14250 + protocol: TCP + - port: 9411 + targetPort: 9411 + name: http-zipkin + - port: 4317 + name: grpc-otel + - port: 4318 + name: http-otel + selector: + app: {{ .Values.provider }} diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml new file mode 100644 index 0000000000..1bff77ff66 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml 
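Review bot: All three Services front a Jaeger all-in-one that this chart configures with no authentication, and the pod is annotated `sidecar.istio.io/inject: "false"` in the deployment template, so mesh mTLS and AuthorizationPolicy do not cover it: any pod in the cluster can read every trace through `tracing` (16686) or push spans through `zipkin` (9411) and the `jaeger-collector` ports (14268, 14250, 4317, 4318). Traces routinely carry URLs, headers and identifiers from production traffic, so this is a data-exposure surface that warrants at least a comment on the `tracing` Service stating the lack of auth, and ideally a NetworkPolicy shipped with the chart that limits ingress on the collector ports to namespaces running sidecars and on the query port to Kiali (or whatever fronts the UI). The `grpc-otel` and `http-otel` entries omit `protocol` and `targetPort`; both default correctly, but spelling them out like the neighbouring ports keeps the list uniform.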
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml
new file mode 100644
index 0000000000..cb58f51fdb
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml
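Review bot: This ServiceAccount exists only so the PSP RoleBinding in `psp.yaml` has a subject, yet the Jaeger pod still receives a projected API token by default that the all-in-one process never uses; adding `automountServiceAccountToken: false` under `metadata`'s sibling level (or in the pod spec) takes a credential out of the container filesystem at no cost. The SA carries no RBAC beyond `use` on the PSP, so the exposure is small, but the mounted token is the first thing anyone with a shell in the pod looks for, and removing it is the cheapest least-privilege win in the chart. A comment above the resource, `# exists for the PSP RoleBinding only; the pod makes no API calls`, would record the intent.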
@@ -0,0 +1,53 @@ +provider: jaeger +contextPath: "" +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] +nameOverride: "" +fullnameOverride: "" + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + defaultResources: {} + imagePullPolicy: IfNotPresent + imagePullSecrets: [] + arch: + arm64: 2 + amd64: 2 + s390x: 2 + ppc64le: 2 + defaultNodeSelector: + kubernetes.io/os: linux + rbac: + pspEnabled: false + +jaeger: + repository: rancher/mirrored-jaegertracing-all-in-one + tag: 1.60.0 + # spanStorageType value can be "memory" and "badger" for all-in-one image + spanStorageType: badger + resources: + requests: + cpu: 10m + persistentVolumeClaim: + enabled: false + storage: 5Gi + storageClassName: "" + accessMode: ReadWriteMany + memory: + max_traces: 50000 +zipkin: + queryPort: 9411 +service: + annotations: {} + name: http-query + type: ClusterIP + externalPort: 16686 diff --git a/packages/rancher-istio/1.24/rancher-tracing/package.yaml b/packages/rancher-istio/1.24/rancher-tracing/package.yaml new file mode 100644 index 0000000000..27691a8e3f --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-tracing/package.yaml @@ -0,0 +1,2 @@ +url: local +doNotRelease: true \ No newline at end of file From 318b419876361f683caa6049053299f6dd564c80 Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Thu, 21 Nov 2024 22:51:44 +0000 Subject: [PATCH 2/5] add jaegertracing-all-in-one 1.63.0 --- packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml | 4 ++-- .../rancher-istio/1.24/rancher-tracing/charts/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml index fa5fa11f38..94b067974d 100644 
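Review bot: `jaeger.accessMode: ReadWriteMany` is an unsafe default for the Badger-backed all-in-one: Badger is an embedded single-process store, the Deployment runs one replica, and many CSI drivers reject RWX claims outright, so `accessMode: ReadWriteOnce` is both more portable and rules out a second writer corrupting the store. The file also defines two PSP switches, `global.cattle.psp.enabled` and `global.rbac.pspEnabled`; only the former is referenced by the templates visible in this series, so the latter looks vestigial and should be dropped or its consumer named in a comment. The `tolerations` comment still says `requires Kubernetes >= 1.6`, which no longer says anything useful.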
--- a/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml @@ -5,8 +5,8 @@ annotations: catalog.rancher.io/namespace: istio-system catalog.rancher.io/release-name: rancher-tracing apiVersion: v1 -appVersion: 1.60.0 +appVersion: 1.63.0 description: A quick start Jaeger Tracing installation using the all-in-one demo. This is not production qualified. Refer to https://www.jaegertracing.io/ for details. name: rancher-tracing -version: 1.60.0 +version: 1.63.0 diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml index cb58f51fdb..4929fb82a4 100644 --- a/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml +++ b/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml @@ -31,7 +31,7 @@ global: jaeger: repository: rancher/mirrored-jaegertracing-all-in-one - tag: 1.60.0 + tag: 1.63.0 # spanStorageType value can be "memory" and "badger" for all-in-one image spanStorageType: badger resources: From 0ff1fd874b4cb948852016eb0c59a345d0ae29af Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Thu, 21 Nov 2024 22:53:32 +0000 Subject: [PATCH 3/5] add istio 1.24.0 --- .../1.24/rancher-istio/charts/app-readme.md | 2 +- .../1.24/rancher-istio/charts/values.yaml | 20 +++++++++---------- .../dependencies/kiali/dependency.yaml | 2 +- .../dependencies/tracing/dependency.yaml | 2 +- .../1.24/rancher-istio/package.yaml | 2 +- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md b/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md index 8be230ff00..12075362f7 100644 --- a/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md +++ b/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md 
@@ -38,7 +38,7 @@ To install istio with CNI enabled, e.g. when cluster has a default PSP set to "r See [this issue](https://github.com/rancher/rancher/issues/33291) for details. ## Installing istio with distroless-images. -Istio `104.5.0+up1.23.2` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. +Istio `104.5.0+up1.24.0` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. ## Deprecations diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml index ad46defdb6..07aa9d3f8d 100644 --- a/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml +++ b/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml @@ -1,11 +1,11 @@ overlayFile: "" -tag: 1.23.2 +tag: 1.24.0 ##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install forceInstall: false installer: repository: rancher/istio-installer - tag: 1.23.2-rancher1 + tag: 1.24.0-rancher1 ##releaseMirror are configurations for istio upgrades. ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. 
@@ -28,8 +28,8 @@ cni: repository: rancher/mirrored-istio-install-cni # If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting # the distroless tag: -# tag: 1.23.2 - tag: 1.23.2-distroless +# tag: 1.24.0 + tag: 1.24.0-distroless logLevel: info excludeNamespaces: - istio-system @@ -55,8 +55,8 @@ pilot: repository: rancher/mirrored-istio-pilot # If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting # the distroless tag: -# tag: 1.23.2 - tag: 1.23.2-distroless +# tag: 1.24.0 + tag: 1.24.0-distroless hpaSpec: {} podDisruptionBudget: {} @@ -74,14 +74,14 @@ global: repository: rancher/mirrored-istio-proxyv2 # If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting # the distroless tag: -# tag: 1.23.2 - tag: 1.23.2-distroless +# tag: 1.24.0 + tag: 1.24.0-distroless proxy_init: repository: rancher/mirrored-istio-proxyv2 # If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting # the distroless tag: -# tag: 1.23.2 - tag: 1.23.2-distroless +# tag: 1.24.0 + tag: 1.24.0-distroless defaultPodDisruptionBudget: enabled: true diff --git a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml index 9d9b1e0930..4f796a73a1 100644 --- a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml +++ b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml @@ -1,2 +1,2 @@ workingDir: "" -url: packages/rancher-istio/1.23/rancher-kiali-server +url: packages/rancher-istio/1.24/rancher-kiali-server 
diff --git a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml index 2a6aec62e4..f59bcaa7b2 100644 --- a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml +++ b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml @@ -1,2 +1,2 @@ workingDir: "" -url: packages/rancher-istio/1.23/rancher-tracing +url: packages/rancher-istio/1.24/rancher-tracing diff --git a/packages/rancher-istio/1.24/rancher-istio/package.yaml b/packages/rancher-istio/1.24/rancher-istio/package.yaml index 8f552eac43..954d58d572 100644 --- a/packages/rancher-istio/1.24/rancher-istio/package.yaml +++ b/packages/rancher-istio/1.24/rancher-istio/package.yaml @@ -1,2 +1,2 @@ url: local -version: 105.4.0+up1.23.2 +version: 105.5.0+up1.24.0 From 620d39b65abbbb02231565b82589915a060b7a8d Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Thu, 21 Nov 2024 22:57:54 +0000 Subject: [PATCH 4/5] adding kiali server 2.1.0 --- .../overlay/templates/deployment.yaml.orig | 12 +++++++++--- .../generated-changes/patch/Chart.yaml.patch | 2 +- .../patch/templates/deployment.yaml.patch | 18 ++++++++++-------- .../generated-changes/patch/values.yaml.patch | 8 ++++---- .../1.24/rancher-kiali-server/package.yaml | 2 +- 5 files changed, 25 insertions(+), 17 deletions(-) diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig index 34560fceaf..2c392330bd 100644 --- a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/deployment.yaml.orig 
@@ -1,9 +1,10 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} --- apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "kiali-server.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: "{{ .Release.Namespace }}" labels: {{- include "kiali-server.labels" . | nindent 4 }} spec: @@ -125,6 +126,10 @@ spec: value: "{{ .Values.deployment.logger.time_field_format }}" - name: LOG_SAMPLER_RATE value: "{{ .Values.deployment.logger.sampler_rate }}" + {{- range .Values.deployment.custom_envs }} + - name: {{ .name | quote }} + value: {{ .value | quote }} + {{- end }} volumeMounts: - name: {{ include "kiali-server.fullname" . }}-configuration mountPath: "/kiali-configuration" @@ -158,7 +163,7 @@ spec: name: {{ include "kiali-server.fullname" . }} - name: {{ include "kiali-server.fullname" . }}-cert secret: - {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} secretName: {{ include "kiali-server.fullname" . }}-cert-secret {{- else }} secretName: istio.{{ include "kiali-server.fullname" . }}-service-account @@ -173,7 +178,7 @@ spec: - name: {{ include "kiali-server.fullname" . }}-cabundle configMap: name: {{ include "kiali-server.fullname" . }}-cabundle - {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + {{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }} optional: true {{- end }} {{- range .Values.deployment.custom_secrets }} @@ -222,3 +227,4 @@ spec: {{- toYaml .Values.deployment.node_selector | nindent 8 }} {{- end }} ... +{{- end }} \ No newline at end of file diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch index 198d245ac1..2052836ad7 100644 --- a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch 
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch @@ -8,7 +8,7 @@ + catalog.rancher.io/namespace: cattle-istio-system + catalog.rancher.io/release-name: rancher-kiali-server apiVersion: v2 - appVersion: v1.89.3 + appVersion: v2.1.0 description: Kiali is an open source project for service mesh observability, refer - to https://www.kiali.io for details. + to https://www.kiali.io for details. This is installed as sub-chart with customized diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch index c3b3d5fa15..82619452f2 100644 --- a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch @@ -1,7 +1,7 @@ --- charts-original/templates/deployment.yaml +++ charts/templates/deployment.yaml -@@ -6,6 +6,9 @@ - namespace: {{ .Release.Namespace }} +@@ -7,6 +7,9 @@ + namespace: "{{ .Release.Namespace }}" labels: {{- include "kiali-server.labels" . | nindent 4 }} + annotations: @@ -10,7 +10,7 @@ spec: {{- if not .Values.deployment.hpa.spec }} replicas: {{ .Values.deployment.replicas }} -@@ -64,7 +67,7 @@ +@@ -65,7 +68,7 @@ {{- end }} {{- end }} containers: @@ -19,9 +19,9 @@ imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} name: {{ include "kiali-server.fullname" . }} command: -@@ -126,6 +129,11 @@ - - name: LOG_SAMPLER_RATE - value: "{{ .Values.deployment.logger.sampler_rate }}" +@@ -131,6 +134,11 @@ + value: {{ .value | quote }} + {{- end }} volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console 
@@ -31,7 +31,7 @@ - name: {{ include "kiali-server.fullname" . }}-configuration mountPath: "/kiali-configuration" - name: {{ include "kiali-server.fullname" . }}-cert -@@ -153,6 +161,14 @@ +@@ -158,6 +166,14 @@ {{- toYaml .Values.deployment.resources | nindent 10 }} {{- end }} volumes: @@ -46,7 +46,7 @@ - name: {{ include "kiali-server.fullname" . }}-configuration configMap: name: {{ include "kiali-server.fullname" . }} -@@ -213,12 +229,12 @@ +@@ -218,13 +234,13 @@ {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} {{- end }} {{- end }} @@ -67,3 +67,5 @@ +{{ toYaml .Values.deployment.node_selector | indent 8 }} +{{- end }} ... + {{- end }} +\ No newline at end of file diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch index e2dcbac0a9..1b8095de0d 100644 --- a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/values.yaml +++ charts/values.yaml -@@ -13,6 +13,8 @@ +@@ -6,6 +6,8 @@ # do this, a PR would be welcome. kiali_route_url: "" @@ -9,7 +9,7 @@ # # Settings that mimic the Kiali CR which are placed in the ConfigMap. # Note that only those values used by the Helm Chart will be here. -@@ -56,10 +58,10 @@ +@@ -49,10 +51,10 @@ api_version: "autoscaling/v2" spec: {} image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") 
@@ -17,12 +17,12 @@ + repository: rancher/mirrored-kiali-kiali image_pull_policy: "Always" image_pull_secrets: [] -- image_version: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash +- image_version: v2.1.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash + tag: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash ingress: additional_labels: {} class_name: "nginx" -@@ -123,3 +125,13 @@ +@@ -112,3 +114,13 @@ enabled: true port: 9090 web_root: "" diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml index bf47a78602..88936168db 100644 --- a/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml +++ b/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml @@ -1,2 +1,2 @@ -url: https://kiali.org/helm-charts/kiali-server-1.89.3.tgz +url: https://kiali.org/helm-charts/kiali-server-2.1.0.tgz doNotRelease: true \ No newline at end of file From 5a78a0ea56feb4f3d38b070da2bb89627654cc5c Mon Sep 17 00:00:00 2001 
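Review bot: The overlay's own image pin in this hunk is not updated: only the removed upstream line moves to `-- image_version: v2.1.0`, while the added line ` + tag: v1.89.3 # version like "v1.39" …` stays as unchanged context, so the patched values.yaml will still pull `rancher/mirrored-kiali-kiali` at v1.89.3 even though the Chart.yaml patch now declares `appVersion: v2.1.0` and package.yaml points at `kiali-server-2.1.0.tgz`. Unless the tag is overridden from the parent chart's values (not visible here), the deployed Kiali server would lag the chart by a major version, and a stale pin is easy to miss because the patch still applies cleanly. Suggest `+ tag: v2.1.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash` and regenerating the patch, after confirming the mirrored image is published at that tag.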
From: Diogo Souza Date: Thu, 21 Nov 2024 23:02:20 +0000 Subject: [PATCH 5/5] make charts --- .../rancher-istio-105.5.0+up1.24.0.tgz | Bin 0 -> 21167 bytes .../rancher-istio/105.5.0+up1.24.0/Chart.yaml | 24 ++ .../rancher-istio/105.5.0+up1.24.0/README.md | 79 ++++++ .../105.5.0+up1.24.0/app-readme.md | 65 +++++ .../105.5.0+up1.24.0/charts/kiali/Chart.yaml | 28 ++ .../charts/kiali/templates/NOTES.txt | 20 ++ .../charts/kiali/templates/_helpers.tpl | 222 ++++++++++++++++ .../charts/kiali/templates/cabundle.yaml | 15 ++ .../charts/kiali/templates/configmap.yaml | 30 +++ .../charts/kiali/templates/deployment.yaml | 246 ++++++++++++++++++ .../kiali/templates/deployment.yaml.orig | 230 ++++++++++++++++ .../charts/kiali/templates/hpa.yaml | 19 ++ .../charts/kiali/templates/ingress.yaml | 64 +++++ .../charts/kiali/templates/oauth.yaml | 31 +++ .../charts/kiali/templates/psp.yaml | 67 +++++ .../charts/kiali/templates/role-viewer.yaml | 103 ++++++++ .../charts/kiali/templates/role.yaml | 110 ++++++++ .../charts/kiali/templates/rolebinding.yaml | 24 ++ .../charts/kiali/templates/route.yaml | 36 +++ .../charts/kiali/templates/service.yaml | 53 ++++ .../kiali/templates/serviceaccount.yaml | 9 + .../kiali/templates/validate-psp-install.yaml | 7 + .../kiali/templates/web-root-configmap.yaml | 12 + .../105.5.0+up1.24.0/charts/kiali/values.yaml | 126 +++++++++ .../charts/tracing/.helmignore | 23 ++ .../charts/tracing/Chart.yaml | 12 + .../105.5.0+up1.24.0/charts/tracing/README.md | 5 + .../charts/tracing/templates/_affinity.tpl | 92 +++++++ .../charts/tracing/templates/_helpers.tpl | 47 ++++ .../charts/tracing/templates/deployment.yaml | 94 +++++++ .../charts/tracing/templates/psp.yaml | 76 ++++++ .../charts/tracing/templates/pvc.yaml | 16 ++ .../charts/tracing/templates/service.yaml | 70 +++++ .../tracing/templates/serviceaccount.yaml | 9 + .../templates/validate-psp-install.yaml | 7 + .../charts/tracing/values.yaml | 53 ++++ .../105.5.0+up1.24.0/configs/istio-base.yaml | 140 
++++++++++ .../105.5.0+up1.24.0/requirements.yaml | 9 + .../samples/overlay-example.yaml | 37 +++ .../105.5.0+up1.24.0/templates/_helpers.tpl | 27 ++ .../templates/admin-role.yaml | 43 +++ .../templates/base-config-map.yaml | 7 + .../templates/clusterrole.yaml | 143 ++++++++++ .../templates/clusterrolebinding.yaml | 12 + .../105.5.0+up1.24.0/templates/edit-role.yaml | 43 +++ .../templates/istio-cni-psp.yaml | 51 ++++ .../templates/istio-install-job.yaml | 66 +++++ .../templates/istio-install-psp.yaml | 30 +++ .../105.5.0+up1.24.0/templates/istio-psp.yaml | 81 ++++++ .../templates/istio-uninstall-job.yaml | 53 ++++ .../templates/overlay-config-map.yaml | 9 + .../templates/service-monitors.yaml | 51 ++++ .../templates/serviceaccount.yaml | 5 + .../templates/validate-psp-install.yaml | 7 + .../105.5.0+up1.24.0/templates/view-role.yaml | 41 +++ .../105.5.0+up1.24.0/values.yaml | 121 +++++++++ index.yaml | 37 +++ .../rancher-istio/charts/requirements.yaml | 4 +- release.yaml | 2 + 59 files changed, 3141 insertions(+), 2 deletions(-) create mode 100644 assets/rancher-istio/rancher-istio-105.5.0+up1.24.0.tgz create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/Chart.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/README.md create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/app-readme.md create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/Chart.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/NOTES.txt create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/_helpers.tpl create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/cabundle.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/configmap.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml.orig create mode 100644 
charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/hpa.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/ingress.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/oauth.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/psp.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role-viewer.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/rolebinding.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/route.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/service.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/web-root-configmap.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/values.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/.helmignore create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/Chart.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/README.md create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_affinity.tpl create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_helpers.tpl create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/deployment.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/psp.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/pvc.yaml create mode 100644 
charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/service.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/values.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/configs/istio-base.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/requirements.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/samples/overlay-example.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/_helpers.tpl create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/admin-role.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/base-config-map.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrole.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/edit-role.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/istio-cni-psp.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-job.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-psp.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/istio-psp.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/istio-uninstall-job.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/overlay-config-map.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/service-monitors.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/templates/validate-psp-install.yaml create mode 100644 
charts/rancher-istio/105.5.0+up1.24.0/templates/view-role.yaml create mode 100644 charts/rancher-istio/105.5.0+up1.24.0/values.yaml 
diff --git a/assets/rancher-istio/rancher-istio-105.5.0+up1.24.0.tgz b/assets/rancher-istio/rancher-istio-105.5.0+up1.24.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c5357a1012d110a2632f5f8022f95ceabb76f1c4 GIT binary patch literal 21167 zcmV*MKx4ljiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvFcjGp)I1JC<{1g~^?k{a$lajo4>vuEn^>jNK-}K_w?o6J! zIXP;Gge1fi!2qCbrPI%6e+~)&32u_Sv^$v*&rI4Pu@nl0LZMI#$7wVpJfK2S)_Xa_ zT!srgPyY0XPru*q9~~UPzx{r{{_o)M@aRv2gX6*R@&4id@$sMfgZ<;OuSee_>w5bh7upI^0BRZWWwM`VbA zS_82VlFVDnGBHF6P4nBQI-$U@u1&6z@pfk%o$${(cb>x;0a3VC*psHaZh!nkqO_?x_iR-C%MHV-V$71LOC?)cS@hh56y#Ud4 z!m*G%k7Uk?*EX#sUiydOVc7rAJR5|22Vvj)(yP7sRQdlkPI4k1djnX(|BsIL1~vYF zu(#je@c*ZH*frq^UVK9nGDN=bNj!zss;G5q>yk)G)2Uif5joS#a)>0)3A&+4f;gG8 zYXVC&nvv)VmL8B2GK&DX`cZg`a2o46DU%4NI9dEk(1PXME_chIP{t{PC2l@=)!rvK z5ybP%N5a*%#Yx5lmB0uMMeDU36vaG*oUsL_)WAb%Ys>KHH#moz-4MIf;?xr6Ej+)03JZgbJ*f2{ibF76ge{8jH(>kW97B^Auqu z;Ah0TS~W+@Ep)b z;-E5+AWEsXh0Z2w`JfvrW@^-uvwWNoF=I^XEp->ZM>s{|hQeGi#K|;IFt-#pUZ6Zx z2qq~Ih?qSsNgxsA%Dx`DUtBSqiJ{BFnbSZT8$~bAaf>38?|IKVY02mHRuBB{vj!1 zP2@?EkU5cj(T1Swy&8Yf>uj2^F;2{xMkd58aUh~sWPBxw*RrpP@(B0;srNPnB^P}F+m`n*T zpcG^@#56QNn`nD+Fi>K=64zj3MhPC1L<{Xo;=@AFX{xAGmAD|2QXQZK3!V~5M6p70 zL3l9DX-s-4i%B3zLL$99wzfR=>Jr{CuJ@*`E%cfSiP!|Gk4R#gN&%dYB}A%Iv|afK~e6{Xt#-d$fNv z*qr~L;`#Wow}Vbok#m9y1*lk%(p_&dmv5&X^!>i(X?Q;bQH~G>wPorRH20EFs>UNE~AcvZxlj%!#qH89beGGR0CcnE zQfxxsrs$0UzL|IC+VA5>WGS>|-wDyDPae+`t46{Z{g$&lD-IQbQR{~G&d3~Y1+~G)~;IO18uq6&Z=fG>vIGZT(ih1hrlok@C$i zIg_}xf#OT~3PxP~DpoMOxh8z9#7cikq`!;&8!V%l`Xix2`agA{sl4!7iK>_gNmH2N zDj+1iW{U|;DtMe4&06uooC8TJIdv)v8j}b+6|X6mxjHZCV`K5&ZhLM6deB9YuXeub z8mAyp&Z%6iCJ2|3GnUZEg*GFESC7)p?C5*iw$CkaKK=Ud;{RhTNT8QXFvr=0Hh~rV zzrS}>=l{n?hesR!{}fN{&fai%nD;k0tMGT1ITv>-fg+SUb7|eADwrkcS@;c2hzP$; z*ckbm=0tDD-wscNh6IJ^H$+pl%F&*x|E00^uk&=Re{(!}6ajF>`akIJAJ^Ca-tp%A z|0K^N$$qW8!3twr=1zGE+pkyKiUZIJrwRn&Zp4*s*ly#+o~d6nnyT)z4{ok0FW##e zgOLZf(=M0Yt0|c4hc?nCKi#XL;)3t4Ep4Hz=c1Fa)Dc1`!ZHdYm!_K?%yWq)O{X_x 
zJY(#tY61c!u5m)+rDayqXGR@r?}9|%e%P0w7@^QZ*inB;m9>D%L~S89VTv)Cvs4hN zishh)q;OuZ-a>b#YvXX2p0_ri6xojiFvWc0%sz^i8kJ-!3d0tr4lC@ zi)~2_#;SJ9yNfVloG=kaY~Jj_96(IzTEkN!^;~d*C295n2Zu$o(Tv4$aqT#UYsYm! z?qt_31Xb?l&XKb6-po$rFQ@D(VBiM5-Ycw*Ikwc5#u=lQV90erJB4&8EIP_RdgPWw z<*$r!Ibr+;^H{%BdzX+TmDeoE=OjunoeRsHctK?4xv}_xqlo3{T9|GQ4!{OAYULak zps%Jxer5kwr|jYfoV~xY+G?D}9SY}6WQA!KXkJ%Q5h&MP%Nf_^tx0N@X*{|aMrt*=lf7ZDFIjGh2Tz6xzEUjETf{XEhL^cLcZ0Eu5`6fpT8H@ z#<``IAg^hf-*$h`vn(NCgq>8`O{1vRSCooWZk0#H-5c=Hc_tUHC^zaY0ami!JvMDu zw14bLam4O*L}@FWSETYP1m%fAjl1K_P~HDkwR_^_@e!iMkUObv>ODS@;$}Jjw;pFd zv+)D=fK~T@`}>3X`G4@(i#3U~EnK6#8*ktmW&ecI>;Gtr0#!JSOQ%`LxE$|bzyWIjJ)T7w?NkXx3Wlow6 zkw4fw4*Ow099V}8T{yK|!xr|nS8f=wx$gjDSb=^Ku~cH35?-mfWKQh^E?KpC?X<^M z^ZW5*D-Ns+8T#~T*jhy5X$dX@udC~!^V33mar*l7S&iF=tS>_V?|SHBdnAa`B<0iE>zwvA|?y(9y*YTtkI=8?I;H*gdQo8__ z^Hv_k(7}rr)z{{Laq#@uo~?+I;iNut4$)h3P58g8!v2w;_2mDD>3~-0e+G5^|6YH8 zu(y%_pW=CP{m(=1_^ia8S>=!8NnBCtxG&GnUshk7pS^NIuT=FuT2=Gan_NiH*Suxv z1!G{yQPKaHa#pAF)e`+ry-95p!f`rvWq$C585GQJj&FzP={8U*?hC6&!TKwlMGYhli!RaReZj79#~&vO3%aNYl(R`dV;y+-`cqoc!({l}9$ z_vQZ&Ryh|0_C?gqW$*V;HR}je<~B1h=Y#+krPpl6*u_4$ojJWF{QlLgYj&Wp2Vs2H zt{dOKS98Z3(DY|G#@xH5h;b69;y(3_zU2|G4IV($_qZ}}d%MqdL4Dj0l?A7;q zRw9`&KBjR@(#wU2WKwYos9*L~1R)TGT-m1(h+O$di&TX~1sK&)4PSAVy~G(F(}YTD z5v-Ma9XEz`(b21%TswQbs}T2q+sH@3P~{49$-QO9nOfu|uHSXW>?XazJU%%;t66jZ z1DbxBU^?GOn4j}mF8}4}W846)lK=MW{(pP@qy5eO-;+G|zyB*}<1^g=a$;`o9^uNb z<94t6E^n>dvML7bv$-!@>%Qy}E_@37kD#-WjS0881G@Je(7*W=(B=l{_jm&|=nq7wu|_?eAgE08PW zhd9_K9D>o{+q@o7=R983C-4{|Co=b^pKP{muRVlRT{we(lE8S6g^8AyUH`< zFEfJhk?#b7@R6_nx4n(}u$OM##iqy>PMJi{Lie6MJUKrztVx7_#{&6P`-EP@GQr<2 zTAW~-ApiZ07)hl_w-7TTptBh^i7Ok;pp)~n!k!{T=WsKEVk#8S==}2BFiJ1 zp$ui5MT9`8B)>$2Q9gA1{iUbBd;L>#^JMW~4x09V2OIt0lRRHG{)?irM~eTVn%cyF z*~EXj=b(QN!C<<9{(S4d%KtA;PhPz_4d?Nr_OYD*5Bf(3_4wcW`+J-7-;+FB=)zEd zPQ(9FNi?4KF6Zb+c=OYvA4CgwWYCuUXhHXF-c*C2dJ3<(a3*{BPM5rqw_*- zYcT{pm_|*f-uoi6xz3*Lu0Ye`4V5!M)-I$9uckk>mNVXm4<9_hsBNy=)PE(+B=%&J zo}7_hb*)2Be?@_gfk1*X`&*D!Q!uN3^bo$c7B^}TL}!hwc3Rlv2oy2SNhFhnPWU>{ 
zg)BeUsuelkivlHjV`m!BGeJn(dz~*$=V5d|Y=`K*Ns&G#It#n%-3gG5Qle9&jS0fn zm?j|R(-bito4o6sWrQaSG|p)fw@ez-E(8Dsq{PQb=y^LkCc~@Al5fG1=;g&LJqA$@ z911~_cDHGRI=nz61!atas6q_{GOX|HcppyTuM&fry7l6bB-TVV&=sDEZB-J6s)h~& zD;3|B5ou#Ow>T#eo2K+vf_#67Ql?eCW)_r?h!FDM6wBll7PB$KJoXh@ueGR&d`BT( zB&od~;3S*jfe#diPU2W?k?I_W;ZG!ISVD$=W5r^IRh&(EmV6QO`TY z(M&glW*D-#0}0@y%33VbD53q$uj{R8-*09ud?DNz?-oZ}QviF(Z)yR+EJRcKDc49OX1 z`E;hZEWrYj_^VYA+erz{+BW@GnBEqAc>v>swP#QnEl|N5U=3NMzPxy)Nyl0G08EH3 zX&Tx5#%c-YO5BFb`!MZ#&#IipcM;XAE@qW;z97{pwOd%ctMO->a+VIHW}IM}gf>^R zX){aImX)Gh6rk=x!pskq`_r$%ci{uNnUT~To9;>t7$Y!B6_Y%vbY0AegV>jDt^ug6 z$@{NpXXh=GWVo|~-q$t?w}#CbjfKePKr|XR1tN43Z8KMvr%N)W^Hi@FLtJM9{c zR?pJZiFmM#jkJME?x41Bg*<^iI4PIQKQA*9h59D;ZT&7tlqjar49y8v156Spq`aO* zNQcRBMq)HxxL6%8tQ(NoDD)6Tk#rjto8)*hq0uff38`WAO*zhHmg$>wg2{uRNmQ?m z5)_33h7vlbQbPmD%o!LS(+Q27qK2IAfe>|;{s8ddI7TcbYDcUK5N_5A&5??Eg+${l zl{C#s!E9EIAEv$-dV!4)dEOvYtPEj$sbFVbF^_W=7e7rZ^HK_d1uhE>o}Q5#oJv3$ zOlDZLo;u9@626(tQIcukT6mZ}d6(@0>Dca+*jk~a8lyZlxy5N$#R=by{se@_Umk+%vqmEC;<=hEvb0?vTp|l=H-9^fg#^HYg)T z>KxyWow*wKyKBNZjS2en$xVk|D+Snbib7KEj~|_^?x6uI%ovyG(iXcq@?ls1uJrn07m)R#qstFyOw^1U40I7hv7NOLNihLta+YJ?Bu0NE z)Y~-cYvSD&e=4N6_4k+9K2uY(r~KgDqpx zVqrel)8S5d3yAleu+|A$2FbFCGGLXnWM5RK$Vk^#U^Tz060536w8(1MeN2T>s>Wze zBhHGM^lB0f6-H#I!U$Y&=1-DI^aSnDorNI89 zX~U3Osq?tGxe0%UZ+4C->%}Y*y+OD)=uL@~G@S-ueNN)uHi}u4gU6*+VZ=ldKBpoa~lBDCYH}Vvi-h z41)nof0|kkqL3Vl?4w4!CgO zI5|HHJ?}&ytWH9CB6rcwjyVtK%Z9eIgPy6qR;`)|C!&}vy^tE1u!rq!&=PY2dNHew z0>vfaYW~zRqiFyps|EsdDlAMG;IQ?f(^BID$On?459Yj0Cx}W=q5(QGPOd4-MY1Rg z!a20MnR|alXBEQ<6NFTWDT|^FG@%5vtXQHO4EhQdQCw&+RoU~)bLY(6oEDm*3BFdi zoFI&p(2x+MN2i+~E*oqUYOVdTsH-SC+DO!DKMI{L7>!(0j4=8DoX|A&0X-wvB(*B5 zIZkt&BnuQJ1g9v^%0X@`BBD}D3kk8tD}Psw88m7t8FO|;Qk_;25N2dt3$MtdnMUp; z=OEQV8`=&R^Z{BRVNxqNpBaFyR#_bdDnr;sL`LCus4!LFid+5mlt?6G9$gh$I)JR; zUlB{y5&;nHPNdeP!)^*>K)aO@n;d_k=Y5~CRM8&rg=K^+nGPwktFdCJKS`{XzDZt% zUPH;CQc?U2CzEpN8_bqW+ZE6)NLq1hDZk_ouqYM7h7yWS>KyFECNX^o3oA0A_O_9j zu{?>Kq|7uyTe|BySj+)0A<0>mblG5>CTiGzgEvTLsr3d=cJm 
zgSsvyNJx^|eU~ZefWmr|L@53Pnm#4nkTh19yClTON(FDIZhnQ}1V$NBPn94t&w8dp zZ@YnCJ;3ka7V`{lF^%Hsgz_oQG7_WH^qO*(>MP5gof9zpU|b1b6M9?nWgN$PCvcc< zAzT>(!+?d|uUAM9m)tOogMT8 zfh|i&wf=B?4fmC1vA~iSk`p|KG11iM%_XSL=P)m7ktVDxZD9(CP! z#@nEnE+eWUPB2_xf&9nduEgr`ILR0&`z^XudFg8UpoAfsLbp0jNN5MBB)uzpa#e#V zxBu8-%nqo=ivdmJOu~v;+y4T z?gcfiHfW0OBDIM0y@uUa;6klndy0b^NxqY`g9I_xY7?W5K>Hf(!o#rtpLsS2_YT7T2elOlr-F`RViZfIXWim@PwoHJ;J|87TG3<*(uBzmA$rwl zEoSLgj^(YIL6#zj5I@y2F-rtW=oLX9##qc$Us28zBV$-O?1qY&)+(`loDeZntNpCJ zE{|}E#0{0vOkY+{^8|AX!+3%6OegV19~@QR2RMOhbiQ&7M$96!7t@8I7%FVPPJ|LO z2jS7KS$|dv6?q1_S3sg|;6t;8Le@Z<6@g5kdCbZAnUT$n)$@m{0b0>Uh?ed-a6%(# zM0%P*m107rIeXOcJcDY*y`r3Rl1jyH^E7RkD4_rP8V$nZ@Kz(=T2svFlq(Tb$y4N3 zl>~$@!Gbz9tQe(ZC*mHYv_x?$t9yM-lW0dI)m|yfHb~j1hFLYL)o|JzypRNqF$SH^ zlw3!&C51qO&Z#0W$+WuI*kMdqp2p}1j6K){<*6YD5_b{P0;;S3qe>ft^(rH%3IBP? zQnmEZd4f|?L=i+8i_5Tq`c+`DHAJ`JZFpN6$b(IXa{*TvZa_JwBe*FnBs+scC5=mx zDLF*R8pVM~@`c?9OZ2mdh~j$fO)&`^qZco>;D;6|W$j{ z^sTRU+iX-zHYcVtRC06TY6GgZJj?K9Mj{u9=2cq^n2yTzVV50O=4Ux18H-<0!E?Bt z_*)*U?a+a$SqdIKi9n+v`w#t>|)+uZHzrN%Qr#??&`pweLsu_0}GT z?AK{^L-$Wc_o$3)=mtqtr;FD3m_lNii$Hy^#8k{|IGVjd<$Wz!P35a?Q%T8tEv-H8 zcQ*CBU;C)=s6Xuw_AB4qUPMbT2M7Dz-PAu;x_Qyojf}FEPWA@}{qE5;zq{if3-QI->*4&a%o-V5z89qikK_ZalAA=YE_{xA8dqt-Gxa zS9>C^Hp|BqI@D$que37y!bDqkGi=5zx*|NJ%-0QMoK0xrCz{<#1bk5 z{qCDesFwzeaoQsMAQKz<&FTA-(W|$Yqn9V=@4vq|bsW1J9hyK-@M&6+z);)C!8z!y zI9wnk7a3W0UQypm;M-)j_TF0Mx|Z(h;*Q&&zL%~H^z9ve-ixU!p?pZhadT4+Ep`VT zuav699fwyVno{}r@IbTc0i}ypAZw38VgNXAa_c5xcb6^4+O`YcqpR9#Y~8JvZN?8l zxo*7^&HA&0+8V5qBxFt`Un~<0ibBnyU+*o)W?A)muU@-`rxrbtqgi?gj#SH?7*ZcA zq(^RHZ!DH}Mf$1jaR76@d_4fSuAQ*yYjRDJhHlJ$Xqll^`oF6FmpiV|kD>Y1&#L%O z`+K$g{~)z)^uJH>xIU3X4`QTfKdK?B_%asJR^Tm2L3T9^;pTMM>xJ5oswwXy3eF(L-6P=wlEb?T7tMSh>4B)%7p%JWHJD@8lLkN5oa}1Vi8lPas||g)uUfR%pFlp2NGrZ z5bgE*^Lr`8WRwLFl{h9zFy&bkv@2$w_m7rovyM7cNkN>pwRX6FxL=3%q@F{`j4ok$ z98MXVCIl{^6Nckpj1!zjga`V-0-y%-ya+e>hj;w{=s0w|DWQi43^0=9lN zX9^KauX#rlbjMr0cRg@gvCc!3^;YtnmO91~J<#jdk~&Z~)avjR7t6Igfv+ySK{kP_#Q;6iJ;401#-;M%@c*N|hWvkY)ZfJady;3X;4+mMSH5CyVn!#@2UA=m 
zB*&6W7ooR>{%OPiNCv_75S|engGV8q6Ld4fQX9}-uv`-K{l)7d2#<-u=4~MkX0)lX zTrAy#QH0a4Brk)9MuOk+w$P<^Ju?Al=5$UY2R$z@j6*Qy1R0BS<0@Dr_)?SomPrE)OOpkXGbU^h z6Ya`8UX-4QFH3j2v6@s)LT}6S%Gf-kn2IdHi;>ynAme!@msL?WPpLW+lw+D}HE zg_OjsHdHDTG6Z}1SFQ`R=jq&_j`-mFXsfshqypV2ILn>A*lj&eQ9fiL%ScM&A^P~q z{D75Ve%qCyr_{KanEN`MOBNGJA~`ayiux?jJZ>dAzlvXsZJsBRno!GM7qXZBEr#gF zpFB@fwHhk)RU+9)AS0754f5?yAmE`<(x*&O%13jNz+(6B5l$sFFSfv&N~1;#OfKOA zK^VhyVPOky6!mIa{lA6#qxm>eA4er2gD0kSohnS+L+H71LXV6wyCQMTTr3qAF{MnV z3hntpNEtO#gKl*eVTnQ)l42UP`SToSBUdcesL+Deh@{sV`^6hOvHE3fk9)c;2eCRe zrLU%O#)KTlq3t46yKtp3is_UHX$V`5 z+!r&vcX;H3n>G}&w);wQMfxk6VKGC`Vus$ndyg_sCiGVGHdx)p*&6x(?QhqVvDT1% zPB~|s#73gFT3_8`mM6)m81+eVgBQZDeyw5-?%S^i;qw>aKH4h04Zs`7zaE79FMNpp zSxR)j8+lFExUr@mu0?s!I{&35gOf0m5G^S8v__sV+os1iOFh|u<1xgTu=utax4Afb)s*6 ze40*}eycXa5qPtgb@uxGqo6+s`g`vOhr|BCuz&c!{o`T3Z%7B!xqPHJ))4sv2)fQ< zG7_cn37A6w8>laVB2!oKf>Xw+T#PDc@_}6DOp=jZY=!z~qZoF`z#LC0VOvuFQYkZ3wmX-XNQAN}vnP6qq^ zf&Y`|C2UI5kz`i{Y-t3YrZk<7AUm0YQg3)e&uaPh`h7?^yag);-YIdwJ>Z+fXF5n? z<38Nct?CwE=v01Ih_gcBOYIjato#OI7M`=hyHn(2eNqd((xPMwU4js~D1=J0`p!T! zFT9m)*crV+LB*Eysy+`EHvz_H>0oehRCQT8c(H$Yu;1U`(;66=*kt-`7FdSHQ3;tY zoQbS~ETFg$7(LZOO2efp`4Oi}7IY3c-hg_;*y zZ5tN$Fsdp<{jxhhCpcap!NAGa$skqODV8Ed+sWh8C-3X(E(}5MBFT?}u6dZ8(~&z_E@D?H34IGBl3@I&|zy zA~Kc=s`qnn3NL~(L7oHvRc8c17c4RHK-6DjBpe622R8F zTs$MyJA_II;%5r*p@#fxXQ8RZqSnbSGRx=d##+*!&2n_>IxBR0V?gt7^{lo3k7gvv z2p6Hu9zXx%;OOY!u#x}qaC86rB+ti>y&ZH-=R??%)NxB4M!%jbv_vy9L_0mjfmJc@ zrDlL-l%Gki_+lAew}_~&I9BNWK-7^Zji8c5NBf{REEBN^C3rZ&^HePzo==A|ghRL! 
zzv`J$HNSd$smemw;*3Pw5V1(md7fDQe1mmKdnX6c$Anf3I@?A?Clh)wRJHGD{ewB# zo15ZL4OW%YxgAxp7HOl>BKl2_UyZ!#u~NaOR;EG)wUt=K7q05pbtzB+tb!DZmSAR_ zrgDP({}91{2*0vl)cF5zHuwzk|IiD7qbkc4wp&)t56}&9lXCkQXkl5c#EYs}WCO-oCUoN8S49E8 z?W9)pt5-%7O|JEYIk`PkY_DkROnh$w13AEKx3*=uEzIn*DUs;eGq+M`b?}D5w_zY1 zjriNn+?VLHYby~Q^Iid>Sx*zd5=QAp3k8)Vk~)H`)<>c%vRH#{SWRZ=s4+{LaeQPt z%4*jUm*Xrc=psZ{;y8^@l5B?G=5sVSy5Hz;$QabctA=a-v1-%SVb;o^5>!QS7MyQI8dby)sQQRQJ!G@3i1xse)BHLF5->d5500uj0yX7gj*8c2Wb=*HV55 z7#87XBkNBWz2v-U)Fcd~4znzfK$RBKFCcORc+u2jA5snOOY_n#eo z+2-U$UB_x@<#MT-BeiZ`wK6R$qFJDc+g3gL9fn`A`?Gl;Dmd^#I`H9!pghJaY0kAD zybF!0K117QD{d+!s=K=C_?iB%v%yy@IDl=VXYQRr%|dT`yY?O0DbIhL#FUdrj&e@L z_I8!-XoCEIvK+-U2Bo+eYsGkpwwOmg3j%fMt%34&7>3&+`hiN5pG0S`+O;YU4N+~r zDpCAHbV?!C|1-R;?;d7Y?xJVoZA5Ofgho^*3k#(k8T$U>OlK|7P%T5iE@B)#i?)GA zFpB8};?359QjIB~od)eUHAs{HC2X?PD)~2P;L#aNK~Bpk(_hm4pR=gGwedkz^b`C+9UfkRh>Qm zUJbzb><{0ssMhL#YohpprZKxI%wP4Y!f{-XgT&Ni_s}8jA>940r;6y<$ojP#>&T?b zNEnU-tGQxI8}zVgfL;xd0xjw`A*$Bph%quVU26lmzgfMfW&3=K{(#}C2)_+|0Apu@88oGa8>-Dql4qx{r{kU zw2A-oB+tjC#&b)}_??~SK1Zz}2&&%KHq1!je&)@cXoULSsPlT!z0CUbDX4cQ^Jkm? 
z_13@ji@F~JSh4>1_m21L>woWHs?G>)W@*<2N_f;dtTg18mU9poe54TajOcW{8dWb?vFxq%XeuqjE^0hYuX?zwSB zm*7?g*G&;lc6E+Vi>YonO|({5L({nr*2-1Yj@8kFX3Q_O;T>((bmpsCEO#R0M+qgV z9MO2B{XaYVa2EEG=H2P4Si(K9-PY^eE)2I^6tCBI^Cogt7tI>WdU6aZkY6#==;)`@ ztYcX(9r`@v*L8>;ovy2bTn2+#;eKhM(a~AMlB0ILr&+ODVKpwR1f?&%b^c2{Ysr7k z9(W%CaJl@qx7R;9s>^=|M~55v?IYxQv_FW!Z6;AIG)!PkL~A-GCD%NeD{gMsk5ZNiej=squ@_HBhi(} z=e;88NQs|ka4ClV623Qh4gZD(Imb%2tex!rZ5X(Y4}o*7gICUW8z%lP)7B8^PDnRhd9KZ|||lmJF*ICImSNB=pCZ>RZw8nyobEyH$_h z4plP{O<4=Ro##n%=|*jGZ<6lVU{La{a0Rq$g73xC=C=w^b|k@uL~Wu)Vm>eo^wqV*S`TUDk^eDauXJWI{%{ z{Odk@KLjYB<1{XJ%K-U3mPt1rj_-a9^c+{-S)*Y1l51Ovo}<<)3)?6_FHI1jHTZr# zaM0R(zh2SJlGR_e3nCp}@SM|Ynvf|u6%kHMh&>yi$v&Aa6gR(dg5!5-vbbPOenS(Y zNw*U228!kBiFnJ>3y5@6`xrUychzv)W-enFo;^=1Soa`tPrX&7nCRF%dC_tE>=M?^EC5dQb~@6RtAtv6RlwMMf- z6^#hdluC+|S0urUOA@hENq~p$LL!{9xcIbR2AWUkHQ7wT7o7rRa>v944+}Edn}>M!&D$eLH%6`j6As^$xYD z(5W&u4#Z()Lv|be=H11cllSedE_XN9VFo)Jet-7nbo9;H>FZbb?4uFUu(PYnlQ-wD zPcKFnC+`~*vZ@z12x6s!rP93<|FeyQs~+2rBo17vkPfcdbx^Gm^EFHIIeDW_WOeOD zx#u)O0JnixNH2mV?!GJXu_j28UWY%sd(T|;s=qnHl4+q=E8YToa94{BSF&n{qg4oN z(#P68k_vZg>xgi9|MvAEaCr~9%mc z#+g@Sv5Wq4jT5lVY#)D@d2G0ieuL{;Yd+Tk@?Q!+=Owsm@1UouE6CO!O^dOtjo#cQ zKsq5s?}zY};MclXIgFN9?WdRGR-h_THWL0UKgyJ?EIq@xKxy{am0EfUUtG==BWo$( z?%&JVDA)#9(-DDveS@o7!L9P4F|fzsolC}Xw@PX78k@1h|@9 zxn1gX+t(N1>$82(qy|{4QtLg{#Z~7<=mBE2c8kJE<6!+@+N$BJIi0ncXxCD-@wN`A zAG`%VobKywx^r|_vR!AQTJ?r^-k!Vn3dZVf8e%Ho5lA1moyg3ys=z6Jg3? 
zvW=dtDweT$du0j8OyMr5YElcdR7$BpR8cCkn4GjW)Ge%38(UjoSqr|5)s&g>y`fW0 zJvwkO3v~!nNgo2GZgXu=8!swR^Iaz2zD}zmyF3R`x~maUjbRcbXjIy zXotCUn7jkPm4pr}L9UkW1iI>(@TIMmHqT={_p$#A8K=`b^s&PJZ_uyj|J>U<7;NId zKFPDO|10eOHWqpt3%!kn-o`?2W1+XP(A!w(Z7lR!E%Z96%B-2EwY#e(cidRuSx&jJ zz}r~hZ7lFM=3g5Nyg%3!Y%K6L7I?pZ3%reO+s3wSW81c|ZF@S~wv9#D#v*KE5w@`i z+gOBcEW)ZYxUmS^ScGjX!tQX(P_yUK#a#n3Zyi{xmR{@LG^}Z`Rg&Rl#ZX`sP<30b zx_FuCM-!t?#JS*b=4*HGw-~Ik3|M$~8548VUa{KLAO4Y5z+7AV)2F|E+ zooUR-{?0i4m8B9V=PW+SB@+=&2>;{QlpzEVzsGz^WTBRBvztR;qf)b-L-#nPudpew zlT(7b*W3~|yTiZ!vljoisT}XQ2dv=#2S@$7{cr#HaBsu^pW=BO{(pZx$hxY(Wywp+ zd=hp$TAs~6CGv*xD|N2Edag6X4|-?1Rj_t(Idfa#T1N2Yg~vqVfy-4je>eSonN6(S zLdoD2$1&AJVj#_IA zeZx31Z3gL-rnkrlK?1QPCLGBbPEkMH>xX?vpa^D1BpBo9ilng!O*_v7F}5sX*y~NH zoaN&%V)I^^Ypqx5r$>dziRkSg434(o?}*LS5QBsL=X(doFAkn>uZGb8hSM0S4TA%S z2DTvMOtOe2p*u(SQfx!71@5cq<7x=07%nfXSBG+ld@zgfTW9KS5IEM#_W;4~S}5kH z6)iumnYOt~tjJgO{dI)Jc4BW6AL|HPy&&uM#^(J>Q{%4s6?E}D(Kl!TED5Va$*`O` z7i)L7<7rWlJ#fP*6lYk@-h<1#I4Q{1T@H!TBe%k65Di9UVm z;f(fFC%p(KiDK||m>mvj+3|`thwc2;)b8l9$x){qr}7PvGZqgK&LvxcO-QRVqA89f zy{2+8l5|d34iMugB0{`ZCC-Wh@Adb>YSjVz4o%m9Uj^SB-;VH<)PQ<}Z%?LVZAhF( z*4muDG*8+*Pxq{~|7YT!nIHADYX3hx+^g^ZgZ^g!f0F0pvSj;e-W{JAcXQ@r909js zoc;=`4o5wv_vj0jkiXG1rs?zndvqqU>UP|@X>*nkbGd>u`YmU9wggVkUbI}WB2Dbw zpc47`XA((s!qkmjR-AO5n;Y$5To-ZH#NyMSPoI{90(oX&+Aq*6&0e9F{&qJgDt5D~ z;n;f5K_8R|520(q$EH9oNCRUUnnJCradZyOB+!y}cYG3rSq02$AHE6WV;aXKy8Q116B6w0`3akfK;p4qI}c9?mN_S*NrI;$jHv*b%f1#yA*r{_Uc#o; zXhP1GIW^oVp+f(0gJm>ZXAs4XCyJin4->;kO<2TI$yt&RE(|x+8Dbv`1Q?w<_fHsC zthL&1#EFhR6hPv|dV}Ovk`#3A{x0%ymWj45Voc^N6-4S0l%!r6Z1G)4EXgEK%!@mZ za;#pqk_>0*&upxFF@M~xbvLBuwXIbsr4xaRhe`QM)Tt{l5YMSlglW>8twO{+msrwtdPBxD z#;z*PZtD?qi+>wIuyeeREE2Z&^9K|TYcm^@gxE=bV&So~&y5(l5hMTA#K^Vfzp=i_`3(BM z!9gSb_u%ljzmfl*;(3^W)^@%3Su~1;P0l^^fK}VX`#4e+qSixY%KP0=x)SlfGJeYo z)z0hG&*LGX*!Y)Th+pVglm9C@<+Is;?jP(o>_7L9H~jx8p2zY3dVu-pBY1vop%a1F z1QlJNgYa+{rG&&tGH^x-0&}VklpKpQ8eHRq#=vgT&5Wdorb1#!bAYZXMt>*Cys5ot z$m_11MlK(wu=w}(=6XEmt(srh=kw(HV>#nUOEZ%2IZcg;3MV9u_#)G`N;K78OsDab 
zyf2H{7~&Vko>;ZUhK{qk*{AR2sa`ssNbrwe?cMRm^04@QKWpv(M$`A1{J-~)oBkii z8~y*&JP+Le>pNtz9a@g?2Z+(p?MZy!fRuKcZriI$LF8{-hFG(h=_>E~;1$Vs$gLzi#YvF!q|2X9cZ5ED8uofiJ?`$|saf|< z{5*gycVxLQ*sZ?5%SAs!er<`0mJ1hc72U?pKJxciI2%BLA8A#dj71SIB?;{XyOScW-~=|NAu0Dgn-_UjG1c z+`q9F_x{gX>)+_gNRWvvFp9D}aDi3p|ES-ut^fV~{muQ~lRR5y6Prr(EFmd+mN0ge zXUJc65$Ge|xs&pdul~2ajrwp2zI7L$!Y$WGYDE~8s_$2?;q|4Z8)$KYX@dOsGh&oV z$Q)r&%!q)_X84*QIU`NyF?4c%R+tKe=p2|8GWuh5et9ksO_7{YfndF$F_|zLTiPE=rl{e*sw|@%)Nw347#Sr}l4c*W*W;fvvr+*t=ynFZl>#urO z&qdFM({~T_RW@ZxoW(W<#r2?9+DP`ghG9iz(SwLn0QnGd7WOjEZWnrKef58TH;#d= z>tAvl(RA8-seV4h^It!!*8g#R{~sJ3ZPx$OJT=v4ge6Yc)UE=`dNXibcH-$Zi!d=n z2~G1`=c}PB^*JJ3(g`K;5Sh2_n)EMYArtO8fUVKJ*YN^-|Zk=P{EGvEv!lV7L z@5Mw!oM!qG>;(Oi)94B*Qjq9>FqsmL-s`sP#jw6A&V_oV#0H!s0Zjvz5)_j;3q6G1 zE0KU|@gn0a&LgPvOO6v5e~2!~gm5HT5u)+t<|h0Z`ZJ)bv7rg$C?*oqM1-EvR+*7q z*T(VC`Cq#JuQg|UC<9or{`Us^wfmpJ@nHXGv;Lpr$vC^FG2ug`$-`mPty37)e}qVx^#tE%lebKsb0T!e_(paF4PU4`# zA%l|hdI(88EqEb9TS#O$y_AgODS5xhh|c?oBAlWzLH?Y~8DIFIU-!p2o)Yc@Njuye z5a*$KOGBi~*UiXvuni*0{Gd^m57D5nHm=s75V~Aro)Hqdw;?+GmU_icCl)GDi;e^K zhADcxAUOVkQ%T-nh?=3tr#qPA+mS+xyR$5?V*fup z?$_gg4Gs=A`~Q`g6!+vG(@W6tGz#+5Ao zSRI~swdOa%ZFZuj8|c=QU`j}FgDqhh%}#GKPQV4K5+Lb{EQSb-QL59bgaIdH63dj- zq@@;mD@5b))XnK@oM;HN7W2uy?f2ANfj#@zOw{r8k5^y^cO10++Bt1 zOlqJH@AX`gYb-6b8dQ(r5|&kzv9DU0zAmCyT(v-R6$10V#)(h^6)TpCXyIEArI8EgQ`Trq${=FIiOI-WI zFX6Fa7u>%+b)xl7Z!?_6a8U!vf!GB82Ko-Y#tGG4zG$kETjU2#ST%evA<_oIWuE&yNfzZ*5yDvpkcZw6M7Iv*rRqbC zLZC5;Fr)%wbK)w&VZ0Mcl2{^=HY?A@3&6#zx0k9cO{Yj?B-#$Wvk5ZS zYPyk#r4rNBnz_I`D$xy15;P_#7Ya^+FaU3$?L=*971%;ebxnFvrnA6WD0j)`F95!K z3S2d-4x9xhbSsss{}R^9+dBhTu9DzCgkNh-_j?yQTfRPi0J8{Dm_@;y;y5m_16MAf z8V5x_Xdc9_r;3b8!fwoKHx0UE=!WsDgyC4Ah~+!mYk0v|z>6gZ9R z@fj(@cdwp(&j5= z)9>=Ex&J!`>UX~lUa9{*IIP=$^*8pPPxG`Tp>8CgUT*x|t?5}zf#o=1dcYZ9Y9urVpoQ#?%=05LOF+%Rl{0)Xe))Ts>G_5$Kef(JWgK01N8!~o&&ud2?7?zn(^_Xp%@QNlwQ>-y>D9>ha&#OHW>})O( zfkW-WR|B-XwXXU9neP%$jc-GxSNGb!X@OWPQaw|W^t!Gp(T=LMp6mDE#cg*@BchS> zx06@jo?eVj&;Ne<=Jev^b@Qm*B$KlC<@w3m(dGMh7boAIj^6+C{Is>Y0ie70S7#Te 
zFW8aJWR#V@d{&Q(VS7hO@(gNAWU%q?&8k!yb@7eixXKzP; ze|PzQbpGz*eQOsl4hDlZ7~h<}QINek`F}?5FHT;bUbfb55|h5%56gS~8fn?~|Nq~g zUi@?Px0B1$(fP^yzqhrn*mt==9g`pQ>61&5%`e6&67|~I85F7GFQL~YB|@BYHm>C> zok^K}OB#tsbxzh^{jIhwP)x@8!U>M)V>kc6b)~b5ykU7NYdR`BNs54L{m)f#ZFgm; zv(D@6fD7}Jc1~LqSjuF}QU!k?xe&Ss$&?beu6|gXwWyRx)x3%Dh_qc6u6yY6slePR;#rh zR9xfu=csw!u3u6%r@2yM=?08Y#oVp~w#r#<6?pEcvK2bFKqqhySi??spvI!@kZ#&6 zy_)p3)Fezlk$R!YLz_YC9)j#T^6G&M)ML{Xfwk71Rm5wa{~nY9aK-s=e{kH0|Gu&R zd7|eoEb_DE|NBFoARjx;V8`I^lwEL*_C8PQ!9Ui_Jut&z=U{&~i4Ffy)3M2)_^*;b zv63;-$&vU6&58K$^sFoYT}Piy{_7td)#JbS4>tP$r+Myqnlal`>-w%aUp9BF#vf7?zr)mhx%kO0PBcohs%!-noYK_27Bc@XFdjuYL`>3`^>~vSoea>D&mH0!)ei z7aR-G$@y7`-ZPLr6*S@oXBkbWh~*N>8R|h}99@w#-bFWHMTD@WIKW11+6(U*SyuZu z-fK6hHSm}O@hG#cAqxw?O-K3K9yGhX!ri9(j_5ZVdc+dl$?yEw+4Ny8W-90yQBVe_ zEbfY)dyTbKysfXo&UU9fi>mD&_S@PuZ=3CAr7v&2TJh5H<1Gl?);!oB96N;+JOPs= zsTO%&Z^sl_pRB(0cDH$I&)wv|`$YgOh|t^8A@0oiULY|eNrKe+))v$>o$jjr7fX6g zz{<{fkJH%OLMfT*NP5pQPA2r0#OQ{~8T#{fh~A~i0;^4Z4lZC^iT*f^(VV4JGOl)3$>}(kBt~-@ zab{!ahMxCVw6pV;Niy8oL25T2V?iSq46BfI;kcR6Xl4U(mM)bLy08e#8KUon765*% z2K@Z#*|OlA+bCvH4)^NNmt-g=I-?%39lNloQ3Dbn8>Iqa!EzT4_#if!3pUT@**s7F S{C@!e0RR68Jj=QO90CA_odpj7 literal 0 HcmV?d00001 diff --git a/charts/rancher-istio/105.5.0+up1.24.0/Chart.yaml b/charts/rancher-istio/105.5.0+up1.24.0/Chart.yaml new file mode 100644 index 0000000000..f5171a8296 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/Chart.yaml 
@@ -0,0 +1,24 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 +apiVersion: v1 +appVersion: 1.23.2 +description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. +icon: https://charts.rancher.io/assets/logos/istio.svg +keywords: +- networking +- infrastructure +name: rancher-istio +version: 105.5.0+up1.24.0 diff --git a/charts/rancher-istio/105.5.0+up1.24.0/README.md b/charts/rancher-istio/105.5.0+up1.24.0/README.md new file mode 100644 index 0000000000..2230c61859 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/README.md 
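Review bot: The generated Chart.yaml is internally inconsistent: `version: 105.5.0+up1.24.0` says the chart wraps Istio 1.24.0, but `appVersion: 1.23.2` and `catalog.cattle.io/upstream-version: 1.23.2` still carry the previous upstream, while the image tags elsewhere in this series were moved to 1.24.0. Anyone relying on these fields to know which Istio build is running (for example when matching advisories or the catalog UI) would read the wrong version. Since this file is produced by `make charts`, the fix belongs in the package's source Chart.yaml, changing the two fields to `appVersion: 1.24.0` and `catalog.cattle.io/upstream-version: 1.24.0` and regenerating; the `catalog.cattle.io/kube-version` range may also deserve a recheck against the 1.24 support matrix, which I cannot confirm from the diff.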
@@ -0,0 +1,79 @@ +# Rancher-Istio Chart + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. + +See the app-readme for known issues and deprecations. + +## Installation Requirements + +#### Chart Dependencies +- rancher-monitoring chart or other Prometheus installation + +#### Install +To install the rancher-istio chart with helm, use the following command: +``` +helm install rancher-istio --create-namespace -n istio-system +``` + +#### Uninstall +To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. + +**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** +`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` + +## Addons +The addons that are included with rancher-istio are: + +- Kiali +- Jaeger + +Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. +### Kiali Addon + +Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. + +#### Kiali Dependencies +##### rancher-monitoring chart or other Prometheus installation + +This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. 
+ +#### Prometheus Configuration for Kiali +> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. + +The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. + +To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. + +1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. +1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. + +#### Kiali External Services + +The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. + +##### Prometheus +The `kiali.external_services.prometheus` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Grafana +The `kiali.external_services.grafana` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. 
+ +##### Tracing +The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: +``` +http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} +``` +The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. + +## Jaeger Addon + +Jaeger allows you to trace and monitor distributed microservices. + +> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/105.5.0+up1.24.0/app-readme.md b/charts/rancher-istio/105.5.0+up1.24.0/app-readme.md new file mode 100644 index 0000000000..12075362f7 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/app-readme.md 
@@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
+ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.5.0+up1.24.0` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
+ +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/Chart.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/Chart.yaml new file mode 100644 index 0000000000..ea10fb720d --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/Chart.yaml 
@@ -0,0 +1,28 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
+ catalog.rancher.io/namespace: cattle-istio-system
+ catalog.rancher.io/release-name: rancher-kiali-server
+apiVersion: v2
+appVersion: v2.1.0
+description: Kiali is an open source project for service mesh observability, refer
+ to https://www.kiali.io for details. This is installed as sub-chart with customized
+ values in Rancher's Istio.
+home: https://github.com/kiali/kiali
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- networking
+- infrastructure
+maintainers:
+- email: kiali-users@googlegroups.com
+ name: Kiali
+ url: https://kiali.io
+name: kiali
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 2.1.0
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/NOTES.txt b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/NOTES.txt
new file mode 100644
index 0000000000..fac4e8d6c9
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/NOTES.txt
@@ -0,0 +1,20 @@ +Welcome to Kiali! For more details on Kiali, see: https://kiali.io + +The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon. + +{{- if not .Values.deployment.cluster_wide_access }} +=============== +!!! WARNING !!! +=============== +This Kiali Server Helm Chart does NOT support "deployment.cluster_wide_access" set to "false"! + +This feature, as well as others, is only available when using the Kiali Operator to install +the Kiali Server. It is for this reason this Kiali Server Helm Chart, while provided for +convenience, is not the recommended installation mechanism for installing the Kiali Server. +{{- end }} + +When installing with "deployment.cluster_wide_access=false" using this Kiali Server Helm Chart, +it is your responsibility to manually create the proper Roles and RoleBindings for the Kiali Server +to have the correct permissions to access the service mesh namespaces. + +(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}]) diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/_helpers.tpl b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/_helpers.tpl new file mode 100644 index 0000000000..b5fd639061 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/_helpers.tpl 
@@ -0,0 +1,222 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Determine if on OpenShift (when debugging the chart for OpenShift use-cases, set "simulateOpenShift") +*/}} +{{- define "kiali-server.isOpenShift" -}} +{{- .Values.isOpenShift | default (.Capabilities.APIVersions.Has "operator.openshift.io/v1") -}} +{{- end }} + +{{/* +Identifies the log_level. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- .Values.deployment.logger.log_level -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullName := include "kiali-server.fullname" . 
-}} +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} +app.kubernetes.io/name: kiali +{{- if (and .Release.IsUpgrade $deployment)}} +app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} +{{- else }} +app.kubernetes.io/instance: {{ $fullName }} +{{- end }} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- if (eq .Values.server.web_root "/") }} + {{- .Values.server.web_root }} + {{- else }} + {{- .Values.server.web_root | trimSuffix "/" }} + {{- end }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default deployment.ingress.enabled. 
Disable it on k8s; enable it on OpenShift. +*/}} +{{- define "kiali-server.deployment.ingress.enabled" -}} +{{- if hasKey .Values.deployment.ingress "enabled" }} + {{- .Values.deployment.ingress.enabled }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- true }} + {{- else }} + {{- false }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. +*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and ((and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url))) (not .Values.auth.openshift.redirect_uris)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- if (and (not .Values.kiali_route_url) (not .Values.auth.openshift.redirect_uris)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." 
}} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the root namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.external_services.istio.root_namespace" -}} +{{- if .Values.external_services.istio.root_namespace }} + {{- .Values.external_services.istio.root_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. +Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. 
+*/}} +{{- define "kiali-server.remote-cluster-secrets" -}} +{{- $theDict := dict }} +{{- if .Values.clustering.autodetect_secrets.enabled }} + {{- $secretLabelToLookFor := (regexSplit "=" .Values.clustering.autodetect_secrets.label 2) }} + {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }} + {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }} + {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }} + {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }} + {{- $clusterName := $secret.metadata.name }} + {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "kiali.io/cluster")) }} + {{- $clusterName = get $secret.metadata.annotations "kiali.io/cluster" }} + {{- end }} + {{- $theDict = set $theDict $clusterName $secret.metadata.name }} + {{- end }} + {{- end }} +{{- end }} +{{- $theDict | toJson }} +{{- end }} diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/cabundle.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/cabundle.yaml new file mode 100644 index 0000000000..e0bc1f2c2f --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/cabundle.yaml @@ -0,0 +1,15 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if eq "true" (include "kiali-server.isOpenShift" .) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }}-cabundle + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + service.beta.openshift.io/inject-cabundle: "true" +... +{{- end }} +{{- end }} \ No newline at end of file 
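Review bot: `kiali-server.login_token.signing_key` falls back to `randAlphaNum 16`, which is evaluated afresh on every render, so each `helm upgrade` (and each `helm template`/diff run) produces a different key unless `login_token.signing_key` is pinned in values. Because the Deployment carries a `checksum/config` annotation over the ConfigMap, that rotation restarts Kiali and invalidates every session token issued before the upgrade, which will look like a spurious forced logout to operators. The helper already uses `lookup` in `kiali-server.selectorLabels` to preserve state across upgrades; the same approach could keep the previously generated key, or at minimum the fallback branch should carry a warning such as `{{- /* NOTE: regenerated on every render — each helm upgrade rotates the key and logs out all Kiali users; set login_token.signing_key to pin it */}}`. I have not verified how Kiali itself validates the key length, so the 16-character default is left as is.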
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/configmap.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/configmap.yaml new file mode 100644 index 0000000000..45b571ec16 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/configmap.yaml 
@@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.configmap_annotations }} + annotations: + {{- toYaml .Values.deployment.configmap_annotations | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}} + {{- $cm := omit .Values "kiali_route_url" }} + {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}} + {{- $_ := set $cm.deployment "namespace" .Release.Namespace }} + {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}} + {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }} + {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }} + {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }} + {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }} + {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }} + {{- $_ := set $cm.external_services.istio "root_namespace" (include "kiali-server.external_services.istio.root_namespace" .) }} + {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }} + {{- toYaml $cm | nindent 4 }} +... diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml new file mode 100644 index 0000000000..1c3043b442 --- /dev/null 
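Review bot: The `login_token.signing_key` value (explicit or generated) is written in clear text into `config.yaml` of a plain ConfigMap via `set $cm.login_token "signing_key" ...` and `toYaml $cm`, alongside the rest of `.Values` minus only `kiali_route_url`. A ConfigMap is usually readable by a wider set of principals than a Secret and is not covered by Secret-scoped etcd encryption, and anyone who can read it can mint Kiali session tokens. The Deployment template in this same chart already mounts `deployment.secret_name` at `/kiali-secret`; if Kiali can read the signing key from there, that is the better home, otherwise please add a comment above the `set $cm.login_token` line such as `{{- /* NOTE: signing_key is stored here in clear text; restrict ConfigMap read access in this namespace */ }}` so operators understand the exposure. Whether any other sensitive `.Values` keys (e.g. OpenID client settings under `auth`) end up in this ConfigMap depends on values not shown in this hunk and is worth a second look.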
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml 
@@ -0,0 +1,246 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "-4" +spec: +{{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +{{- end }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) 
}} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + {{- range .Values.deployment.custom_envs }} + - name: {{ .name | quote }} + value: {{ .value | quote }} + {{- end }} + volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console + subPath: env.js + mountPath: /opt/kiali/console/env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + {{- if .Values.web_root_override }} + - name: kiali-console + configMap: + name: kiali-console + items: + - key: env.js + path: env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . 
}}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) 
| fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.deployment.tolerations }} +{{ toYaml .Values.deployment.tolerations | indent 8 }} +{{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.deployment.node_selector }} +{{ toYaml .Values.deployment.node_selector | indent 8 }} +{{- end }} +... +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml.orig b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml.orig new file mode 100644 index 0000000000..2c392330bd --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/deployment.yaml.orig 
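Review bot: The default container `securityContext` in this hunk (drop ALL, `runAsNonRoot`, `readOnlyRootFilesystem`, no privilege escalation) is solid but omits a seccomp profile, so the pod will not pass the `restricted` Pod Security Standard that the app-readme in this patch points users to as the PSP replacement; adding `seccompProfile:` / `type: RuntimeDefault` inside that default block closes the gap without changing behaviour for users who override `deployment.security_context`. The image reference `{{ .Values.deployment.repository }}@{{ .Values.deployment.image_digest }}:{{ .Values.deployment.tag }}` only renders a valid pinned reference if `image_digest` holds just the algorithm (`sha256`) and `tag` the hash, as the upstream `image_digest`/`image_version` pair appears to intend; with the Rancher rename to `tag` that convention should be spelled out in a comment, e.g. `{{- /* image_digest is the digest algorithm ("sha256"); when set, tag must be the digest hash */}}`. Separately, the sibling `templates/deployment.yaml.orig` added by this patch looks like a leftover from `patch`; since Helm renders every file under `templates/`, it would likely emit a second, un-patched Deployment with the same name and should be dropped.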
@@ -0,0 +1,230 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: +{{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +{{- end }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) 
}} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + {{- range .Values.deployment.custom_envs }} + - name: {{ .name | quote }} + value: {{ .value | quote }} + {{- end }} + volumeMounts: + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + secretName: {{ include "kiali-server.fullname" . 
}}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + {{- if .Values.deployment.tolerations }} + tolerations: + {{- toYaml .Values.deployment.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.deployment.node_selector }} + nodeSelector: + {{- toYaml .Values.deployment.node_selector | nindent 8 }} + {{- end }} +... 
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/hpa.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/hpa.yaml
new file mode 100644
index 0000000000..d04cb0cda6
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/hpa.yaml
@@ -0,0 +1,19 @@
+{{- if not .Values.deployment.remote_cluster_resources_only }}
+{{- if .Values.deployment.hpa.spec }}
+---
+apiVersion: {{ .Values.deployment.hpa.api_version }}
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "kiali-server.fullname" . }}
+ {{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
+...
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/ingress.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/ingress.yaml
new file mode 100644
index 0000000000..911b63c46c
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/ingress.yaml
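Review bot: `templates/deployment.yaml.orig` is a patch backup artifact, and Helm sends every file under `templates/` that does not start with `_` through the renderer, so unless the kiali chart's `.helmignore` excludes `*.orig` (the tracing chart's in this commit does; the kiali chart's is not in the diff) this hunk emits a second Deployment named `{{ include "kiali-server.fullname" . }}` that collides with the one from deployment.yaml. Drop the file from the packaged chart or add `*.orig` to the kiali chart's .helmignore. If it is kept deliberately as a reference copy of the upstream template, say so in the chart README so the next reviewer does not have to re-derive that.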
@@ -0,0 +1,64 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- else }} + # For ingress-nginx versions older than 0.20.0 use secure-backends. + # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948) + # For ingress-nginx versions 0.20.0 and later use backend-protocol. + {{- if (include "kiali-server.identity.cert_file" .) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- else }} + nginx.ingress.kubernetes.io/secure-backends: "false" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + {{- end }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + {{- if .Values.deployment.ingress.class_name }} + ingressClassName: {{ .Values.deployment.ingress.class_name }} + {{- end }} + rules: + - http: + paths: + - path: {{ include "kiali-server.server.web_root" . }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ include "kiali-server.fullname" . 
}} + port: + number: {{ .Values.server.port }} + {{- else }} + backend: + serviceName: {{ include "kiali-server.fullname" . }} + servicePort: {{ .Values.server.port }} + {{- end }} + {{- if not (empty .Values.server.web_fqdn) }} + host: {{ .Values.server.web_fqdn }} + {{- end }} + {{- end }} +... +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/oauth.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/oauth.yaml new file mode 100644 index 0000000000..223b8cdc3b --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/oauth.yaml @@ -0,0 +1,31 @@ +{{- if eq "true" (include "kiali-server.isOpenShift" .) }} +{{- if (or (.Values.kiali_route_url) (.Values.auth.openshift.redirect_uris)) }} +--- +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +redirectURIs: +{{- if .Values.auth.openshift.redirect_uris }} +{{- range .Values.auth.openshift.redirect_uris }} +- {{ . }} +{{- end }} +{{- else }} +- {{ .Values.kiali_route_url }}/api/auth/callback +{{- if .Values.server.web_port }} +- {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }}/api/auth/callback +{{- end }} +{{- end }} +grantMethod: auto +{{- if .Values.auth.openshift.token_inactivity_timeout }} +accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }} +{{- end }} +{{- if .Values.auth.openshift.token_max_age }} +accessTokenMaxAgeSeconds: {{ .Values.auth.openshift.token_max_age }} +{{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/psp.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/psp.yaml new file mode 100644 index 0000000000..e31d706d4b --- /dev/null 
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/psp.yaml @@ -0,0 +1,67 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: kiali +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "kiali-server.fullname" . }}-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role-viewer.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role-viewer.yaml new file mode 100644 index 0000000000..cbe6d0d7fa --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role-viewer.yaml 
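Review bot: The PSP RoleBinding's subject hard-codes `name: kiali`, while serviceaccount.yaml in this same commit names the ServiceAccount `{{ include "kiali-server.fullname" . }}`; with a non-default `deployment.instance_name` the binding points at a ServiceAccount that does not exist, so when `global.cattle.psp.enabled` is true the pod has no usable PodSecurityPolicy and is rejected at admission. Use the same helper, `name: {{ include "kiali-server.fullname" . }}`, and consider adding `namespace: {{ .Release.Namespace }}` to the subject so the reference is explicit rather than defaulted. The `namespace:` under the PodSecurityPolicy metadata is meaningless for a cluster-scoped resource and can be removed.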
@@ -0,0 +1,103 @@ +{{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }}-viewer + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch +... +{{- end -}} 
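Review bot: The viewer ClusterRole is not strictly read-only: the `pods/portforward` rule grants `create`, which lets the Kiali service account open port-forwards to any pod cluster-wide, and the accompanying `post` is not a Kubernetes RBAC verb (an HTTP POST is authorized as `create`), so that entry is dead text. If `view_only_mode` is meant to imply no write-class access, gate the portforward rule behind a value or drop it, and delete `- post` here and in the identical rule in role.yaml. At minimum a comment above the rule would help, e.g. `# create on pods/portforward is not read-only; document which Kiali feature requires it`.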
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role.yaml new file mode 100644 index 0000000000..74c574d318 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/role.yaml 
@@ -0,0 +1,110 @@ +{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch +... +{{- end -}} 
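Review bot: This ClusterRole is only rendered when `auth.strategy` is exactly `"anonymous"` and `view_only_mode` is false, which is precisely the configuration in which the Kiali UI has no login, and it grants `create`, `delete` and `patch` on `resources: ["*"]` across every Istio API group cluster-wide plus `patch` on namespaces, pods, services and workloads. That follows upstream Kiali's model (the SA's own permissions are used only for anonymous auth), but it deserves to be stated where an operator sets those values: a comment in values.yaml next to `view_only_mode`, e.g. `# with auth.strategy "anonymous" and view_only_mode false, the Kiali SA gets cluster-wide create/delete/patch on Istio resources and the UI is unauthenticated`.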
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/rolebinding.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/rolebinding.yaml
new file mode 100644
index 0000000000..dd0d585fb1
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/rolebinding.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+...
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/route.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/route.yaml
new file mode 100644
index 0000000000..77b2906bf2
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/route.yaml
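Review bot: The `or view_only_mode (ne auth.strategy "anonymous")` test is evaluated twice in rolebinding.yaml and must stay in step with the same expression in role-viewer.yaml and role.yaml; computing the name once at the top keeps the three files consistent and makes a future change a one-line edit: `{{- $viewer := or .Values.deployment.view_only_mode (ne .Values.auth.strategy "anonymous") }}` followed by `{{- $roleName := ternary (printf "%s-viewer" (include "kiali-server.fullname" .)) (include "kiali-server.fullname" .) $viewer }}`, then `name: {{ $roleName }}` in both metadata and roleRef.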
@@ -0,0 +1,36 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if eq "true" (include "kiali-server.isOpenShift" .) }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + annotations: + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: {{ include "kiali-server.fullname" . }} + port: + targetPort: {{ .Values.server.port }} + {{- end }} +... +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/service.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/service.yaml new file mode 100644 index 0000000000..89b6860fbd --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/service.yaml 
@@ -0,0 +1,53 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret + {{- end }} + {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }} + {{- if empty .Values.server.web_port }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }} + {{- else }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{ include "kiali-server.server.web_root" . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.service_annotations }} + {{- toYaml .Values.deployment.service_annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.deployment.service_type }} + type: {{ .Values.deployment.service_type }} + {{- end }} + ports: + {{- if (include "kiali-server.identity.cert_file" .) }} + - name: tcp + appProtocol: https + {{- else }} + - name: http + appProtocol: http + {{- end }} + protocol: TCP + port: {{ .Values.server.port }} + {{- if and (not (empty .Values.server.node_port)) (eq .Values.deployment.service_type "NodePort") }} + nodePort: {{ .Values.server.node_port }} + {{- end }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + appProtocol: http + protocol: TCP + port: {{ .Values.server.observability.metrics.port }} + {{- end }} + selector: + {{- include "kiali-server.selectorLabels" . | nindent 4 }} + {{- if .Values.deployment.additional_service_yaml }} + {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }} + {{- end }} +... 
+{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/serviceaccount.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/serviceaccount.yaml new file mode 100644 index 0000000000..995d580465 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +... diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/validate-psp-install.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/web-root-configmap.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/web-root-configmap.yaml new file mode 100644 index 0000000000..970d4e4f5d --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/templates/web-root-configmap.yaml 
@@ -0,0 +1,12 @@ +{{- if .Values.web_root_override }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali-console + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +data: + env.js: | + window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali'; +{{- end }} diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/values.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/values.yaml new file mode 100644 index 0000000000..729250e9cf --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/kiali/values.yaml 
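Review bot: The proxy URL written into `env.js` hard-codes the Service name and port (`services/http:kiali:20001/proxy/kiali`), while service.yaml in this commit names the Service `{{ include "kiali-server.fullname" . }}` and exposes `{{ .Values.server.port }}`; `web_root_override` defaults to true, so changing `server.port` or `deployment.instance_name` silently breaks the Rancher proxy link. Build the segment from the same sources, `http:{{ include "kiali-server.fullname" . }}:{{ .Values.server.port }}`, and, if nothing outside this chart depends on the literal `kiali-console`, name the ConfigMap from the helper as the other templates do. The `global.cattle.clusterId` value is interpolated into a single-quoted JS string with no quoting or default, so an unset value yields `/k8s/clusters//api/...`; a comment on the key in values.yaml stating that Rancher supplies it would make that dependency explicit.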
@@ -0,0 +1,126 @@ +# This is required for "openshift" auth strategy. +# You have to know ahead of time what your Route URL will be because +# right now the helm chart can't figure this out at runtime (it would +# need to wait for the Kiali Route to be deployed and for OpenShift +# to start it up). If someone knows how to update this helm chart to +# do this, a PR would be welcome. +kiali_route_url: "" + +# rancher specific override that allows proxy access to kiali url +web_root_override: true +# +# Settings that mimic the Kiali CR which are placed in the ConfigMap. +# Note that only those values used by the Helm Chart will be here. +# + +additional_display_details: +- annotation: kiali.io/api-spec + icon_annotation: kiali.io/api-type + title: API Documentation + +istio_namespace: "" # default is where Kiali is installed + +auth: + openid: {} + openshift: {} + strategy: "" + +clustering: + autodetect_secrets: + enabled: true + label: "kiali.io/multiCluster=true" + clusters: [] + +deployment: + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + # The Kiali server helm chart only supports cluster-wide access; setting cluster_wide_access to false is not supported. + # For more control over what the Kial Service Account can see, use the Kiali Operator. 
+ cluster_wide_access: true + configmap_annotations: {} + custom_envs: [] + custom_secrets: [] + dns: + config: {} + policy: "" + host_aliases: [] + hpa: + api_version: "autoscaling/v2" + spec: {} + image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") + repository: rancher/mirrored-kiali-kiali + image_pull_policy: "Always" + image_pull_secrets: [] + tag: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash + ingress: + additional_labels: {} + class_name: "nginx" + #enabled: + override_yaml: + metadata: {} + instance_name: "kiali" + logger: + log_format: "text" + log_level: "info" + time_field_format: "2006-01-02T15:04:05Z07:00" + sampler_rate: "1" + node_selector: {} + pod_annotations: {} + pod_labels: {} + priority_class_name: "" + remote_cluster_resources_only: false + # if deployment.hpa is defined, this replicas setting will be ignored + replicas: 1 + resources: + requests: + cpu: "10m" + memory: "64Mi" + limits: + memory: "1Gi" + secret_name: "kiali" + security_context: {} + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v2.1.0 # v1.39 # v1.39.0 # see: https://quay.io/repository/kiali/kiali?tab=tags + view_only_mode: false + +external_services: + custom_dashboards: + enabled: true + istio: + root_namespace: "" + +identity: {} + #cert_file: + #private_key_file: + +kiali_feature_flags: + disabled_features: [] + validations: + ignore: ["KIA1301"] + +login_token: + signing_key: "" + +server: + port: 20001 + #node_port: + observability: + metrics: + enabled: true + port: 9090 + web_root: "" + +# Common settings used among istio subcharts. +global: + # Specify rancher clusterId of external tracing config + # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 + cattle: + systemDefaultRegistry: "" + clusterId: + psp: + enabled: false \ No newline at end of file 
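Review bot: `tag: v1.89.3` and `version_label: v2.1.0` disagree about which Kiali release this chart ships, and both inline comments still describe a `v1.39`-era value; `tag` selects the image and `version_label` is presumably stamped on the rendered resources, so one of them is wrong — confirm the intended release and fix the other. `clusterId:` under `global.cattle` is a bare key and parses as null, unlike its sibling `systemDefaultRegistry: ""`; write `clusterId: ""` so the value interpolated into the web-root proxy URL is a string when Rancher does not supply it.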
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/.helmignore b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/Chart.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/Chart.yaml new file mode 100644 index 0000000000..a96d6e2043 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/Chart.yaml @@ -0,0 +1,12 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.rancher.io/certified: rancher + catalog.rancher.io/namespace: istio-system + catalog.rancher.io/release-name: rancher-tracing +apiVersion: v1 +appVersion: 1.63.0 +description: A quick start Jaeger Tracing installation using the all-in-one demo. + This is not production qualified. Refer to https://www.jaegertracing.io/ for details. +name: tracing +version: 1.63.0 diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/README.md b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/README.md new file mode 100644 index 0000000000..25534c6288 --- /dev/null +++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/README.md 
@@ -0,0 +1,5 @@
+# Jaeger
+
+A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
+
+> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_affinity.tpl b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_affinity.tpl
new file mode 100644
index 0000000000..bf6a9aee5c
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_affinity.tpl
@@ -0,0 +1,92 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+{{- define "nodeAffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .Values.podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if or .Values.podAntiAffinityTermLabelSelector}}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . 
}}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_helpers.tpl b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_helpers.tpl
new file mode 100644
index 0000000000..09c6b05467
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/_helpers.tpl
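Review bot: Both node-affinity helpers (nodeAffinityRequiredDuringScheduling and nodeAffinityPreferredDuringScheduling) select on `beta.kubernetes.io/arch`, a label Kubernetes has deprecated in favour of `kubernetes.io/arch`; because it sits in a required term, a node that no longer carries the beta label matches nothing and the jaeger pod stays Pending. Changing the two `- key: beta.kubernetes.io/arch` lines to `- key: kubernetes.io/arch` keeps the same semantics on every supported kubelet. A smaller style point: `{{- if or .Values.podAntiAffinityTermLabelSelector}}` in podAntiAffinity applies `or` to a single operand; `{{- if .Values.podAntiAffinityTermLabelSelector }}` reads the same and matches the sibling check a few lines above.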
@@ -0,0 +1,47 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tracing.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tracing.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/deployment.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/deployment.yaml
new file mode 100644
index 0000000000..f8a6828085
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/deployment.yaml
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Values.provider }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+{{- if .Values.jaeger.podAnnotations }}
+{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: jaeger
+ image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ env:
+ {{- if eq .Values.jaeger.spanStorageType "badger" }}
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ {{- end }}
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: "9411"
+ - name: MEMORY_MAX_TRACES
+ value: "{{ .Values.jaeger.memory.max_traces }}"
+ - name: QUERY_BASE_PATH
+ value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+{{- end }}
+ resources:
+{{- if .Values.jaeger.resources }}
+{{ toYaml .Values.jaeger.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeAffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . 
| indent 6 }}
+ {{- if .Values.global.cattle.psp.enabled }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ {{- end }}
+ serviceAccountName: {{ include "tracing.fullname" . }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumes:
+ - name: data
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+ persistentVolumeClaim:
+ claimName: istio-jaeger-pvc
+{{- else }}
+ emptyDir: {}
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/psp.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/psp.yaml
new file mode 100644
index 0000000000..4d5c271e1b
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/psp.yaml
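Review bot: The pod securityContext (`runAsNonRoot: true`, `runAsUser: 1000`) is rendered only inside `{{- if .Values.global.cattle.psp.enabled }}`, and that value defaults to `false` in this chart's values.yaml, so on the common path the jaeger container runs as whatever user the image picks with no privilege-escalation or capability restrictions at all. Tying the pod's own hardening to whether a PSP object is also created is the wrong coupling: the securityContext should be unconditional, and the container should additionally drop capabilities and forbid privilege escalation — the PSP in psp.yaml already demands exactly that, so this just makes the Deployment self-enforcing on clusters that no longer serve the PSP API. Separately, values.yaml declares `global.imagePullSecrets: []` but nothing in this pod spec references it; either add `imagePullSecrets` under `spec` or remove the dead value. The rewritten lines:

```yaml
      containers:
        - name: jaeger
          # … unchanged: image, imagePullPolicy, env, probes, volumeMounts, resources …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      # … unchanged: affinity …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: serviceAccountName, nodeSelector, tolerations, volumes …
```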
@@ -0,0 +1,76 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tracing.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tracing.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "tracing.fullname" . }}
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - secret
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/pvc.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/pvc.yaml
new file mode 100644
index 0000000000..9b4c55e4fb
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/pvc.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-jaeger-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+spec:
+ storageClassName: {{ .Values.jaeger.storageClassName }}
+ accessModes:
+ - {{ .Values.jaeger.accessMode }}
+ resources:
+ requests:
+ storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/service.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/service.yaml
new file mode 100644
index 0000000000..3ee5a54247
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/service.yaml
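Review bot: `storageClassName: {{ .Values.jaeger.storageClassName }}` renders as a key with no value when the chart default `""` is used, which YAML reads as null, so the claim is provisioned from the cluster's default StorageClass rather than requesting no class; the two are different requests and the template currently cannot express the second. If the default class is the intent, say so next to the value in values.yaml (`storageClassName: ""  # empty = cluster default StorageClass`); if users must be able to opt out of dynamic provisioning, render it with `| quote` and document that `""` does that. Minor: `{{.Values.jaeger.persistentVolumeClaim.storage }}` is the only action in the chart without a space after `{{`.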
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.service.externalPort }}
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: {{ .Values.provider }}
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: zipkin
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.zipkin.queryPort }}
+ targetPort: {{ .Values.zipkin.queryPort }}
+ selector:
+ app: {{ .Values.provider }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ - port: 4317
+ name: grpc-otel
+ - port: 4318
+ name: http-otel
+ selector:
+ app: {{ .Values.provider }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/serviceaccount.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..1bff77ff66
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/validate-psp-install.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/values.yaml b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/values.yaml
new file mode 100644
index 0000000000..4929fb82a4
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/charts/tracing/values.yaml
@@ -0,0 +1,53 @@
+provider: jaeger
+contextPath: ""
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+nameOverride: ""
+fullnameOverride: ""
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ defaultResources: {}
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets: []
+ arch:
+ arm64: 2
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+ defaultNodeSelector:
+ kubernetes.io/os: linux
+ rbac:
+ pspEnabled: false
+
+jaeger:
+ repository: rancher/mirrored-jaegertracing-all-in-one
+ tag: 1.63.0
+ # spanStorageType value can be "memory" and "badger" for all-in-one image
+ spanStorageType: badger
+ resources:
+ requests:
+ cpu: 10m
+ persistentVolumeClaim:
+ enabled: false
+ storage: 5Gi
+ storageClassName: ""
+ accessMode: ReadWriteMany
+ memory:
+ max_traces: 50000
+zipkin:
+ queryPort: 9411
+service:
+ annotations: {}
+ name: http-query
+ type: ClusterIP
+ externalPort: 16686
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/configs/istio-base.yaml b/charts/rancher-istio/105.5.0+up1.24.0/configs/istio-base.yaml
new file mode 100644
index 0000000000..17fb5ff8c3
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/configs/istio-base.yaml
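Review bot: `global.rbac.pspEnabled: false` is declared here but none of the tracing templates in this commit reads it — the PSP objects and the pod securityContext are all gated on `global.cattle.psp.enabled` — so it is dead configuration that invites an operator to flip the wrong switch; drop it or annotate it `# unused; PSP support is controlled by global.cattle.psp.enabled`. The defaults also pair `spanStorageType: badger` with `persistentVolumeClaim.enabled: false`, which deployment.yaml backs with an emptyDir, so every trace is lost on pod restart; a comment on `persistentVolumeClaim` such as `# with enabled: false the badger store lives in an emptyDir and does not survive pod restarts` would make that tradeoff visible to whoever tunes this. `tag: 1.63.0` happens to parse as a string, but quoting it (`tag: "1.63.0"`) protects the image reference if a future tag such as `1.7` is ever substituted.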
@@ -0,0 +1,140 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: {{ .Values.base.enabled }}
+ cni:
+ enabled: {{ .Values.cni.enabled }}
+ k8s:
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ egressGateways:
+ - enabled: {{ .Values.egressGateways.enabled }}
+ name: istio-egressgateway
+ k8s:
+ {{- if .Values.egressGateways.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.egressGateways.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ ingressGateways:
+ - enabled: {{ .Values.ingressGateways.enabled }}
+ name: istio-ingressgateway
+ k8s:
+ {{- if .Values.ingressGateways.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.ingressGateways.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . 
| nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ service:
+ ports:
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: http2
+ port: 80
+ targetPort: 8080
+ nodePort: 31380
+ - name: https
+ port: 443
+ targetPort: 8443
+ nodePort: 31390
+ - name: tcp
+ port: 31400
+ targetPort: 31400
+ nodePort: 31400
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ istiodRemote:
+ enabled: {{ .Values.istiodRemote.enabled }}
+ pilot:
+ enabled: {{ .Values.pilot.enabled }}
+ k8s:
+ {{- if .Values.pilot.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.pilot.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}
+ profile: default
+ tag: {{ .Values.tag }}
+ revision: {{ .Values.revision }}
+ meshConfig:
+ defaultConfig:
+ {{- if .Values.tracing.enabled }}
+ tracing:
+ zipkin:
+ address: {{ .Values.tracing.zipkinAddress }}
+ {{- end }}
+ proxyMetadata:
+ {{- if .Values.dns.enabled }}
+ ISTIO_META_DNS_CAPTURE: "true"
+ {{- end }}
+ values:
+ gateways:
+ istio-egressgateway:
+ name: istio-egressgateway
+ type: {{ .Values.egressGateways.type }}
+ istio-ingressgateway:
+ name: istio-ingressgateway
+ type: {{ .Values.ingressGateways.type }}
+ global:
+ istioNamespace: {{ template "istio.namespace" . }}
+ proxy:
+ image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
+ proxy_init:
+ image: {{ template "system_default_registry" . 
}}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}
+ {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+ defaultPodDisruptionBudget:
+ enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }}
+ {{- end }}
+ {{- if .Values.pilot.enabled }}
+ pilot:
+ image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }}
+ {{- end }}
+ telemetry:
+ enabled: {{ .Values.telemetry.enabled }}
+ v2:
+ enabled: {{ .Values.telemetry.v2.enabled }}
+ {{- if .Values.cni.enabled }}
+ cni:
+ image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }}
+ excludeNamespaces:
+ {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }}
+ logLevel: {{ .Values.cni.logLevel }}
+ {{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/requirements.yaml b/charts/rancher-istio/105.5.0+up1.24.0/requirements.yaml
new file mode 100644
index 0000000000..a73e982184
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/requirements.yaml
@@ -0,0 +1,9 @@
+dependencies:
+- condition: kiali.enabled
+ name: kiali
+ repository: file://./charts/kiali
+ version: 2.1.0
+- condition: tracing.enabled
+ name: tracing
+ repository: file://./charts/tracing
+ version: 1.63.0
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/samples/overlay-example.yaml b/charts/rancher-istio/105.5.0+up1.24.0/samples/overlay-example.yaml
new file mode 100644
index 0000000000..5cf3cf3b0b
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/samples/overlay-example.yaml
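Review bot: `hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}` reads a top-level `systemDefaultRegistry` value, while every explicit image in the same file (proxy, proxy_init, pilot, cni) goes through `template "system_default_registry"`, which reads `.Values.global.cattle.systemDefaultRegistry`; unless this chart's values.yaml (outside this chunk) deliberately sets both keys, an air-gapped install pulls the listed images from the private registry but lets istioctl resolve every other component from docker.io. Deriving `hub` from the same key — `hub: {{ .Values.global.cattle.systemDefaultRegistry | default "docker.io" }}` — keeps the two paths in step. The ingress gateway also hard-codes `nodePort: 31380`, `31390` and `31400`, which are only meaningful when `.Values.ingressGateways.type` is NodePort or LoadBalancer; a comment such as `# nodePorts apply only when ingressGateways.type is NodePort/LoadBalancer` next to the service block would spare readers a trip to values.yaml.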
@@ -0,0 +1,37 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ ingressGateways:
+ - enabled: true
+ name: ilb-gateway
+ namespace: user-ingressgateway-ns
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
+ - enabled: true
+ name: other-gateway
+ namespace: cattle-istio-system
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/_helpers.tpl b/charts/rancher-istio/105.5.0+up1.24.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..30b429a800
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "istio.namespace" -}}
+ {{- .Release.Namespace | default "istio-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/admin-role.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/admin-role.yaml
new file mode 100644
index 0000000000..ad1313c4f1
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/admin-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: istio-admin
+ namespace: {{ template "istio.namespace" . }}
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/base-config-map.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/base-config-map.yaml
new file mode 100644
index 0000000000..5323917bc3
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/base-config-map.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-base
+ namespace: {{ template "istio.namespace" . }}
+data:
+{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrole.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrole.yaml
new file mode 100644
index 0000000000..31163f9325
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrole.yaml
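Review bot: `namespace: {{ template "istio.namespace" . }}` in the istio-admin metadata has no effect — ClusterRole is cluster-scoped, so the field is ignored at the API server — and it misleads readers into thinking the aggregated role is confined to the Istio namespace; remove the line. The same stray namespace appears on istio-edit in edit-role.yaml and on the cluster-scoped PodSecurityPolicy objects in charts/tracing/templates/psp.yaml, istio-cni-psp.yaml, istio-install-psp.yaml and istio-psp.yaml. The `config.istio.io` rule also lists the Mixer-era resources (adapters, handlers, instances, templates, ...) that Istio 1.24 no longer ships CRDs for; a rule over absent resources is harmless but deserves either a comment such as `# legacy Mixer resources; kept for clusters that still carry the old CRDs` or removal.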
@@ -0,0 +1,143 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-installer
+rules:
+# istio groups
+- apiGroups:
+ - extensions.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - install.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - telemetry.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+# k8s groups
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions.apiextensions.k8s.io
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/finalizers
+ - ingresses
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - pods
+ - pods/exec
+ - pods/portforward
+ - persistentvolumeclaims
+ - secrets
+ - services
+ - serviceaccounts
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+{{- if and .Values.global.cattle.psp.enabled }}
+- 
apiGroups:
+ - policy
+ resourceNames:
+ - istio-installer
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrolebinding.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..9d74a04345
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-installer
+subjects:
+- kind: ServiceAccount
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: istio-installer
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/edit-role.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/edit-role.yaml
new file mode 100644
index 0000000000..d1059d58d7
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/edit-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-edit
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
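Review bot: The istio-installer ClusterRole grants `'*'` on clusterroles and clusterrolebindings plus `'*'` on secrets, serviceaccounts, pods/exec and pods/portforward in every namespace, which makes the istio-installer ServiceAccount equivalent to cluster-admin (it can bind itself to any role), and the Job in istio-install-job.yaml runs with those rights on every install and upgrade. Most of that is plausibly what istioctl needs for CRDs and webhooks, but `pods/exec` and `pods/portforward` are not obviously required by an install script — if run.sh (outside this diff) does not use them they should be dropped — and a header comment such as `# cluster-wide rights for istioctl; effectively cluster-admin, keep this SA confined to the installer Jobs` would make the blast radius explicit to reviewers. `customresourcedefinitions.apiextensions.k8s.io` in the apiextensions rule does not look like a valid RBAC resource name (resources are the bare plural; the group comes from apiGroups) and is redundant next to `customresourcedefinitions`. Style: the nodes rule quotes its verbs (`'get'`, `'list'`, `'watch'`) while every other rule leaves them bare, and `{{- if and .Values.global.cattle.psp.enabled }}` uses `and` with a single operand.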
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-cni-psp.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-cni-psp.yaml
new file mode 100644
index 0000000000..a71561e676
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-cni-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-job.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-job.yaml
new file mode 100644
index 0000000000..c2e362e684
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-job.yaml
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-installer
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 1
+ template:
+ spec:
+ {{- if .Values.installer.releaseMirror.enabled }}
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "github.com"
+ {{- end }}
+ containers:
+ - name: istioctl-installer
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ - name: FORCE_INSTALL
+ value: {{ .Values.forceInstall | default "false" | quote }}
+ - name: RELEASE_MIRROR_ENABLED
+ value: {{ .Values.installer.releaseMirror.enabled | quote }}
+ - name: SECONDS_SLEEP
+ value: {{ .Values.installer.debug.secondsSleep | quote}}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/run.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{- end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 499
+ runAsGroup: 487
+ restartPolicy: Never
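Review bot: `value: {{ .Release.Name }}` and `value: {{ template "istio.namespace" . }}` are emitted unquoted while the three values below them are piped through `quote`; an env `value` must be a string, so a release or namespace name that YAML reads as something else (all digits, for instance) makes the rendered Job invalid, and the same two lines recur in istio-uninstall-job.yaml. The pod securityContext sets `runAsUser: 499` / `runAsGroup: 487` but not `runAsNonRoot: true`, and the container has no securityContext of its own, so with PSP disabled (the chart default) nothing forbids privilege escalation or added capabilities for a pod that holds the cluster-admin-equivalent istio-installer ServiceAccount. The `hostAliases` entry that points `github.com` at `127.0.0.1` when `installer.releaseMirror.enabled` is set is an offline-mirror mechanism that is not obvious from the manifest; a comment such as `# with the release mirror enabled, github.com resolves locally so istioctl never leaves the pod` would help the next reader. The rewritten lines:

```yaml
        env:
          - name: RELEASE_NAME
            value: {{ .Release.Name | quote }}
          - name: ISTIO_NAMESPACE
            value: {{ include "istio.namespace" . | quote }}
          # … unchanged: FORCE_INSTALL, RELEASE_MIRROR_ENABLED, SECONDS_SLEEP …
        # … unchanged: command, args, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
      # … unchanged: volumes, serviceAccountName, nodeSelector, tolerations …
      securityContext:
        runAsNonRoot: true
        runAsUser: 499
        runAsGroup: 487
        seccompProfile:
          type: RuntimeDefault
      restartPolicy: Never
```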
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-psp.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-psp.yaml
new file mode 100644
index 0000000000..9da3391d40
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-install-psp.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'configMap'
+ - 'secret'
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-psp.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-psp.yaml
new file mode 100644
index 0000000000..cfada1bf7f
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-psp.yaml
@@ -0,0 +1,81 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-psp
+subjects:
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ - kind: ServiceAccount
+ name: istiod-service-account
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ - kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-uninstall-job.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-uninstall-job.yaml
new file mode 100644
index 0000000000..0091d0c176
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/istio-uninstall-job.yaml
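Review bot: The RoleBinding grants `use` on the istio-psp PodSecurityPolicy to the `default` ServiceAccount of the Istio namespace, which admits any pod created there without an explicit service account under this policy, not only the Istio components; if that is not intended, removing the final `- kind: ServiceAccount` / `name: default` subject keeps the binding least-privilege. Several other subjects (`istio-mixer-service-account`, `istio-sidecar-injector-service-account`, `istiocoredns-service-account`) appear to name components that current Istio no longer ships, so they are presumably carried over from an older chart and could be pruned at the same time — worth confirming against the service accounts the installer actually creates.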
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-uninstaller
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: istioctl-uninstaller
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{ end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{ end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ restartPolicy: OnFailure
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/overlay-config-map.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/overlay-config-map.yaml
new file mode 100644
index 0000000000..287d26b2c3
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/overlay-config-map.yaml
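Review bot: The uninstall pod runs as `runAsUser: 101` / `runAsGroup: 101` while the install job, using the same image, runs as `499`/`487`; unless the uninstall script needs a different identity, aligning the two avoids one of them running under a UID the image was not prepared for. The two `{{ end }}` closing the overlay blocks lack the `-` that the installer template uses, so the rendered manifest carries stray whitespace lines; `{{- end }}` matches the other file. With `restartPolicy: OnFailure` and no `backoffLimit`, a failing pre-delete script is retried by the job controller several times before the hook is reported failed, which deserves a comment if intentional.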
@@ -0,0 +1,9 @@
+{{- if .Values.overlayFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-overlay
+ namespace: {{ template "istio.namespace" . }}
+data:
+ overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
+{{- end }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/service-monitors.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/service-monitors.yaml
new file mode 100644
index 0000000000..c3d60c4fce
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/service-monitors.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.kiali.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: envoy-stats-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-proxies
+spec:
+ selector:
+ matchExpressions:
+ - {key: istio-prometheus-ignore, operator: DoesNotExist}
+ namespaceSelector:
+ any: true
+ jobLabel: envoy-stats
+ endpoints:
+ - path: /stats/prometheus
+ targetPort: 15090
+ interval: 15s
+ relabelings:
+ - sourceLabels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - action: labeldrop
+ regex: "__meta_kubernetes_pod_label_(.+)"
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: namespace
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: pod_name
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: istio-component-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-components
+spec:
+ jobLabel: istio
+ targetLabels: [app]
+ selector:
+ matchExpressions:
+ - {key: istio, operator: In, values: [pilot]}
+ namespaceSelector:
+ any: true
+ endpoints:
+ - port: http-monitoring
+ interval: 15s
+{{- end -}}
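Review bot: The two ServiceMonitor objects in service-monitors.yaml are gated only on `.Values.kiali.enabled` (default `true` in the values.yaml hunk), yet they need the `monitoring.coreos.com/v1` CRDs, so an install on a cluster without rancher-monitoring fails for a reason unrelated to Istio. Guarding the file with `{{- if and .Values.kiali.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}` — the same capability check validate-psp-install.yaml already uses — makes the dependency explicit and lets the rest of the chart install. A comment noting that `envoy-stats-monitor` scrapes port 15090 of every pod in every namespace (`namespaceSelector: any: true`) would also help operators who scope Prometheus access.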
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/serviceaccount.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..82b6cbb7e6
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/validate-psp-install.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..4b0e5cfb65
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/templates/view-role.yaml b/charts/rancher-istio/105.5.0+up1.24.0/templates/view-role.yaml
new file mode 100644
index 0000000000..5947d3eba9
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/templates/view-role.yaml
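Review bot: Every line of validate-psp-install.yaml starts with `#`, which makes the file read as disabled, yet Helm evaluates the `{{ }}` actions before the output is parsed as YAML, so the `fail` still fires when PSPs are enabled and the API is absent; a first line such as `# NOTE: the leading '#' only hides the rendered text, the template actions below still run` would stop the next maintainer from assuming the check is dead. The outer `lookup` guard means the check is skipped when rendering without cluster access (`helm template`), which is worth stating in the same comment. The file also lacks a trailing newline.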
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-view
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-istio/105.5.0+up1.24.0/values.yaml b/charts/rancher-istio/105.5.0+up1.24.0/values.yaml
new file mode 100644
index 0000000000..07aa9d3f8d
--- /dev/null
+++ b/charts/rancher-istio/105.5.0+up1.24.0/values.yaml
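Review bot: A ClusterRole is cluster-scoped, so the `namespace: {{ template "istio.namespace" . }}` line in its metadata carries no meaning and only suggests a scoping that does not exist; dropping it (and the same field on the two PodSecurityPolicy objects) keeps the manifests honest. The `config.istio.io` rule lists Mixer-era resources (`adapters`, `handlers`, `instances`, …) that, as far as I know, no longer exist as CRDs in Istio 1.24, so that rule currently grants nothing and could be trimmed — worth confirming against the CRDs the installer applies. The same layout presumably applies to the admin and edit roles, which are outside this chunk.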
@@ -0,0 +1,121 @@
+overlayFile: ""
+tag: 1.24.0
+##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install
+forceInstall: false
+
+installer:
+ repository: rancher/istio-installer
+ tag: 1.24.0-rancher1
+ ##releaseMirror are configurations for istio upgrades.
+ ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal
+ ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets.
+ releaseMirror:
+ enabled: false
+
+ ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging
+ debug:
+ secondsSleep: 0
+
+##Native support for dns added in 1.8
+dns:
+ enabled: false
+
+base:
+ enabled: true
+
+cni:
+ enabled: false
+ repository: rancher/mirrored-istio-install-cni
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.24.0
+ tag: 1.24.0-distroless
+ logLevel: info
+ excludeNamespaces:
+ - istio-system
+ - kube-system
+
+egressGateways:
+ enabled: false
+ type: NodePort
+ hpaSpec: {}
+ podDisruptionBudget: {}
+
+ingressGateways:
+ enabled: true
+ type: NodePort
+ hpaSpec: {}
+ podDisruptionBudget: {}
+
+istiodRemote:
+ enabled: false
+
+pilot:
+ enabled: true
+ repository: rancher/mirrored-istio-pilot
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.24.0
+ tag: 1.24.0-distroless
+ hpaSpec: {}
+ podDisruptionBudget: {}
+
+telemetry:
+ enabled: true
+ v2:
+ enabled: true
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ proxy:
+ repository: rancher/mirrored-istio-proxyv2
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.24.0
+ tag: 1.24.0-distroless
+ proxy_init:
+ repository: rancher/mirrored-istio-proxyv2
+# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
+# the distroless tag:
+# tag: 1.24.0
+ tag: 1.24.0-distroless
+ defaultPodDisruptionBudget:
+ enabled: true
+
+# Kiali subchart from rancher-kiali-server
+kiali:
+ enabled: true
+ # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/
+ auth:
+ strategy: token
+ server:
+ web_root: /
+ deployment:
+ ingress_enabled: false
+ external_services:
+ prometheus:
+ custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
+ url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
+ tracing:
+ in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger"
+ use_grpc: false
+ grafana:
+ in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
+ url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
+
+tracing:
+ enabled: false
+ contextPath: "/jaeger"
+ zipkinAddress: zipkin.istio-system.svc:9411
+
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
diff --git a/index.yaml b/index.yaml
index 7b0ea40b6b..2ba0f02923 100755
--- a/index.yaml
+++ b/index.yaml
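Review bot: `kiali.external_services.tracing.in_cluster_url` and `tracing.zipkinAddress` hard-code the `istio-system` namespace, while every template on this page derives the namespace from the `istio.namespace` helper; an install into another namespace would leave Kiali pointing at a tracing service that does not exist. If the namespace is effectively fixed (the index entry pins `catalog.cattle.io/namespace: istio-system`), a comment above `tracing:` saying so saves the reader the question; otherwise these two values should be derived from the same helper. Minor: `perfom` in the releaseMirror comment should read `perform`.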
@@ -13315,6 +13315,43 @@ entries: - assets/rancher-gke-operator-crd/rancher-gke-operator-crd-101.0.0+up1.1.5.tgz version: 101.0.0+up1.1.5 rancher-istio: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 + apiVersion: v1 + appVersion: 1.23.2 + created: "2024-11-21T22:58:08.242795086Z" + dependencies: + - condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 2.1.0 + - condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.63.0 + description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. + digest: b12a91eaebbc413b074e168b1bad21feee0e9a4ae4f8b0592be84d28fa15b763 + icon: https://charts.rancher.io/assets/logos/istio.svg + keywords: + - networking + - infrastructure + name: rancher-istio + urls: + - assets/rancher-istio/rancher-istio-105.5.0+up1.24.0.tgz + version: 105.5.0+up1.24.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Istio diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml index cb4c3fe75c..a73e982184 100644 --- a/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml +++ b/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml 
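Review bot: The new index entry is versioned `105.5.0+up1.24.0` and the values.yaml hunk pins every image tag to `1.24.0`, but `appVersion` and `catalog.cattle.io/upstream-version` both say `1.23.2`; since index.yaml is presumably regenerated from the packaged Chart.yaml, the mismatch originates there and should be fixed at the source (`appVersion: 1.24.0`, `catalog.cattle.io/upstream-version: 1.24.0`) before the asset is re-indexed. The `created` timestamp and `digest` of this entry will change with that regeneration, so they should not be hand-edited.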
@@ -2,8 +2,8 @@ dependencies: - condition: kiali.enabled name: kiali repository: file://./charts/kiali - version: 1.89.3 + version: 2.1.0 - condition: tracing.enabled name: tracing repository: file://./charts/tracing - version: 1.60.0 + version: 1.63.0 diff --git a/release.yaml b/release.yaml index 6fdf265e89..e3e7d62446 100644 --- a/release.yaml +++ b/release.yaml @@ -15,6 +15,8 @@ rancher-cis-benchmark-crd: - 105.0.0+up7.0.0 rancher-csp-adapter: - 105.0.0+up5.0.1 +rancher-istio: + - 105.5.0+up1.24.0 rancher-logging: - 105.1.0-rc.1+up4.10.0 rancher-logging-crd: