From e905ed72e16cfd21fdb43b1ff5cc070745d30881 Mon Sep 17 00:00:00 2001
From: Diogo Souza
Date: Mon, 24 Feb 2025 20:18:06 -0300
Subject: [PATCH 01/10] update istio 1.22

---
 packages/rancher-istio/1.22/rancher-istio/charts/Chart.yaml | 2 +-
 packages/rancher-istio/1.22/rancher-istio/package.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/rancher-istio/1.22/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.22/rancher-istio/charts/Chart.yaml
index f7e9bfdce3..7fe0c3aec8 100644
--- a/packages/rancher-istio/1.22/rancher-istio/charts/Chart.yaml
+++ b/packages/rancher-istio/1.22/rancher-istio/charts/Chart.yaml
@@ -5,7 +5,7 @@ annotations:
   catalog.cattle.io/namespace: istio-system
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux,windows
-  catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+  catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
   catalog.cattle.io/release-name: rancher-istio
   catalog.cattle.io/requests-cpu: 710m
   catalog.cattle.io/requests-memory: 2314Mi
diff --git a/packages/rancher-istio/1.22/rancher-istio/package.yaml b/packages/rancher-istio/1.22/rancher-istio/package.yaml
index a7f66fc3ec..70caa23398 100644
--- a/packages/rancher-istio/1.22/rancher-istio/package.yaml
+++ b/packages/rancher-istio/1.22/rancher-istio/package.yaml
@@ -1,2 +1,2 @@
 url: local
-version: 105.3.0+up1.22.1
+version: 106.0.0+up1.22.1

From 2270645eb06109a1551e8d6eade37ae6d78a9a8a Mon Sep 17 00:00:00 2001
From: Diogo Souza Date: Mon, 24 Feb 2025 20:29:47 -0300 Subject: [PATCH 02/10] make charts --- .../rancher-istio-106.0.0+up1.22.1.tgz | Bin 0 -> 20770 bytes .../rancher-istio/106.0.0+up1.22.1/Chart.yaml | 24 ++ .../rancher-istio/106.0.0+up1.22.1/README.md | 79 ++++++ .../106.0.0+up1.22.1/app-readme.md | 65 +++++ .../106.0.0+up1.22.1/charts/kiali/Chart.yaml | 28 +++ .../charts/kiali/templates/NOTES.txt | 5 + .../charts/kiali/templates/_helpers.tpl | 222 ++++++++++++++++ .../charts/kiali/templates/cabundle.yaml | 13 + .../charts/kiali/templates/configmap.yaml | 30 +++ .../charts/kiali/templates/deployment.yaml | 238 ++++++++++++++++++ .../charts/kiali/templates/hpa.yaml | 17 ++ .../charts/kiali/templates/ingress.yaml | 62 +++++ .../charts/kiali/templates/oauth.yaml | 25 ++ .../charts/kiali/templates/psp.yaml | 67 +++++ .../kiali/templates/role-controlplane.yaml | 23 ++ .../charts/kiali/templates/role-viewer.yaml | 96 +++++++ .../charts/kiali/templates/role.yaml | 103 ++++++++ .../templates/rolebinding-controlplane.yaml | 17 ++ .../charts/kiali/templates/rolebinding.yaml | 24 ++ .../charts/kiali/templates/route.yaml | 34 +++ .../charts/kiali/templates/service.yaml | 51 ++++ .../kiali/templates/serviceaccount.yaml | 9 + .../kiali/templates/validate-psp-install.yaml | 7 + .../kiali/templates/web-root-configmap.yaml | 12 + .../106.0.0+up1.22.1/charts/kiali/values.yaml | 136 ++++++++++ .../charts/tracing/.helmignore | 23 ++ .../charts/tracing/Chart.yaml | 12 + .../106.0.0+up1.22.1/charts/tracing/README.md | 5 + .../charts/tracing/templates/_affinity.tpl | 92 +++++++ .../charts/tracing/templates/_helpers.tpl | 47 ++++ .../charts/tracing/templates/deployment.yaml | 94 +++++++ .../charts/tracing/templates/psp.yaml | 76 ++++++ .../charts/tracing/templates/pvc.yaml | 16 ++ .../charts/tracing/templates/service.yaml | 70 ++++++ .../tracing/templates/serviceaccount.yaml | 9 + .../templates/validate-psp-install.yaml | 7 + .../charts/tracing/values.yaml | 53 ++++ 
.../106.0.0+up1.22.1/configs/istio-base.yaml | 140 +++++++++++ .../106.0.0+up1.22.1/requirements.yaml | 9 + .../samples/overlay-example.yaml | 37 +++ .../106.0.0+up1.22.1/templates/_helpers.tpl | 27 ++ .../templates/admin-role.yaml | 43 ++++ .../templates/base-config-map.yaml | 7 + .../templates/clusterrole.yaml | 143 +++++++++++ .../templates/clusterrolebinding.yaml | 12 + .../106.0.0+up1.22.1/templates/edit-role.yaml | 43 ++++ .../templates/istio-cni-psp.yaml | 51 ++++ .../templates/istio-install-job.yaml | 66 +++++ .../templates/istio-install-psp.yaml | 30 +++ .../106.0.0+up1.22.1/templates/istio-psp.yaml | 81 ++++++ .../templates/istio-uninstall-job.yaml | 53 ++++ .../templates/overlay-config-map.yaml | 9 + .../templates/service-monitors.yaml | 51 ++++ .../templates/serviceaccount.yaml | 5 + .../templates/validate-psp-install.yaml | 7 + .../106.0.0+up1.22.1/templates/view-role.yaml | 41 +++ .../106.0.0+up1.22.1/values.yaml | 120 +++++++++ index.yaml | 37 +++ 58 files changed, 2903 insertions(+) create mode 100644 assets/rancher-istio/rancher-istio-106.0.0+up1.22.1.tgz create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/Chart.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/README.md create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/app-readme.md create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/Chart.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/NOTES.txt create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/cabundle.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/configmap.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/deployment.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/hpa.yaml create mode 100644 
charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/ingress.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/oauth.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/psp.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-controlplane.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-viewer.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/route.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/service.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/web-root-configmap.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/values.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/.helmignore create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/Chart.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/README.md create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_affinity.tpl create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/deployment.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/psp.yaml create mode 100644 
charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/pvc.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/service.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/values.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/configs/istio-base.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/requirements.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/samples/overlay-example.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/admin-role.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/base-config-map.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrole.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/edit-role.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/istio-cni-psp.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-job.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-psp.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/istio-psp.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/istio-uninstall-job.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/overlay-config-map.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/service-monitors.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/serviceaccount.yaml create mode 100644 
charts/rancher-istio/106.0.0+up1.22.1/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/templates/view-role.yaml create mode 100644 charts/rancher-istio/106.0.0+up1.22.1/values.yaml 
diff --git a/assets/rancher-istio/rancher-istio-106.0.0+up1.22.1.tgz b/assets/rancher-istio/rancher-istio-106.0.0+up1.22.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..dd09d670fb3bbb1b9c85e850175481b208107551 GIT binary patch literal 20770 zcmV)qK$^cFiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ_d*e2;C^|p$ufV0}+;00=)Z(pM_hjDjbbB(M^x|hb$(xfe zpBf?|2{A=50BBq3^!wZIhXO!?n-Bnv`}^>3uh*;o+dnus{7ZlT=-_D3>+S9B|E1U8J383^3+g>45^YZ= zB<6qVJ-DrE=YA&-P7)@uq%09b51|lC9J6TcDf?lVG{tNYky}tVMSz}cNTBJB6Lj=^? z5ep&7ys<13Lln~_yKVfM5@Q!3GZY-A3 zPRQmdOGqNk5I2`gh2#X!ivj5egF(>ua7w?kuddb4^t(!lh=`EWRKmMsG{%C4nplt^ zGE0%1VTouWB#vW&Zm66gIU^dGP{si|ClkVvWN0R3Du&%Id{St|SP~(-9zqkwQA8xB zu?RdGsRpk=4dam*dL5JydBgY>O{QK4(PYB0 zkUR@z#);Q7t;M+X4uf9M`_C*j{r}Rdz5bN>|22*?A|87KSi%1f5BpXAzdz`2`2UkU z?3(ZxFaAMeGDN=bNj%M0>(?z0+QfytTxPIphBDp!^Tw4)Q@qNL@|jFO%R>qDG_MG*}M&XRVyWY!sZAk77Nrt zaz+JG|BDEY0VjnkrhJN1%~M5ymZGU3!9;vyy_Rj_%MAdCe34B33Hi06a; z`Co3?zljg3IF4g>gCw03^^4q+5Ya>tP-P5L7MaaqoK2^SpCkRZ#?Xa4L_N>j+Ioj2 zy(UOxY09|Nl@oz*6zQ4k2QR!xi%!-4jj1Gn1!|;))Q|d@3OsKbo zPA6*lpc^V?s@IaUY#b9YV@&ETbr-&eI6>lu!dx-L$ux^Gw-h&Cpe#`XOcEdvH5U`6 zMiYMFDJnh2$(ILcoerZylylUS>sE522V%-;iq(57j2BWD9Z|##uz( zS-}p*u~U`qItYYD^V=g+PK5XxOLBu3O(Tzx7I@yVh@3GlJ%nZ{zDP+pL?1tSNRh#7 zDtHER$ltSQN+f*oXwnWFX72%@RiC1BGG~%BQAL{^p< zDOl7ne4w{Eku#DByZpjTNH!m-MNdO9%6L3PzUtDjo1e$$EKxK`lWC^_V9u%TN4@3) zaUBj{_FndU)5PP$lpKdNnc6%;bPzu#A~8tlp_#$ys|iCu|%SO_{z6ltmw=VVgo0+dw26C#Pomq#WD?@Tiqk#52w z(h(#kpX0OYze{cCLL*ak#Esxq)S?p_%0_`NuaF0S9dyMftb@4*~uKs%c;>V%Jke#zdWS z^=pT9D1LLp_*KksBv8n*SQSMgoRKIqCww_$g18X9+C;*~4)8q(xb9O2T@fWGyBc=I zqCsIeGQojqA|ZAvUQ;eJbzacN#{9kA_FMqE(|M6+JI~tsDM*-cDi^B> z!lmSt#WZxWO$p)UqqH+S`kuDwa|51Fzy90!{}>C>(aWVX$LWJMfff9}H#n^F|D(gb z!wvs`il=gCZ#X>6`&*or_`A!T^E;J}B9uFGX$?{pOk?ys_y>)N2)>Tl82Os!M0dyE z4vvM!1O@01>s7Ym4rqlFg@SN5;?g#3xAA<>)GunF%KPkt!PVu(dx0?{@?bd4a@oB= z!CXHSNR#|@FF^SP-(4YXp{p07m9W$iLMXyA3L}@M>kZ5^i6u>@H)K3x?5b=60wu0- zOrxb`R?=rm9cpjGMBjecm!KG-&_d8se@T_KkV-{mA=Yt_!NsY!TxW(N? 
z5He1f2tqcmw_pw+rgR1Hlt?`noM1`nZNR}{Q3sl`D9W!L$8hbq4$7_Ux`CjI-P}1+ zmfoA$DgEV?U4;zXpjTUk)iKAGx{@em)DjH2&S@u?4uu_#;*T!5C1LR^Wn4}ezrj4x zFV)^9BuV5oi?cZiV@&75GAEuBS#fU6f8a1=S+dqh*EvEqDk=iyx@$S(+Pu|C%`$E080+*u6C_utZUpT={!0;kdwD@CP@CJI&F#Zl zv($L1aujv<34IFfUiZgDV!Jb(vFO4qsxy5`tqX^#NIN-k-I?br=BHqR$Ilt3*EA+m zaw0+;W9?OH%&R9ti*#mzDeg2x=UH+rjuUlwo-rZcX+~GLTBy(83TxxsP)m?EG|6t; zzh`M06EMP#%j~9BRO>4WMJl(-qx|j-_~<;9i`SGJ^_BoDS??a3wkz5{_M|vs_d24q z70ydic^QM^#Gv}!a%L#+|Ek(O$K~+{M2jJJQr%Qrd?Lloa{g~U&VFL!2kZf>?*I1o z`qlIQV1IM}|0IvQT*gX1ESAQ<*tqR*AIkUv$8>}$Q6~`cXC$5nV%D88cIB(>MM&Gi zF8nYqul3TM8$zcu=?{_LIq)04gPRcP=*8y`(U?paCmr|(s(Q+jUHB!kFeD@*QNGWN zad^chlQ(p(4l3ZwW;$oQWK22rRJPK5e1c}TTNnuSD7JnaQ!HGWlcq!D_XkHoFX#n* z>yV)fCzfm2!oK#(4MH~e9b^nE&@V!kNK6yLOEs6wseQmDt1_>x_SkBEKYnZ+1M5PD zK7ATC7Lj;bpo_rk>U!w>wAh}Xyg50(I2pY=etY74&W({3aM$p>4Aeq7y|_Gm4=^sy zj$gF_T20DTxc_*6{_13O`tIWL_|2O(^i1Df$9C5;9z0`w^eY_rTJX1{@b>il{Qddp zfEo!tI?bt0ZSYsHDfV$qG<&x{L z)c#VlvAc}U%CWf<0tSlL+J8}!H{Z4Bj-i3FU)V=P6Yy(q@ns0muP8CrY%fsVfyD)< zKO@QhjpuQ5iQF%;!dsd$MGaCDRtbJr)RIqFV0S1JE2#~dLON-dGKKc<}3 z={#Ga|EYr1Mj;$0Q&;8(UzmQ*?B@7(hz<`9_71B0tcQc+1V`_ac%eE5*4H4=7ei9o z{5$AbzP0A&ELvstY-23)`+k=5|A*`T|FW9@?+t44KMxQ0HufJ+^4ypIKUn3Q6WA9~ zHy5qnL)EM!P?_7zjyWfEa9(;%Fvc$S!EomEmhk&mx31Y8HF^-nXYIPt{aZD6yd9eS z1jm?rLkbxuQ6lbB-{@N&@!H@4M17Ad1GlyNTo+XP{Xm)SKHXk@pJyeK3FBiLMI^ac zh)~8Qr-15ZUr7)GQOK2ja)HQ|kF-dYOH?qTI;!Do&eB&n#bX*%N$mh@WL-QAVhAg}LP3GUZGyauQYVIwN+I++ZFZpPg2$xxWL@uVPH+8wvAs zKFj65EP0F@z*X|!Ue*6^&^zpJ?*E?Tx&QrNP8*-;29OhTbN2{Wel53q?RR-=-IkR{ zz&@M%vbFBZ9^t|#AO8_FHnK6{Hg`bxz61J`Ujc1yfPRZNK>c37@dl`PU%3H#pZo*U zIOAj^Fs^#q*!u*CK~4LWu3u(2 zF52ZtF`L8V@~3V6TXmZCbbrV-z>4)h*zeWOe}n!e{@;^4mG!Tqg}3PZ8)GCC=S8Du zeXC0~Fb8l7>IjLYuyl2glcVcqR$!DXAvwFHMC3<2D|DIi>V$i8n{onSLGt^}j}YB7 zhhXAoa{Q$OJ6f0-Z6P{ONIR8B7ae82Pcc%tKcU#expz>^&jG3n{Wt5W2>ck z_}VRS0B{oXDUoN4%OUC?^j`MhElnih*Em-1bU997aA-2kd#1I*Z}gaL_K=C_n9vQpV*-b;_QgaH!R=SA?Xwur(#OL-Z`z>F6FQZ0)_UEf0u9oK-6M%?Lp0 z(evOxxBYeT&PTqADJN-+LwhLDLuV!+uXC5dX&Q|sZP+R`?fOGkk8uvL8QMPE3d&n3 
z7EwXMHY=RdWi@g*O@F-4Vsn?)X|k&o2?`*jH2HDO6;@qIuuf)DrcOlqh85#RApX*9 z_=`O&_J4Dm_An!WRq}uTXi)Y4JL+%l|DWV(l<+GzrYo?Kwn`ad|T$^SVMnYs0VxL)?I9hY~h4S^gM9y*@NS=Q^T4>@J}p|U$#%^)+`hJ?Hu9+(-`@eGh!r_ zJl#UXh=9gs*d(s3fkDS-r@1{vfX?7%1VvORq|w>MnaR6E1=87{v_lz6ISUDaP)U9< z5JvgX^7ogX{`U1x$<33+f7!3w{|z?!zbARVZ2T8RWsem9MS>RRr8k1WSxl%39`JNXj zhBtDi0X-LlG`-jP(sU|D_rrF8E=`K`G0|DrRqIZGY?Kh4B5h0%zQ!~LF`p)g@yO&| z=PV^WUZ8PC7Iz>4 z9G6*(Wf}!_}B=JE*VDUu)8FmOda8pbMIWHovi2!kH4c zA@e>=yWX=(r}14x^{R_l>6|Y}c}ndT7VYZsv!I-%1F0D&n8tz4)ofs%)x75FZEKsPgzxP8-2sSaZVMyXOJQyX2VflGog`S;uJ&ab*QrC%iu#Ang zfeP-Rwr@3f0)22&E*F1Zq$CXVP3*hsU63e-n1(YnCs=hbj-8P5dKMuaCdVm>(0JjF z>Ud$@fXqgryD0Lc+pyRq$CC*Scacd*4Xba;aXPb1-<%Un9t2IIdTkV_s3Bk|rgJJa zHjvDmf#ETo(9kJr$mt#fqR!GE06!c>h$Terh*bf?&03*3Qa-PcXq+XICK<_@&8q&x z)aPB#MSHNO^0471*78>g{0gcKRQ|61A|tOGA_}lPtc@7Uty*>j!^tmGawxVNuvnV z^})sE!>;~aYW2e|4AzI1CO@DtQ8R8vpp78%?W}=F@(D1LvwZYTV)REEdYfi_&2hKI zpK8#X+I!3qH%nmoh?@lSdc*;(+!)!cASccIhsvCkrN_1zvVhi{23y7si^cg&Plr3< z4Jh7o!Wt)N879jn%Ai%ul6_H{A|qW}fz|vfORTCQ(ITs1_YoCFsT!d<4LQqa(yK@` zR2Y$+3L|jAnLmy@H0h}Q&9qn+-9R3o`l{#W499drjrg8&7G+?^QwZ!o7#N1s3Z2Kz z%}wwVe6w>zSvO*#==Os_zdI#T(q!5J>vIxyw^78x3_LEa3L_$t@HtJ0#mPkzwlpQ5 zz!@~(NedL=g9tvK0bi$byjfNEVx0=$#zkyPh^}-w315WbPxVB z#|zDV)E9!I!1MmW)Q${FmI>o?bAC+FObrw(RFVYCjFa603B|mAQ0%c7FT-HK*bx|~ zdC|Qd1h-w1XyQ`84!YZVL-`g$y_&<(H-%E_x*rS<{?qd=)Bx*!sP=gm{h&@2_C_C_ znHw61EbpmA3^btxw5(X78w~mi7E+vRFjd*Ji!v+>DWM@I zNcT>IA1>=`9c!)qu|ro5eCf2xE5cLg)=?4lZ=B@2Qai9 zF6aZaK*FR}a6UH(TdlG>3Y5CAi--(^?LduGK33f7x2HrRA+zu**U|xIIsXb-qLv7t zXm=vDCLMN@4+g+3_1NV23q0@JlqHJxfG;c~WXW_$kzGA1hWg{!YU%6bmFqQ>3@R1H z&u}~`mcAL;f@!+~xCe-dW5;K;?5gHTN zigMjv>r71SZV(ZPXkOnT6LAC@uFPdLgFOCJTfEg+!{Aoo)el|TkvHZMS3T2m~Jjy84O@{ zOl$;TAqm2HL!@ZPbXRI37a1wKS%e?YcX#`*zJ~4Y^QPoyoZY;EaBl z5q`Jf+}rOBw#)a*#mxe&vRCg;QSQotti>fu(D^@4-k=x3KDsyo2k`ux z)eN!(L4^3JmWf#`P)x4~`Y^^~rrHWK9vd0M%3(KD%(PaCW#gELnOg0q#dUdz6C`e^ z3}^bXdYZ+UTO7s^_K(yRz%0?lKN&rXeOZmga^lnu~w7y(+k=fDY#Bq8Z)233d& zC2;nr<9TMN7554=&PgH_yUmiMW}<-p>nqd`j)Ge~_|}?YPN!Unph})1x2hxz_>xgj 
zr-l{1bnHajgOrviZe@9|uV@l&kEGfwWdVZ}KsC+^s8+*ibMRaeG{zWoI#Y5T(Uuef z2|A~Wz$DY^Vq=FfVObKPLooJW6O<)}97xngObe*4{*Ov9`s-CjP!s<1iY034p|cn# zB#$D9QWh0q1NEzp9jzg{4Q_+m!ayEuI-Co*+;9WRISs*0VJ_L3F;vpHB&m`^l&p~- zh$LUwjj$Mg77~$Puf5GD;k>ZEd|QEPuG94R*ptN%njXh7n?eGab~#KH=?;2>e%Fv` z2gcNrzp*$jAo<&Y=l$ET7EnDI9f%<42dniVskjp_-#>i$atnTFky3VE4*D-&9=z-y zA>RS&Zh-k97HwJ(F1jiEA_wo)%<^ldq*4n z?~^>P?Z0*N%2$hJHOBBCb~h_R=gz@}zpyrvR#aonrH%MjN(}>4RY`&rCUjYqFroFd zNmnnNz*G+iz|xsW-k=hO& ztQtPAfngKSHL=|g{KE;}gx_9=;wwd$lYBX>_ez?t!oC~Px7EHM)mNcC4%x2*bwl@0 zM)#`XDwM4&+>Pgz>)emiX&8^g-`ZhqxY`qOwOKYU z(V;e@c&(Mu=O)^+n_)9z;T7QlWxfWGayFr{lM_NMqiG3d9&VYFYpM@S&R6?V7nu_= z(+0?z?hRD;RgEOAIZ18xm=6VS{)MJjG;w(~jv}?imhm<4bm?PVVhI(3e)nxD)JqM= zC}|LWkckcb_T=(-^!nY!=+*Jr<+tZ2j$?PNK@;c+K21v!7-~8>I0wBIhYN({A|=bt zE9!fJe3Q)9+*+et*U(&5+;Q8}_tK?~zPqE(dp=bKmJf+IZf?o}Vtdf>QmInhad9frd{wJO;uK7<8HNVGk(aBYv`@RtUo(L zTftS5n9Pafi)DgAUZ~#n>%sETEUI1)s5*I58}p@I zl71?C9N=6nUk$*mYsYN*hFp`lrW>;#8fIvf{;#b6<&G=#V`zT$vnu}6-k=))?O=bf zztR6b#pC)!4n2sGqW!3bsN~C-M_YlnAO+dgFoc`aVYeG-pK{T)W%8?~e(>Tj=#{}& zXW!6`%WZIcK6ciykus|XkcO0jk zJh)7htJM%qtOfrwp?B@To3Z>#q->s~7rPeOX{h>GxNhA9x}e&H!5TJ^)jDdNjfG$r z3qhplDk!2GvndP2_0+o}iyOuxI9}-Z@f~xDaAOUskI95%A$btii|$x-J@+7!Z%dt3W3#G2o=ACF$r*{~diI1@ zJso|K^}mGwJI1jOYhwlfKkE1TRsMf)u!;ZoB+nLlHp$}H4fgO1>6lGm0&T-uJ=0!L z;0R*f{~^!Cv%+t5D`!|Ni5I9aSyfDJjKixN%p*82U`aJY1dC@Ip~vyw!)THzCQ#V& zZlTjj3$6*1$OoGB0p2oPg)O=3Z6P@$$+FUbn8a63R4>FDv4C$1$@fZJzM+Ebwjiqm z_e5(T3f@^>70A$bz;njC6rapj`;wT^iS)sY8VSj(t1->DH(#onhRxlr9xGsv{NHKGz_={C3s2sS4y zA<#XM`z)ssmIfyWVadEL6lwpcU4+ruxkgVld_&@p%}LWK5 zW4ss{`2@1n=i;N)7eW*X+EIhzA*4isQEMS}+EKC)l`$EDufuECeckhPUROu-^L@0H z-{Mk%ZWNw{P?ifyo~I}uGRUPQq0tb1{A7N>$}qp}%Ft74T!hSBE6yZ~h$NvL88=gX zj;kM)W1Snv&-*sdVo6Py?5}dUS^pM8^uv#ySFC&m)vRQgC5R6u^h(qngE?{h76c)? 
zXq?&4Hn5gS*8!ebDdEPSQkWWuTob;KGYBT7TFjmNL*p!<$WS+HDXj(?JZn_zHUxmi zAlC^YL+ErIlVaLTL~eg)M~#C+P)1N5nY4b87kUDLIn8BK!qlqxXfC{1`dZ@h&zUr})3=4lksDG}1puo^&L%<$mg&Re22rJui!^#z?zlL^yr)xI}^paVsnL9ch%>GeCk!Dato*xMiW4*sWi zH0<>Z>44Uqj}&tnBEJu@@mWMhqOcJHs})!URf5kGs^u>@Wt_^zs5DHzCYP9oSPW6$ zt10QK>N!x%`TgG9&xdXfgytXazoljffO!q81^QpZcTGvPp|y@oBja#snX};z^&Z+U zT3ZG^DVZk$p&H5@8Sdfbg17>nR|`%yEVxh}b+u(P zfep_LzY+~fTc79Ah$K>RM?DT(A>k6-QDGBFIlab`jIPMSyfmVV3Dh#0#8_trRP~g| zf+Z0nC&*W4c!+-R zzd1eb@AdlrkDeE^DNRO_T@f&M5_Fo-WIBQba%w!Z5@+aHMeLy0gPhP?uv*}q+Vx!( zjLA)><5<>A7991rhWJuvTePy8mHl36*HvM~G?1q7oaGLXW8BL2`}>Dwud@A@dk6b_y}f}}lF8U;(i@HB z%yL2nX1Z`H(%N7Fy?^Ng?B;pUvqb+>Bm;W){_^A^khk)FZLG5Y*x%o;=KtyqHvWH4 z@_erkxe&%k&HDc;&IL}mmpsHZX;7y^jLPCDLOA;2<3|+e>!agbp^iR%`mu;iQmC|P z;spJLn&(<=ALRB>swzZ%D>OwoS|Gu|$@{rFz7F;I^(&`oRbAEGMF!wkHR$@YLC~%1 z;Jp2ZwkTO^{f}lOP6-!*Odmi0U;pr6zn1_1XtVyG=K1)syMwOjdt%>aXT% zSi%_@qMh!iPoAfWd9NT*h!f>ylEv}D39p(*)K&{R@V+NXo=QTfB+=m>DBX%g96~W3 zCwQ8wrNgu7PPo-2J4dcN(Q1&39Yth z)43v!b&y*K9HlD95vpom1Bi`ib=jh<%!bqh)f!eot@VE6OtvFHg)X)0DLkuycC{(S z4HaZ*KLQV??BmCd&T>M`Nz2@L1{SW)QD`h^pW`G#&&kh)rGFce=GeB4o+l(PUF)wclG>bKQl;IdX!mxANtsxgJ4 z#ek-qCUS!O{}7%35PoSts_ZYn+Hfz(|4$$JBj4?e`jgHtvdM(rBERD|cIgz3gcAs$ zG9!f!Vin5PX1Kt*VVt$nBglc~Wy_j>xw6i&opyR!(iS+LLUl3bS4hK03^GAE7T?pfq61V#o$*39WJMaQ zu5GN8VlF#uQYc<(^O(DXtu>R?QMRPuU6dSNbny0Z~R6$X#7)(_$ z&sK}mROrOCuk!+alO&n9yA3ew!{izVxXdw!bt=9!fomLOwi{ttHU+cvd`cvG{@kq; zSmmQx7TeH~79jq%LomhgRaoW9H|67(@h>IkD+8H29KVhvtn)i{Bp z!zt}RcD1yWt#1cQ3fA`!j+5v(PG|UCHb?!#`}O{Yj6o~6s=MYNt21isW~B@&P*nuy zY{b=qe%If2{XE*rwv8ay%a-PThQ&8z zQ8)@(jC`kfjm+yXKj&QN?x?1^G8RFo_TBc`dDM9^+H1v6KKJxg73J&AQoUCDWL3*P z;hX_u{k(HllEmSH&U*1c)JL5_QRWk+znM2{&sKXQ%ciSd3;B7qsU*yTsUPjjK&SEQl?>T)C)A6^_p~lcj$h}-pS@FD2;&+5`zy~ z%|i8{Bs|w{>Mn$;+6-))jbl?PQQqmR=k9V*2PJjjW->2Vu}RwAE)x-rk^gU&p@>GH zeK3fZtUG9fjo0%|M-Zc|D4>581i^NIzNgY8$k6GNcCC&@qgWaIQW*IFolwxOKu}#pAp0cC&?__$&Z5q>% z%6NgywJ9syQY(VBX>7HC#sh((W(5n-9qgEz#tg<)j>#E$t?(IsrSYn- zn8FG*sGFdc!&?AE{ROmem+TE=SN~ufbYq-M$?ZiNQ;Gbq{59cg&E#OaxdFu~N{vh? 
z7qSJ1MhJjJ2}F!nL*O`>67*NPYYUc?f1vlffcK3$Ki}UDs3dby*|4?n1^+Rp2m?LW z%OT(BtG8Q=7}Z_-Fl}#xfCuWoyH`ff+edG^kowF(o4K`m)mn3j(fk!v@?mHl0muAq z*)TZ897||}kndvJfa_PNadei$Y>l2{8n8?4E0AjPpQVPEj!;deY?d-|$iE`V{v~t_ zu#fA9VELlYTKE4U)`{2e=?k{X{^wx7;{P@1_x3jNU!LT7==rD9>6CqFZLo;k5yhK3 zG3E5_O6$#?d*$=#Q^(SsR|+}MW+LPnPYh$#2|a6UCC={!i!e+38UU_(?c1EWV4+1x3^cd|LG4l@t>aN`JC(b>6UFpgm%=r zjh;a*YyD$AI@?M}ji{KVZwF1+)CtAWuX$759rTt7iCB&}q$Q{GG+vZ_`A`Q5$!Usg zdRjQgXfH!fbdp%irOxT;)`P=JA#u%>P{`&q*Hao%vc7E_Y(2`Tzo5ICrK;_r!+E zY@xFp=?gZ`9U*IjriOG%5_Lo-k;Z#&9A2e5$?Hp=5XZYZ2c#X#c05fqPge)@yqU&p z<${u8x7>SB!uf^fxdmoLKfMZKvCAPpj44Uvh(;src-Gp6v+$RIcc-gl!u3G7jW?-n zBiwLDyB_TN{okr4>NS?NJzN zV@PL&z`~gB_aFt<1UlbZn9dlx@`sSh&8Dr~)xS&4N;rEKSX|K-_N5R79O+B z7M}LI#whpK)lP?4hO;+LFPHVRZp2#j_s~GM(F=^fC?o*=76M)59=Q1SBI8q{9emB3 zZxeitX^h8l{$6|1p1UACl*dWVeI`q>;qOWXd8h;@Al}{P`9)QU*evrG4$#%|?b5wd zXGwb{C1Z`;z-@9y!Yh%@yLn)NVtk&%1sD2jaB0Rh_&XNl3@a(Fa>n+zq2oFPfXL=c zI&Q|RR#IZjC>RDZRQc7=8GD=cdha-KT&%cTKyE^?P316DB0 zvGM)(nL$OE5y#;gP1&vuey|P+)eem7(oysIa2YXK?&4^iOvsIQ_gG|0x>b(^fSgeN z`r|A0EpK;CD7E=+)X6tvRgX1M)PiqkSsY)ue&_D3&>aDG3ceMrz;;da-7q0VdG+?# z#18S+p_~$!8n3@2PEjJ(EEbqVutnB`M4Z`pAkFh%s@0g@V|A;V-IZFcXGdutEC)p6 z3R^v&c{=ZWdO9{kfPb$P0c9be$P}Q~?h>*$@lHN{`tN2~l~Nx+nr;l6i|afD1#isP zkDb$HtvJD8++;Z>DvZm&?z8tJo3g#wEj!5XvQ)YOHhlMEN6&HTowawhiS`wr?K zqOgrC^2&r2S%dFaLy@e__p24%d_}!gyCBlR!p=CorZJh46A|Lr1kBPwMT(NCEfm$i zae|}wNxV2`O#Xw$M3ZhQss$9wl4J3XCFc;(qVh3xE`rK|nIq29@|zAie)DG8He3nQ zY}I;`tY>TVwB)2Hr?;8@OnDT9WdHcVAvIB*{gn|(w$BWl3^ zd3kwuQG;GzA>|tN3gux$h$d809KR+pUR;onB}xK3a2FEcltuZcy&~jyOs~mi3clzR zkmS0~HjZCio_=>SdUyQxFyp1gT| z&o*j7%UYYdIDUKf=Hz^IetcP*kX5a?an4E&T(dZvleg*sR8$vx%SQ!h&G2 zyUmGgtmmI3*TGLNtDmb@^*2X0F%Y_y;th1)xvPHAJ|) zKm0uS*OC@=nFsWtFb!GO4^yhFD`-78mP19hOlrl5uG+FH0l!NG-9RUfUE>v5?4rM3 z;~2~uoBQ8pSsHAkU*R6oTAnqa{MX!pcF9;ZH_%np6=rMqroqnChCXeQ*PNJu_Z#q) z=vSIp*^P!*&4-0NUSe5*t7SS_esUJ8L#@BR%W7EGtk7~TCjfbKKO9ruflZa z=w7tD&TKU*?C!i#x9=Ku?S+E63MoNL8NEY6Texu3I$2E(%O+iYx4#@6f#U$&IxZ~( 
z^*Q8-B~rx7?i;yb{TW^=GAtDsmWd0ir>PO-+E)UMqvs7YY9pCLruA*~d{wcOMcXS& zK+tp7nW7vo9W9ktN*I;2xhx{bjey$4mNKxlMVGbkOIbyW7~LB?1?tg}gITCzm`M5% zEH%uvQLVjrP=0>6Ice{EEmQxJK9zI!SK*gXRybW05zU)%F1!x!fN&{T`bw0`rCX8y zL)w(BW&brx@k7!;t@8gl+N;O^-P`2< z$l&UQ4!+s%o@%I|E^!xVQ{hV7#N~y@MB=`?xJ*iH-QJhrWX(1uW>jmba!}oD{!Z0v z#YTOMw*ySi(oEI!S?;&Y11X4XTw#G&9NECqy2jNDR%y-Xud*2W<6%tlE;A_bbgv+v=Bwi)XRTAE%atJz1w% z&K$$NyW3ziocSNP-Q>CeEN7QsPJaeIbNL5DBV|QYEwlZ7ZR?P=7b(3#D9Pqy!doq> zR#>LB<9r{(WT*O4Gp}~Vhbyj-c`6r8;cO>AM@i0bW=u3TWD7R#W|dR_$Hv$nUs`l~ zlxHpZpMhWKy)^(U(vNk3TkUtOeUzh)<;+~OT^s|Eh4-O6nHU015!G`}o#q)7lxK1_i zj;*}Q#rYVAu#y<3zrZosQLJcYe$Ha@cbY^rnLdD-ry^aGZ*vwCqn*Vm{hG5ZU4o}) zHMQp~4={B%tVA~ciGR zx4U6cGL2J!BkMH-ZBQa~+TO7#kO@*7F^x^Gkkeyy21eunNxL~c$$;6z`)c2v3FBiL zMI^ach)~9+d(U>Bsc%A4syXq1K}5-AW{z)%=w5Z!;m!v*cKK zI(0MUBznzR`l{m4W1V)u3+P*6b6VHH7zZI+vW#V|#X9btGLop=5kcP2B)csG1YpOB zA~unwX-wuMkvJ}>@$p8;F`?`fHdF8m&Xunz*F?&hTI3{xU%5G02Sw~AxxqX-K0DO~ z6@>~(68Rl~eidUn|Lsc*YwiDvvvxw3NY3Ik#>pK6L9ROg^$x4|zk{Rx(PsaDis$Kf zB$tkAoOa!)SdVi~(>q?{5w?^vJy;`Ox+^HTdno$B_kV2KJ?rLg_iedk2H9~u+sm5N z^6qOYm3Q2!VQw)M`i~nd!`UC+2xAtWM6?N~Ri|uw*f3necUH#d~Zlue8nY1NRqAr;oNfEaT-R@o|n* zq2U^M0 zO+=W?St9ht*Krb=l{%Y$7ZOV{$zrkYPFX=}tX?*f3}?wtY^+-`f7}hap0wgpQoHGZ zUZayoz9_#fhN%2r5_Qs&yi$CMCAqJIwB-+><9d2rMmmF@u=CoG>Ky~^%2 z4dxKHvN2Pxp^XZ_`h7?fI4HFmm|}`LqO8Leo8W<_niIv~MC0110IuJ(G(m+@I?$_l zn3iYBjY?$%T)ledH+wezGdyd{e-F3-SSA1M^$)80|G{9ek^i3JaYd9z6#~Dk6u1%p zeq-XFvC{g}0lg4H?+Aje{e5JSu(_Szp>SB4*@(o%PVy5AkF9NP#K?^p`A2)!mjA~3 zCjUOyKr7_G-qB$-{`>ymaO3~?B+otXe;#hv@f*4ZdP2LAQm+dGl2-GP&*4i{y282Z z`u`02|NefjmjB`4U}OLFB+tVRXiaS3v)m};#C?x@fU;l1eLQjVqt=(YVbq{67YRy_)`Se`EjiG|waXe>{Tc_ZB*aWPI;al3YOgx&7c^7t#PC z$-o`8(=ocSjzR^ev~!JP8UfQpH#3shEbug$qHBuLKS?~V>mZvtlgqZ5e3;tt&+N_p zc+T4uzwpoJ$^H9s#+8<4B;j+K7&Bu|ND}fzs_o5bqP>_;qA9s7irM@R=f*inL1RNF zVu{&n?-j13a6FX|BxSXC=by^S<~RJTwg1~B*q%$8G-fx*_!G)3DoJ>T!RMNDbBK1fK`7<-WA{MY}Qf$8yonkY7_0y5+(} zQ$=^htd2sm1gKo3RuX{-7i|%btEEfb&XWS&KaPwI_bS8G#9~X&^2jR?I;SQ&xe0!n z>s0ZCyo2WZg-Fb*1}8G5G2C|GUV4 
zCZ_wH#lThfe|7t>!Qg0f|Mw)%D*4Z4Inq?3x&=Fh$Z7g)9a z4|~=4KYM%qjsMS+JX>Z1oJ#aOCJA~TGj^4w$X|95=p)~`lk$L=z-uR3KO{XiO%I6D90~guo@aUkrrV-P`{D((}L8`oAILjyl(L%1O%C zZDaNNug3o!9BuCZpXT|vM((Ia`QTL^GodaTRI^1ri2z_x&>5zN=vM%ALz9Tz1mBqkm*Jc-Sl>ucoWlEf?McTzF?Oyl0g^hH#ts7QU7F~!|378KdS8X@t z>~^7-*0cZfo6&MNu7AmKNRw&zmHPRR$WQuNwf>K)`+xuNaI^lO=BemTLo9L3rgjxj z)}2A%8YdQSy$BOS1Q|P=uZFJFXA{DJL_=iWHkWg_1W;o~r>|}<%=O|kidRd;hH$GK z3#V!RvmYEB1wAh!BIGpH7ih=m=ZuC|NRfg>|H5QSIJ(rZ?3J>OrHY^-`m~*gmO)!5 z^|rRWN*D!pnoVy!>I!6v|Cr`?q^EAy3!Cxe0 zf=Z?a#qgx=oN~@Mi8>_?*(o@$hmge6oEIXrg+z*z3&}X1lFLO(bRKFH;slKe^5yg$a#lyDzN+TrFfa2~2c8X{f3>iMFBtr1Zqst(g^i26OXaWw`7)8%UOjF8Z+ z4bj2Z)XRT5anylYbd1xtOwrpp!O{1eO7a#%)HK~c-M}2*j?|DTiaAg$$@_(-S2R&y zf6fSB=&OU5`~AM>#36SD0!?X-#vkhCw?9S)aC)YsZgUH#f%Xp%UmSk%v+d?t{Vd)8 z3k|?1PgN(=JIewq_Wy&UUN!z}e}Ayq|DWXf__4c_Cy_Ks7Fss(kR>5WCHzrjUG8d0 zpp&u)683e`PS;p*MPxz~f_yiskUA^(kOjO3BcaaJHgIQNU3t^@F2ohC06@n#gU`E0^lz zxn_SwKW9vmI*|2}w*S=~Erp;>v0Fj3L8!@#lt6SU4KxixxlyNrnT5t|{A&)p9UDD% zwXtcop=>3$B_x|)P2X{vS50sS-4HsR$)VE?nmGAB^r9q*n-b;e2zv?bwPgos8|cb` z!Znq5sB77|q^(fxY+`I`8WPY}bh}GiGyQxp7p^q21|x1ZiMs0mJO)FrG_;DRx39T1 zsbVF=ca|VcB67Qn{z@g8yQ^@WN$u#vd-=q+*3wd|LA4kxVOe<@`>K)Y>mqu^l?&8Y zAu#W291GP^k;YUaf7f3E!W}2YsDKdzfQFsrdhLCsG0SqwVm4iTQyLxT?Q+6cMh&a@ z@qNglwpI#~aFS}PQpNbU(8@AuS%Y5gKrw63OcT}IgKpNQoE5awLOqSI*QOwpZ8 zZsyfeP7^sn{(p$Be=h)F#cO}~1wJj;7>Zg$R-ndi~LR8*h_r)n-o_-0 z<3({*gm9Vy=7IM;(a@p1RBfnU2s9=khBTsVPFy88^mjr@90`OuK{1_EseLHHX65;K z0b}v{-GwSklPMA@3AY39bb`#ang$ZGL}Hp)GZ%PACAy(;jK&0ILg6V82ILL4twUQ_ z1vXGqRg<2VX)UnUkh^5_S3uuA1+JP^2hV&YG?dcSe}QZ1?VS-UR!QeSgkOQC+r0~& zEngqsgIR>g&7xpVaTMjF16MAf8V5x_Xdc9_r;3b8%x=tU=cYvw*bU=XF~gBSA)Nz38{uwF5cdwp(&jc}*rVXeqD4sACb4x}&5)9>=Ex&J%H?RUQoUa9}xui1b1Huj%S^SG80I88<2 z3jaEv@)gG4bq;@TyKkJPCFc-(J8fm+8R1mI6`2drn5q{#40v5{)b({LyO6-q=8c2M zDpc&sFx8#$$&XOZ;bc{}*6!NM?wR(g4w32+G$JA9c^JnoO@7i$(#dg+wA0R<$Qj9W zO6-v1l$3ID*9&Q{9>2doIDF|>H+Ow|tB-zA=+PoMm1tM0XZ-2$;v zq7#KZDwasq&j{vy(S3};*7I#CD-{(%JgeeOIoh;xp%8?wQYf7GR_xHa6}&)`~%mO 
z&Mx^4SDNsPx#Lbs#GyKdk@6=sb=k4kxWqq1UC6;c$2$jt3T5v0!Mb) z&D;YsT(@@iHHM(G4E|$VvWBOVW@~{FZI6m*hJd%H^QX=Q=`b{e2d2C}EZM%>^urO6brOhP$BJ!p)>E0RRJ z=mxBa5VjNtqY)W+!CeE>YX8Q2?Islfk4X@ZGTR!nAotsJl&{SJx0@^6ZMyF`{ANQB zS*#oRjUPMfKCJmnby|AVDFR#OcSSF}+SK$$LzfbaPp))Kc;o5&g&$UjaHqL0Qh#93gyuwo=0&h!)xHIQ_ zfy9i&F;eSWTTs(vx~ukIEa^1?D?8^sP9kp$C1k22={-+5nb2Djp&Ke^=znbo=zS6| z5KEw@LJ6e=+)qg01+Ong7m{(}ZJ}3eK4%H~?$rf~C>LHZrLqhE)#!V{_!r)V|JoO` zX;=Nn{uI|qw*WN8q2hQG8WZ8|1mY(3c7id!@^%6_SAR23r{2#0?`@&)FsCdN==Al8 z@B)+P-3w?$a90=S>?bd{79opB_lqy?HJ+vG|NP|m_1lwR9zCp$mHU6cUyc7c*xdg- z&0|%1o_CDSH7(d(4GR(>mcS-y^nOm5G#xRs6daR5IL$ya2@OR1mBlf;K?|0F3m8|T zKTaYvX9<;ztDRMHI?g1C(42;x*%-Qk=lu=s?7U-=40m>r+RevU(9lK0DkNPzZe}!` z*+86yOC^LZ%)@d9=v$!$fFH^MKYx6_EI8*jiddMzy*jid8H$L`#z$= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.22.1 +apiVersion: v1 +appVersion: 1.22.1 +description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. +icon: https://charts.rancher.io/assets/logos/istio.svg +keywords: +- networking +- infrastructure +name: rancher-istio +version: 106.0.0+up1.22.1 diff --git a/charts/rancher-istio/106.0.0+up1.22.1/README.md b/charts/rancher-istio/106.0.0+up1.22.1/README.md new file mode 100644 index 0000000000..2230c61859 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/README.md 
@@ -0,0 +1,79 @@
+# Rancher-Istio Chart
+
+Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization.
+
+See the app-readme for known issues and deprecations.
+
+## Installation Requirements
+
+#### Chart Dependencies
+- rancher-monitoring chart or other Prometheus installation
+
+#### Install
+To install the rancher-istio chart with helm, use the following command:
+```
+helm install rancher-istio --create-namespace -n istio-system
+```
+
+#### Uninstall
+To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal.
+
+**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:**
+`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"`
+
+## Addons
+The addons that are included with rancher-istio are:
+
+- Kiali
+- Jaeger
+
+Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon.
+### Kiali Addon
+
+Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard.
+
+#### Kiali Dependencies
+##### rancher-monitoring chart or other Prometheus installation
+
+This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation.
+
+#### Prometheus Configuration for Kiali
+> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding.
+
+The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces.
+
+To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources.
+
+1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape.
+1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces.
+
+#### Kiali External Services
+
+The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing.
+
+##### Prometheus
+The `kiali.external_services.prometheus` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Grafana
+The `kiali.external_services.grafana` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Tracing
+The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml:
+```
+http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }}
+```
+The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance.
+
+## Jaeger Addon
+
+Jaeger allows you to trace and monitor distributed microservices.
+
+> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs.
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/app-readme.md b/charts/rancher-istio/106.0.0+up1.22.1/app-readme.md
new file mode 100644
index 0000000000..284f0720f3
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/app-readme.md
@@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
+ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.4.0+up1.22.1` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
+ +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/Chart.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/Chart.yaml new file mode 100644 index 0000000000..d117115029 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/Chart.yaml 
@@ -0,0 +1,28 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
+ catalog.rancher.io/namespace: cattle-istio-system
+ catalog.rancher.io/release-name: rancher-kiali-server
+apiVersion: v2
+appVersion: v1.86.0
+description: Kiali is an open source project for service mesh observability, refer
+ to https://www.kiali.io for details. This is installed as sub-chart with customized
+ values in Rancher's Istio.
+home: https://github.com/kiali/kiali
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- networking
+- infrastructure
+maintainers:
+- email: kiali-users@googlegroups.com
+ name: Kiali
+ url: https://kiali.io
+name: kiali
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 1.86.0
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/NOTES.txt b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/NOTES.txt
new file mode 100644
index 0000000000..751019401b
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Welcome to Kiali! For more details on Kiali, see: https://kiali.io
+
+The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+
+(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/_helpers.tpl b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/_helpers.tpl
new file mode 100644
index 0000000000..91c9ff0ca5
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/_helpers.tpl
@@ -0,0 +1,222 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride. +For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali, +use fullnameOverride, otherwise use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }} + {{- .Values.fullnameOverride | trunc 63 }} +{{- else }} + {{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Identifies the log_level. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- .Values.deployment.logger.log_level -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullName := include "kiali-server.fullname" . 
-}} +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} +app.kubernetes.io/name: kiali +{{- if (and .Release.IsUpgrade $deployment)}} +app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} +{{- else }} +app.kubernetes.io/instance: {{ $fullName }} +{{- end }} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- if (eq .Values.server.web_root "/") }} + {{- .Values.server.web_root }} + {{- else }} + {{- .Values.server.web_root | trimSuffix "/" }} + {{- end }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default deployment.ingress.enabled. 
Disable it on k8s; enable it on OpenShift. +*/}} +{{- define "kiali-server.deployment.ingress.enabled" -}} +{{- if hasKey .Values.deployment.ingress "enabled" }} + {{- .Values.deployment.ingress.enabled }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- true }} + {{- else }} + {{- false }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. +*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- if not .Values.kiali_route_url }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the root namespace - default is where Kiali is installed. 
+*/}} +{{- define "kiali-server.external_services.istio.root_namespace" -}} +{{- if .Values.external_services.istio.root_namespace }} + {{- .Values.external_services.istio.root_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. +Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. 
+*/}} +{{- define "kiali-server.remote-cluster-secrets" -}} +{{- $theDict := dict }} +{{- if .Values.clustering.autodetect_secrets.enabled }} + {{- $secretLabelToLookFor := (regexSplit "=" .Values.clustering.autodetect_secrets.label 2) }} + {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }} + {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }} + {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }} + {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }} + {{- $clusterName := $secret.metadata.name }} + {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "kiali.io/cluster")) }} + {{- $clusterName = get $secret.metadata.annotations "kiali.io/cluster" }} + {{- end }} + {{- $theDict = set $theDict $clusterName $secret.metadata.name }} + {{- end }} + {{- end }} +{{- end }} +{{- $theDict | toJson }} +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/cabundle.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/cabundle.yaml new file mode 100644 index 0000000000..7462b95a7f --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/cabundle.yaml @@ -0,0 +1,13 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }}-cabundle + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + service.beta.openshift.io/inject-cabundle: "true" +... +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/configmap.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/configmap.yaml new file mode 100644 index 0000000000..f7b68294d7 --- /dev/null 
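Review bot: `kiali-server.login_token.signing_key` falls back to `randAlphaNum 16`, which is re-evaluated on every render, so every `helm upgrade` run without `login_token.signing_key` set produces a fresh key and any Kiali session signed with the previous key stops validating. Unlike `kiali-server.selectorLabels`, which uses `lookup` to carry the existing instance label across upgrades, nothing here looks up the previously rendered key. I would state that above the define: `{{/* A new random key is generated on every render; set login_token.signing_key explicitly to keep sessions valid across upgrades. */}}`. This looks inherited from the upstream Kiali chart, so it may be a deliberate choice rather than an oversight.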
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/configmap.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ {{- if .Values.deployment.configmap_annotations }}
+ annotations:
+ {{- toYaml .Values.deployment.configmap_annotations | nindent 4 }}
+ {{- end }}
+data:
+ config.yaml: |
+ {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
+ {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
+ {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
+ {{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
+ {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}
+ {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }}
+ {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }}
+ {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }}
+ {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }}
+ {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }}
+ {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }}
+ {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }}
+ {{- $_ := set $cm.external_services.istio "root_namespace" (include "kiali-server.external_services.istio.root_namespace" .) }}
+ {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }}
+ {{- toYaml $cm | nindent 4 }}
+...
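Review bot: The session-token signing key (`set $cm.login_token "signing_key"`) is serialized together with the rest of `.Values` into a ConfigMap rather than a Secret, so any principal with `get` on ConfigMaps in the release namespace can read the key that signs Kiali login tokens; the `-viewer` ClusterRole added in this same commit grants cluster-wide `configmaps` get/list/watch, presumably to Kiali's own service account, which makes the scope of that permission worth keeping in mind. Because the key is regenerated on each render when unset, the Deployment's `checksum/config` annotation also changes on every upgrade, forcing a pod restart. Moving the key into the Secret already mounted at `/kiali-secret` would need server-side support, so for now I would add above the `set $cm.login_token` line: `{{- /* NOTE: login_token.signing_key ends up in this ConfigMap, not a Secret; restrict ConfigMap read access in the release namespace accordingly */}}`.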
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/deployment.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/deployment.yaml new file mode 100644 index 0000000000..dfb5d24081 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/deployment.yaml 
@@ -0,0 +1,238 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "-4" +spec: + replicas: {{ .Values.deployment.replicas }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) 
}} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console + subPath: env.js + mountPath: /opt/kiali/console/env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + {{- if .Values.web_root_override }} + - name: kiali-console + configMap: + name: kiali-console + items: + - key: env.js + path: env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . 
}}-cert + secret: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} +{{- if .Values.deployment.tolerations }} +{{ toYaml .Values.deployment.tolerations | indent 8 }} +{{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.deployment.node_selector }} +{{ toYaml .Values.deployment.node_selector | indent 8 }} +{{- end }} +... diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/hpa.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/hpa.yaml new file mode 100644 index 0000000000..934c4c1e9d --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/hpa.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.hpa.spec }} +--- +apiVersion: {{ .Values.deployment.hpa.api_version }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kiali-server.fullname" . }} + {{- toYaml .Values.deployment.hpa.spec | nindent 2 }} +... +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/ingress.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/ingress.yaml new file mode 100644 index 0000000000..27807fc3de --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/ingress.yaml 
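Review bot: In the container `securityContext` block, a non-empty `deployment.security_context` replaces the hardened defaults wholesale instead of extending them, so a user who sets only, say, `runAsUser` silently loses `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `capabilities.drop: [ALL]`. If this is intended as an escape hatch it should be documented as such; otherwise merge the user's map over the defaults so partial overrides keep the hardening, e.g. replace the if/else with `{{- $defaultSecurityContext := dict "allowPrivilegeEscalation" false "privileged" false "readOnlyRootFilesystem" true "runAsNonRoot" true "capabilities" (dict "drop" (list "ALL")) }}` followed by `{{- toYaml (mergeOverwrite $defaultSecurityContext (.Values.deployment.security_context | default dict)) | nindent 10 }}`. This pattern appears to mirror the upstream Kiali chart, so the same caveat likely applies there. The same replace-not-merge behaviour is visible in the `psp.yaml` hunk's absence of any pod-level securityContext, which only the PSP compensates for when `global.cattle.psp.enabled` is true.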
@@ -0,0 +1,62 @@ +{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- else }} + # For ingress-nginx versions older than 0.20.0 use secure-backends. + # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948) + # For ingress-nginx versions 0.20.0 and later use backend-protocol. + {{- if (include "kiali-server.identity.cert_file" .) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- else }} + nginx.ingress.kubernetes.io/secure-backends: "false" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + {{- end }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + {{- if .Values.deployment.ingress.class_name }} + ingressClassName: {{ .Values.deployment.ingress.class_name }} + {{- end }} + rules: + - http: + paths: + - path: {{ include "kiali-server.server.web_root" . }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ include "kiali-server.fullname" . 
}} + port: + number: {{ .Values.server.port }} + {{- else }} + backend: + serviceName: {{ include "kiali-server.fullname" . }} + servicePort: {{ .Values.server.port }} + {{- end }} + {{- if not (empty .Values.server.web_fqdn) }} + host: {{ .Values.server.web_fqdn }} + {{- end }} + {{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/oauth.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/oauth.yaml new file mode 100644 index 0000000000..44c8d7cbb1 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/oauth.yaml @@ -0,0 +1,25 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +{{- if .Values.kiali_route_url }} +--- +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +redirectURIs: +- {{ .Values.kiali_route_url }} +{{- if .Values.server.web_port }} +- {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }} +{{- end }} +grantMethod: auto +{{- if .Values.auth.openshift.token_inactivity_timeout }} +accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }} +{{- end }} +{{- if .Values.auth.openshift.token_max_age }} +accessTokenMaxAgeSeconds: {{ .Values.auth.openshift.token_max_age }} +{{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/psp.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/psp.yaml new file mode 100644 index 0000000000..e31d706d4b --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/psp.yaml 
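Review bot: The generated `spec` contains no `tls:` stanza and, when `server.web_fqdn` is empty, no `host:` either, so the Ingress publishes Kiali's `web_root` path on every hostname the controller serves, with client-to-controller transport left to the controller's defaults; the only way to add TLS or host scoping is `deployment.ingress.override_yaml.spec`, and taking that branch also discards `class_name` and the generated rule. Since the Kiali login token travels on this path, I would say so above `rules:`: `# No tls: section is generated; terminate TLS at the controller or supply override_yaml.spec with a tls block.` The `backend-protocol`/`secure-backends` annotations only govern the controller-to-pod leg, not the client-facing one.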
@@ -0,0 +1,67 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: kiali +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "kiali-server.fullname" . }}-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-controlplane.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-controlplane.yaml new file mode 100644 index 0000000000..707501c677 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-controlplane.yaml 
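Review bot: The PSP RoleBinding's subject is the hardcoded ServiceAccount `name: kiali`, while the Role, the PSP and the Deployment's `serviceAccountName: {{ include "kiali-server.fullname" . }}` in this commit all derive their names from the fullname helper; if `deployment.instance_name` or `fullnameOverride` resolves to anything other than `kiali`, the binding targets a non-existent account and, with `global.cattle.psp.enabled: true`, the Kiali pod has no PSP it is allowed to use. Change the subject to `name: {{ include "kiali-server.fullname" . }}`. The `namespace:` set on the PodSecurityPolicy metadata is ignored for a cluster-scoped kind and could be dropped for clarity.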
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+ namespace: {{ include "kiali-server.istio_namespace" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+rules:
+{{- if .Values.kiali_feature_flags.certificates_information_indicators.enabled }}
+- apiGroups: [""]
+ resourceNames:
+ {{- range .Values.kiali_feature_flags.certificates_information_indicators.secrets }}
+ - {{ . }}
+ {{- end }}
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+...
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-viewer.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-viewer.yaml
new file mode 100644
index 0000000000..0811b20118
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role-viewer.yaml
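Review bot: This Role grants `get`, `list` and `watch` on the secrets listed under `certificates_information_indicators.secrets` (`cacerts` and `istio-ca-secret` by default, with the feature enabled by default in values.yaml), which in an Istio install typically hold the mesh CA key material; that is a meaningful grant to the Kiali service account and deserves a comment on the rule, e.g. `# read access to the Istio CA secrets in the control-plane namespace; gated by kiali_feature_flags.certificates_information_indicators`. Note also that `list`/`watch` restricted by `resourceNames` only authorize requests that carry a matching `metadata.name` field selector, so `get` alone may be all Kiali needs — worth checking what it actually issues before trimming. When the flag is off the `rules:` key renders with no entries, which is valid but easier to read if the comment says so.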
@@ -0,0 +1,96 @@
+{{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }}
+ - pods/log
+{{- end }}
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups: ["oauth.openshift.io"]
+ resources:
+ - oauthclients
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
+ verbs:
+ - get
+...
+{{- end -}}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role.yaml
new file mode 100644
index 0000000000..de23cc5c83
--- /dev/null
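Review bot: `- post` under the `pods/portforward` rule is not a Kubernetes RBAC verb (the resource verbs are get/list/watch/create/update/patch/delete/deletecollection), so it is silently ignored; `create` already covers port-forward, and the same stray verb is repeated in role.yaml. More importantly for anyone relying on `deployment.view_only_mode`, this "viewer" ClusterRole still grants `create` on `pods/portforward` cluster-wide and `create` on `tokenreviews`, so it is read-only with respect to Kubernetes and Istio objects but not a pure read-only role; a comment on those two rules, e.g. `# not read-only: needed by Kiali's proxying/auth paths, granted cluster-wide`, would make the scope explicit to operators auditing the binding.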
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/role.yaml
@@ -0,0 +1,103 @@
+{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }}
+ - pods/log
+{{- end }}
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups: ["oauth.openshift.io"]
+ resources:
+ - oauthclients
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
+ verbs:
+ - get
+...
+{{- end -}}
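Review bot: The guard `{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}}` means this write-capable ClusterRole (`patch` on namespaces, pods, services and workloads, plus `create`/`delete`/`patch` on every resource in the Istio and Gateway API groups, cluster-wide) is rendered exactly when `auth.strategy` is literally `"anonymous"` and `view_only_mode` is false — the unauthenticated configuration gets the broadest permissions, while the default `auth.strategy: ""` in values.yaml selects the viewer role instead. That is upstream Kiali's design, but it should be stated at the top of the file, e.g. `# Rendered only for auth.strategy=anonymous with view_only_mode=false: grants cluster-wide write access to an unauthenticated UI`. The same three-way condition is copied into role-viewer.yaml and rolebinding.yaml; a named helper (say `kiali-server.viewer_only`) would keep the three from drifting.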
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml
new file mode 100644
index 0000000000..5a00158360
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding-controlplane.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+ namespace: {{ include "kiali-server.istio_namespace" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+...
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding.yaml
new file mode 100644
index 0000000000..63f1922ac1
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/rolebinding.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+...
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/route.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/route.yaml
new file mode 100644
index 0000000000..8325c14a74
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/route.yaml
@@ -0,0 +1,34 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
+# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if .Values.deployment.ingress.additional_labels }}
+ {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }}
+ {{- end }}
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }}
+ annotations:
+ {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }}
+ {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }}
+ {{- else }}
+ tls:
+ termination: reencrypt
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: {{ include "kiali-server.fullname" . }}
+ port:
+ targetPort: {{ .Values.server.port }}
+ {{- end }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/service.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/service.yaml
new file mode 100644
index 0000000000..111be7f879
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/service.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
+ {{- end }}
+ {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
+ {{- if empty .Values.server.web_port }}
+ kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }}
+ {{- else }}
+ kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{ include "kiali-server.server.web_root" . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.service_annotations }}
+ {{- toYaml .Values.deployment.service_annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.deployment.service_type }}
+ type: {{ .Values.deployment.service_type }}
+ {{- end }}
+ ports:
+ {{- if (include "kiali-server.identity.cert_file" .) }}
+ - name: tcp
+ appProtocol: https
+ {{- else }}
+ - name: http
+ appProtocol: http
+ {{- end }}
+ protocol: TCP
+ port: {{ .Values.server.port }}
+ {{- if and (not (empty .Values.server.node_port)) (eq .Values.deployment.service_type "NodePort") }}
+ nodePort: {{ .Values.server.node_port }}
+ {{- end }}
+ {{- if .Values.server.observability.metrics.enabled }}
+ - name: http-metrics
+ appProtocol: http
+ protocol: TCP
+ port: {{ .Values.server.observability.metrics.port }}
+ {{- end }}
+ selector:
+ {{- include "kiali-server.selectorLabels" . | nindent 4 }}
+ {{- if .Values.deployment.additional_service_yaml }}
+ {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }}
+ {{- end }}
+...
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/serviceaccount.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9151b6f6a1
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+...
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/validate-psp-install.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/web-root-configmap.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/web-root-configmap.yaml
new file mode 100644
index 0000000000..970d4e4f5d
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/templates/web-root-configmap.yaml
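Review bot: Every line of validate-psp-install.yaml is commented out with a leading `#`, so the `fail` that was meant to stop an install with `global.cattle.psp.enabled: true` on a cluster lacking `policy/v1beta1/PodSecurityPolicy` never runs; with the guard disabled, enabling PSP on such a cluster fails at apply time with a raw API error instead of the intended message. The tracing chart's copy of this file, later in the commit, is disabled the same way. If this is deliberate — `lookup` returns nothing under `helm template`, which may be why — a one-line comment at the top such as `# intentionally disabled: lookup() is empty at template time, so this guard cannot run here` would stop the next reader from re-enabling it blindly.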
@@ -0,0 +1,12 @@
+{{- if .Values.web_root_override }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+data:
+ env.js: |
+ window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/values.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/values.yaml
new file mode 100644
index 0000000000..4e9c57da3d
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/kiali/values.yaml
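Review bot: The `window.WEB_ROOT` line hard-codes the proxied target as `http:kiali:20001`, even though the Service in service.yaml is named `{{ include "kiali-server.fullname" . }}` and exposes `{{ .Values.server.port }}`, so changing `deployment.instance_name` or `server.port` silently breaks the Rancher proxy path; `.../services/http:{{ include "kiali-server.fullname" . }}:{{ .Values.server.port }}/proxy/kiali` keeps them in step. The cluster id is also interpolated into a JavaScript single-quoted string with no escaping; it is set by Rancher so the risk is low, but `{{ .Values.global.cattle.clusterId | js }}` costs nothing. Since `web_root_override` defaults to `true` while `global.cattle.clusterId` has no value in values.yaml, an install outside Rancher presumably renders an empty cluster segment — a comment stating the Rancher-only assumption would help.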
@@ -0,0 +1,136 @@
+# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
+# This is only supported for backward compatibility and will be removed in a future version.
+# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
+# then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
+# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
+fullnameOverride: "kiali"
+
+# This is required for "openshift" auth strategy.
+# You have to know ahead of time what your Route URL will be because
+# right now the helm chart can't figure this out at runtime (it would
+# need to wait for the Kiali Route to be deployed and for OpenShift
+# to start it up). If someone knows how to update this helm chart to
+# do this, a PR would be welcome.
+kiali_route_url: ""
+
+# rancher specific override that allows proxy access to kiali url
+web_root_override: true
+#
+# Settings that mimic the Kiali CR which are placed in the ConfigMap.
+# Note that only those values used by the Helm Chart will be here.
+#
+
+additional_display_details:
+- annotation: kiali.io/api-spec
+ icon_annotation: kiali.io/api-type
+ title: API Documentation
+
+istio_namespace: "" # default is where Kiali is installed
+
+auth:
+ openid: {}
+ openshift: {}
+ strategy: ""
+
+clustering:
+ autodetect_secrets:
+ enabled: true
+ label: "kiali.io/multiCluster=true"
+ clusters: []
+
+deployment:
+ # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
+ # For more control over what the Kial Service Account can see, use the Kiali Operator
+ accessible_namespaces:
+ - "**"
+ additional_service_yaml: {}
+ affinity:
+ node: {}
+ pod: {}
+ pod_anti: {}
+ configmap_annotations: {}
+ custom_secrets: []
+ dns:
+ config: {}
+ policy: ""
+ host_aliases: []
+ hpa:
+ api_version: "autoscaling/v2"
+ spec: {}
+ image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@")
+ repository: rancher/mirrored-kiali-kiali
+ image_pull_policy: "Always"
+ image_pull_secrets: []
+ tag: v1.86.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash
+ ingress:
+ additional_labels: {}
+ class_name: "nginx"
+ #enabled:
+ override_yaml:
+ metadata: {}
+ instance_name: "kiali"
+ logger:
+ log_format: "text"
+ log_level: "info"
+ time_field_format: "2006-01-02T15:04:05Z07:00"
+ sampler_rate: "1"
+ node_selector: {}
+ pod_annotations: {}
+ pod_labels: {}
+ priority_class_name: ""
+ replicas: 1
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "64Mi"
+ limits:
+ memory: "1Gi"
+ secret_name: "kiali"
+ security_context: {}
+ service_annotations: {}
+ service_type: ""
+ tolerations: []
+ version_label: v1.86.0 # v1.39 # v1.39.0 # see: https://quay.io/repository/kiali/kiali?tab=tags
+ view_only_mode: false
+
+external_services:
+ custom_dashboards:
+ enabled: true
+ istio:
+ root_namespace: ""
+
+identity: {}
+ #cert_file:
+ #private_key_file:
+
+kiali_feature_flags:
+ certificates_information_indicators:
+ enabled: true
+ secrets:
+ - cacerts
+ - istio-ca-secret
+ disabled_features: []
+ validations:
+ ignore: ["KIA1301"]
+
+login_token:
+ signing_key: ""
+
+server:
+ port: 20001
+ #node_port:
+ observability:
+ metrics:
+ enabled: true
+ port: 9090
+ web_root: ""
+
+# Common settings used among istio subcharts.
+global:
+ # Specify rancher clusterId of external tracing config
+ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
+ cattle:
+ systemDefaultRegistry: ""
+ clusterId:
+ psp:
+ enabled: false
\ No newline at end of file
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/.helmignore b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/Chart.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/Chart.yaml
new file mode 100644
index 0000000000..87c13ce47e
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/Chart.yaml
@@ -0,0 +1,12 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.rancher.io/certified: rancher
+ catalog.rancher.io/namespace: istio-system
+ catalog.rancher.io/release-name: rancher-tracing
+apiVersion: v1
+appVersion: 1.57.0
+description: A quick start Jaeger Tracing installation using the all-in-one demo.
+ This is not production qualified. Refer to https://www.jaegertracing.io/ for details.
+name: tracing
+version: 1.57.0
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/README.md b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/README.md
new file mode 100644
index 0000000000..25534c6288
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/README.md
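Review bot: `clusterId:` under `global.cattle` at the end of the kiali values.yaml has no value and therefore parses as null rather than an empty string, yet it is the one value web-root-configmap.yaml interpolates into a URL; `clusterId: ""` makes the intended type explicit and is the form yamllint's `empty-values` rule expects. Two smaller points in the same hunk: the comment `# For more control over what the Kial Service Account can see` misspells Kiali, and the file ends without a trailing newline. It would also be worth a comment next to `view_only_mode: false` saying that this value, together with `auth.strategy`, decides whether the viewer ClusterRole or the write-capable one is bound.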
@@ -0,0 +1,5 @@
+# Jaeger
+
+A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
+
+> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_affinity.tpl b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_affinity.tpl
new file mode 100644
index 0000000000..bf6a9aee5c
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_affinity.tpl
@@ -0,0 +1,92 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+{{- define "nodeAffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .Values.podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if or .Values.podAntiAffinityTermLabelSelector}}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . 
}}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_helpers.tpl b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_helpers.tpl
new file mode 100644
index 0000000000..09c6b05467
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/_helpers.tpl
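Review bot: Both `nodeAffinityRequiredDuringScheduling` and `nodeAffinityPreferredDuringScheduling` match on `beta.kubernetes.io/arch`, a label that has been deprecated in favour of `kubernetes.io/arch` for many releases; if a node image stops setting the beta label, the required term excludes every node and the tracing pod becomes unschedulable. Changing the two `- key: beta.kubernetes.io/arch` lines to `- key: kubernetes.io/arch` is, as far as I know, backward compatible on any currently supported cluster. Also, if every entry in `global.arch` were set to 0 the `values:` list under the required term would render empty, which is invalid for an `In` operator — the shipped defaults avoid this, but a comment on `global.arch` in values.yaml saying at least one architecture must be non-zero would prevent a confusing scheduling failure.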
@@ -0,0 +1,47 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tracing.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tracing.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/deployment.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/deployment.yaml
new file mode 100644
index 0000000000..f8a6828085
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/deployment.yaml
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Values.provider }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+{{- if .Values.jaeger.podAnnotations }}
+{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: jaeger
+ image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ env:
+ {{- if eq .Values.jaeger.spanStorageType "badger" }}
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ {{- end }}
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: "9411"
+ - name: MEMORY_MAX_TRACES
+ value: "{{ .Values.jaeger.memory.max_traces }}"
+ - name: QUERY_BASE_PATH
+ value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+{{- end }}
+ resources:
+{{- if .Values.jaeger.resources }}
+{{ toYaml .Values.jaeger.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeAffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . 
| indent 6 }}
+ {{- if .Values.global.cattle.psp.enabled }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ {{- end }}
+ serviceAccountName: {{ include "tracing.fullname" . }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumes:
+ - name: data
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+ persistentVolumeClaim:
+ claimName: istio-jaeger-pvc
+{{- else }}
+ emptyDir: {}
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/psp.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/psp.yaml
new file mode 100644
index 0000000000..4d5c271e1b
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/psp.yaml
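Review bot: The pod-level `securityContext` with `runAsNonRoot: true` and `runAsUser: 1000` is emitted only inside `{{- if .Values.global.cattle.psp.enabled }}`, so with the default `psp.enabled: false` (and on any cluster where the PSP API no longer exists) the Jaeger container runs as whatever user the image defaults to with no non-root enforcement; hardening should not depend on an admission feature being switched on. Render that securityContext unconditionally, or behind its own value, and keep the PSP gate only for the PSP objects. In the same spirit the container sets neither `allowPrivilegeEscalation: false` nor `capabilities.drop: ["ALL"]`, both of which the PSP in psp.yaml requires, so the pod is admitted under PSP only because the policy mutates it and has no equivalent settings when PSP is off. The kiali deployment is not in the visible range, so I cannot say whether it has the same gap.
```yaml
      containers:
        - name: jaeger
          # … unchanged: image, env, probes, volumeMounts, resources …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      # … unchanged: affinity …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: {{ include "tracing.fullname" . }}
```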
@@ -0,0 +1,76 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tracing.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tracing.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "tracing.fullname" . }}
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - secret
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/pvc.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/pvc.yaml
new file mode 100644
index 0000000000..9b4c55e4fb
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/pvc.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-jaeger-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+spec:
+ storageClassName: {{ .Values.jaeger.storageClassName }}
+ accessModes:
+ - {{ .Values.jaeger.accessMode }}
+ resources:
+ requests:
+ storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/service.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/service.yaml
new file mode 100644
index 0000000000..3ee5a54247
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/service.yaml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.service.externalPort }}
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: {{ .Values.provider }}
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: zipkin
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.zipkin.queryPort }}
+ targetPort: {{ .Values.zipkin.queryPort }}
+ selector:
+ app: {{ .Values.provider }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ - port: 4317
+ name: grpc-otel
+ - port: 4318
+ name: http-otel
+ selector:
+ app: {{ .Values.provider }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/serviceaccount.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..1bff77ff66
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/validate-psp-install.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/values.yaml b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/values.yaml
new file mode 100644
index 0000000000..0070dee9d4
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/charts/tracing/values.yaml
@@ -0,0 +1,53 @@ +provider: jaeger +contextPath: "" +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] +nameOverride: "" +fullnameOverride: "" + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + defaultResources: {} + imagePullPolicy: IfNotPresent + imagePullSecrets: [] + arch: + arm64: 2 + amd64: 2 + s390x: 2 + ppc64le: 2 + defaultNodeSelector: + kubernetes.io/os: linux + rbac: + pspEnabled: false + +jaeger: + repository: rancher/mirrored-jaegertracing-all-in-one + tag: 1.57.0 + # spanStorageType value can be "memory" and "badger" for all-in-one image + spanStorageType: badger + resources: + requests: + cpu: 10m + persistentVolumeClaim: + enabled: false + storage: 5Gi + storageClassName: "" + accessMode: ReadWriteMany + memory: + max_traces: 50000 +zipkin: + queryPort: 9411 +service: + annotations: {} + name: http-query + type: ClusterIP + externalPort: 16686 diff --git a/charts/rancher-istio/106.0.0+up1.22.1/configs/istio-base.yaml b/charts/rancher-istio/106.0.0+up1.22.1/configs/istio-base.yaml new file mode 100644 index 0000000000..17fb5ff8c3 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/configs/istio-base.yaml 
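Review bot: `service.type: ClusterIP` is the only thing keeping the Jaeger query UI off the network (the `tracing` Service in the previous hunk fronts `targetPort: 16686`), and nothing in these values says that the UI has no authentication of its own, so a user who switches this to `NodePort` or `LoadBalancer` exposes every trace collected from the mesh. I would add `# Keep ClusterIP unless the Jaeger UI sits behind an authenticating proxy; port 16686 has no auth of its own` above `type:`. Separately, `global.cattle.psp.enabled` and `global.rbac.pspEnabled` both exist here while the only consumer visible in this diff (validate-psp-install.yaml) reads `global.cattle.psp.enabled`; if `rbac.pspEnabled` is a leftover it should go, otherwise a comment should say which template reads it.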
@@ -0,0 +1,140 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: {{ .Values.base.enabled }} + cni: + enabled: {{ .Values.cni.enabled }} + k8s: + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + egressGateways: + - enabled: {{ .Values.egressGateways.enabled }} + name: istio-egressgateway + k8s: + {{- if .Values.egressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.egressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + ingressGateways: + - enabled: {{ .Values.ingressGateways.enabled }} + name: istio-ingressgateway + k8s: + {{- if .Values.ingressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.ingressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31380 + - name: https + port: 443 + targetPort: 8443 + nodePort: 31390 + - name: tcp + port: 31400 + targetPort: 31400 + nodePort: 31400 + - name: tls + port: 15443 + targetPort: 15443 + istiodRemote: + enabled: {{ .Values.istiodRemote.enabled }} + pilot: + enabled: {{ .Values.pilot.enabled }} + k8s: + {{- if .Values.pilot.hpaSpec }} + hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.pilot.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + hub: {{ .Values.systemDefaultRegistry | default "docker.io" }} + profile: default + tag: {{ .Values.tag }} + revision: {{ .Values.revision }} + meshConfig: + defaultConfig: + {{- if .Values.tracing.enabled }} + tracing: + zipkin: + address: {{ .Values.tracing.zipkinAddress }} + {{- end }} + proxyMetadata: + {{- if .Values.dns.enabled }} + ISTIO_META_DNS_CAPTURE: "true" + {{- end }} + values: + gateways: + istio-egressgateway: + name: istio-egressgateway + type: {{ .Values.egressGateways.type }} + istio-ingressgateway: + name: istio-ingressgateway + type: {{ .Values.ingressGateways.type }} + global: + istioNamespace: {{ template "istio.namespace" . }} + proxy: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} + proxy_init: + image: {{ template "system_default_registry" . 
}}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }} + {{- if .Values.global.defaultPodDisruptionBudget.enabled }} + defaultPodDisruptionBudget: + enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }} + {{- end }} + {{- if .Values.pilot.enabled }} + pilot: + image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }} + {{- end }} + telemetry: + enabled: {{ .Values.telemetry.enabled }} + v2: + enabled: {{ .Values.telemetry.v2.enabled }} + {{- if .Values.cni.enabled }} + cni: + image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }} + excludeNamespaces: + {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }} + logLevel: {{ .Values.cni.logLevel }} + {{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/requirements.yaml b/charts/rancher-istio/106.0.0+up1.22.1/requirements.yaml new file mode 100644 index 0000000000..9e21bd425d --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/requirements.yaml @@ -0,0 +1,9 @@ +dependencies: +- condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 1.86.0 +- condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.57.0 diff --git a/charts/rancher-istio/106.0.0+up1.22.1/samples/overlay-example.yaml b/charts/rancher-istio/106.0.0+up1.22.1/samples/overlay-example.yaml new file mode 100644 index 0000000000..5cf3cf3b0b --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/samples/overlay-example.yaml 
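Review bot: `hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}` reads a top-level `systemDefaultRegistry`, but the chart's values file only defines that key under `global.cattle.systemDefaultRegistry`, and every explicit `image:` in this same file goes through the `system_default_registry` helper that reads the `global.cattle` one, so `hub` is always `docker.io` even in a private-registry or airgap install. Anything istioctl derives from `hub`/`tag` rather than from the explicit `proxy`, `proxy_init`, `pilot` and `cni` overrides below would therefore be pulled from docker.io, undoing the registry pinning the rest of the chart does. I would change it to `hub: {{ .Values.global.cattle.systemDefaultRegistry | default "docker.io" }}` and add `# fallback registry for any component without an explicit image override below` above it; the helper itself lives in _helpers.tpl, outside this hunk.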
@@ -0,0 +1,37 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - enabled: true + name: ilb-gateway + namespace: user-ingressgateway-ns + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal + - enabled: true + name: other-gateway + namespace: cattle-istio-system + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/_helpers.tpl b/charts/rancher-istio/106.0.0+up1.22.1/templates/_helpers.tpl new file mode 100644 index 0000000000..30b429a800 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "istio.namespace" -}} + {{- .Release.Namespace | default "istio-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/admin-role.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/admin-role.yaml new file mode 100644 index 0000000000..ad1313c4f1 --- /dev/null 
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/admin-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: istio-admin + namespace: {{ template "istio.namespace" . }} +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/base-config-map.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/base-config-map.yaml new file mode 100644 index 0000000000..5323917bc3 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/base-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-base + namespace: {{ template "istio.namespace" . }} +data: +{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrole.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..31163f9325 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrole.yaml 
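Review bot: `istio-admin` is a ClusterRole yet carries `namespace: {{ template "istio.namespace" . }}` in its metadata; ClusterRoles are cluster-scoped, so the API server discards that field and it only misleads a reader into thinking the grant is confined to the Istio namespace (the same pattern appears in edit-role.yaml and view-role.yaml further down). The `config.istio.io` rule lists Mixer-era resources (`adapters`, `handlers`, `instances`, `quotaspecs`, ...) which, as far as I know, no longer exist in Istio 1.22, so that rule grants nothing and is dead weight. I would drop the `namespace:` line, remove or mark the stale rule, and add `# aggregated into the built-in admin ClusterRole; applies wherever that role is bound, not only in the Istio namespace` above `labels:`.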
@@ -0,0 +1,143 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-installer +rules: +# istio groups +- apiGroups: + - extensions.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - telemetry.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - ingresses + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/exec + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + verbs: + - 'get' + - 'list' + - 'watch' +{{- if and .Values.global.cattle.psp.enabled }} +- 
apiGroups: + - policy + resourceNames: + - istio-installer + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrolebinding.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..9d74a04345 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-installer +subjects: +- kind: ServiceAccount + name: istio-installer + namespace: {{ template "istio.namespace" . }} +roleRef: + kind: ClusterRole + name: istio-installer + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/edit-role.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/edit-role.yaml new file mode 100644 index 0000000000..d1059d58d7 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/edit-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-edit +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' 
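Review bot: The `istio-installer` ClusterRole grants `*` cluster-wide on `clusterroles`, `clusterrolebindings`, `secrets`, `pods/exec` and `pods/portforward`, which makes the `istio-installer` ServiceAccount equivalent to cluster-admin: whoever obtains its token (the install and uninstall Jobs mount it) can bind themselves to cluster-admin or read every Secret in the cluster. istioctl genuinely needs to create Istio's ClusterRoles, CRDs and webhooks, so much of this is unavoidable, but `pods/exec` and `pods/portforward` do not look necessary for an install or uninstall and should be dropped or justified in a comment. I would add `# NOTE: effectively cluster-admin (creates ClusterRoles/ClusterRoleBindings, reads all Secrets); only the install/uninstall Jobs may use this SA` above `rules:`, and the `secrets` verb list should shrink to what the installer scripts actually do if that can be established.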
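Review bot: `istio-edit` aggregates into the built-in `edit` ClusterRole and hands out `*` on `envoyfilters`; EnvoyFilter is Istio's raw escape hatch into the Envoy configuration of the selected workloads, so a namespace editor can rewrite routing, TLS settings and filter chains of every sidecar in that namespace, and, if the role is bound in the Istio root namespace, mesh-wide. That is well beyond what the stock `edit` role allows, and the same grant is repeated in `istio-admin` above. I would take `envoyfilters` out of the edit role (leave it to `istio-admin`, or gate it behind a value) and put `# envoyfilters deliberately excluded: raw Envoy config changes are an admin-level operation` on the networking rule.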
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-cni-psp.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-cni-psp.yaml
new file mode 100644
index 0000000000..a71561e676
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-cni-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-job.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-job.yaml
new file mode 100644
index 0000000000..c2e362e684
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-job.yaml
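Review bot: This and every other PSP template in the chart render `policy/v1beta1` PodSecurityPolicy objects, but the chart's own catalog annotation further down in index.yaml is `catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'`, and PodSecurityPolicy was removed from Kubernetes in 1.25; with `global.cattle.psp.enabled: true` the `validate-psp-install.yaml` guard fails the install on every supported cluster, so these branches are dead code that only suggests the CNI pod is constrained when nothing constrains it. For the record, the policy as written permits `hostNetwork`, `hostPath` with no `allowedHostPaths`, `RunAsAny` users and privilege escalation, i.e. near node-level access for the `istio-cni` ServiceAccount, which is the requirement that a Pod Security Admission `privileged` label on the namespace would now have to document instead. I would either remove the `psp.enabled` paths for this chart generation or put `# PodSecurityPolicy no longer exists on the Kubernetes versions this chart targets (>= 1.27); psp.enabled cannot succeed` at the top of the file.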
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-installer
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 1
+ template:
+ spec:
+ {{- if .Values.installer.releaseMirror.enabled }}
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "github.com"
+ {{- end }}
+ containers:
+ - name: istioctl-installer
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ - name: FORCE_INSTALL
+ value: {{ .Values.forceInstall | default "false" | quote }}
+ - name: RELEASE_MIRROR_ENABLED
+ value: {{ .Values.installer.releaseMirror.enabled | quote }}
+ - name: SECONDS_SLEEP
+ value: {{ .Values.installer.debug.secondsSleep | quote}}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/run.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{- end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 499
+ runAsGroup: 487
+ restartPolicy: Never
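Review bot: The `istioctl-installer` pod sets only `runAsUser`/`runAsGroup` and leaves `runAsNonRoot`, `allowPrivilegeEscalation`, `capabilities` and `seccompProfile` unset; on the Kubernetes versions this chart targets PodSecurityPolicy is gone, so Pod Security Admission is the only guardrail, and under its `restricted` profile this pod is rejected outright while under `baseline` it runs with more privilege than a job that holds the cluster-admin-equivalent `istio-installer` token needs. The `hostAliases` block that points `github.com` at 127.0.0.1 when `releaseMirror.enabled` is true also reads like a mistake without a comment; I would put `# releaseMirror: pin github.com to loopback so istioctl cannot fetch release assets off-cluster and must use the bundled ones` above it. The security contexts I would add are below; `readOnlyRootFilesystem` is left out because whether run.sh writes to the root filesystem is not visible here and would need a test.

```yaml
    spec:
      # … unchanged: hostAliases, volumes, serviceAccountName, nodeSelector, tolerations …
      securityContext:
        runAsNonRoot: true
        runAsUser: 499
        runAsGroup: 487
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: istioctl-installer
        # … unchanged: image, env, command, args, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```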
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-psp.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-psp.yaml new file mode 100644 index 0000000000..9da3391d40 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-install-psp.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-psp.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-psp.yaml new file mode 100644 index 0000000000..cfada1bf7f --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-psp.yaml 
@@ -0,0 +1,81 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-psp +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + - kind: ServiceAccount + name: istio-ingressgateway-service-account + - kind: ServiceAccount + name: istio-mixer-service-account + - kind: ServiceAccount + name: istio-operator-authproxy + - kind: ServiceAccount + name: istiod-service-account + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + - kind: ServiceAccount + name: istiocoredns-service-account + - kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - istio-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-uninstall-job.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-uninstall-job.yaml new file mode 100644 index 0000000000..0091d0c176 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/istio-uninstall-job.yaml 
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-uninstaller
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: istioctl-uninstaller
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{ end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{ end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ restartPolicy: OnFailure
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/overlay-config-map.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/overlay-config-map.yaml
new file mode 100644
index 0000000000..287d26b2c3
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/overlay-config-map.yaml
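Review bot: The uninstall Job runs the same `installer` image as the install Job but with `runAsUser: 101`/`runAsGroup: 101`, whereas the install Job uses 499/487; unless the image deliberately ships two users, one of the two Jobs is running as a UID the image was not built for and will either fail on file ownership or silently run with an unintended identity. This pod also lacks `runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities and a seccomp profile, which matters because it mounts the same cluster-admin-equivalent `istio-installer` token. I would align the identity with the install Job (`runAsUser: 499`, `runAsGroup: 487`, or the reverse, whichever the image actually defines) with a comment naming the image user, and the two `{{ end }}` lines should be `{{- end }}` as in the install Job so the rendered YAML does not drift.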
@@ -0,0 +1,9 @@ +{{- if .Values.overlayFile }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-overlay + namespace: {{ template "istio.namespace" . }} +data: + overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }} +{{- end }} diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/service-monitors.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/service-monitors.yaml new file mode 100644 index 0000000000..c3d60c4fce --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/service-monitors.yaml @@ -0,0 +1,51 @@ +{{- if .Values.kiali.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: envoy-stats-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-proxies +spec: + selector: + matchExpressions: + - {key: istio-prometheus-ignore, operator: DoesNotExist} + namespaceSelector: + any: true + jobLabel: envoy-stats + endpoints: + - path: /stats/prometheus + targetPort: 15090 + interval: 15s + relabelings: + - sourceLabels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - action: labeldrop + regex: "__meta_kubernetes_pod_label_(.+)" + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: namespace + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: pod_name +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: istio-component-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-components +spec: + jobLabel: istio + targetLabels: [app] + selector: + matchExpressions: + - {key: istio, operator: In, values: [pilot]} + namespaceSelector: + any: true + endpoints: + - port: http-monitoring + interval: 15s +{{- end -}} 
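Review bot: Both ServiceMonitors are rendered only when `kiali.enabled` is true, yet nothing in them is Kiali-specific: they are what makes Prometheus (the rancher-monitoring instance that values.yaml points Kiali at) scrape istiod and every sidecar's `/stats/prometheus` on port 15090 across all namespaces. Disabling Kiali therefore silently stops Istio metric collection, and enabling Kiali on a cluster without the Prometheus Operator CRDs presumably fails the install on the unknown `monitoring.coreos.com/v1` kind. I would gate the file on its own value (e.g. `.Values.serviceMonitors.enabled`, defaulting to the Kiali setting for compatibility) combined with `.Capabilities.APIVersions.Has "monitoring.coreos.com/v1"`, and add `# consumed by Prometheus, not Kiali; Kiali only reads the resulting metrics` at the top of the file.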
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/serviceaccount.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..82b6cbb7e6
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/validate-psp-install.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..4b0e5cfb65
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.0.0+up1.22.1/templates/view-role.yaml b/charts/rancher-istio/106.0.0+up1.22.1/templates/view-role.yaml
new file mode 100644
index 0000000000..5947d3eba9
--- /dev/null
+++ b/charts/rancher-istio/106.0.0+up1.22.1/templates/view-role.yaml
@@ -0,0 +1,41 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-view +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: ["get", "watch", "list"] + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-istio/106.0.0+up1.22.1/values.yaml b/charts/rancher-istio/106.0.0+up1.22.1/values.yaml new file mode 100644 index 0000000000..8c7bfa8d89 --- /dev/null +++ b/charts/rancher-istio/106.0.0+up1.22.1/values.yaml 
@@ -0,0 +1,120 @@ +overlayFile: "" +tag: 1.22.1 +##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install +forceInstall: false + +installer: + repository: rancher/istio-installer + tag: 1.22.1-rancher1 + ##releaseMirror are configurations for istio upgrades. + ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal + ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. + releaseMirror: + enabled: false + + ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging + debug: + secondsSleep: 0 + +##Native support for dns added in 1.8 +dns: + enabled: false + +base: + enabled: true + +cni: + enabled: false + repository: rancher/mirrored-istio-install-cni +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + logLevel: info + excludeNamespaces: + - istio-system + - kube-system + +egressGateways: + enabled: false + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +ingressGateways: + enabled: true + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +istiodRemote: + enabled: false + +pilot: + enabled: true + repository: rancher/mirrored-istio-pilot +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + hpaSpec: {} + podDisruptionBudget: {} + +telemetry: + enabled: true + v2: + enabled: true + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + proxy: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the 
following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + proxy_init: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.22.1 + tag: 1.22.1-distroless + defaultPodDisruptionBudget: + enabled: true + +# Kiali subchart from rancher-kiali-server +kiali: + enabled: true + # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ + auth: + strategy: token + server: + web_root: / + deployment: + ingress_enabled: false + external_services: + prometheus: + custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + tracing: + in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" + use_grpc: false + grafana: + in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + +tracing: + enabled: false + contextPath: "/jaeger" + zipkinAddress: zipkin.istio-system.svc:9411 + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] diff --git a/index.yaml b/index.yaml index bb89e16970..0fa3b54a5f 100755 --- a/index.yaml +++ b/index.yaml 
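Review bot: `tracing.zipkinAddress: zipkin.istio-system.svc:9411`, `kiali.external_services.tracing.in_cluster_url: http://tracing.istio-system.svc:16686/jaeger` and `cni.excludeNamespaces` all hard-code `istio-system`, while every template in this chart derives the namespace from `{{ template "istio.namespace" . }}`, which is `.Release.Namespace`; an install into any other namespace points the mesh's trace export and Kiali at services that do not exist and leaves the real Istio namespace out of the CNI exclusion. The `catalog.cattle.io/namespace: istio-system` annotation hides this for Rancher-driven installs today, but a plain `helm install -n other` is not protected. I would add `# must match the release namespace; the templates use .Release.Namespace, these values do not` beside each of those keys, or template them from the release namespace where the values file is itself rendered.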
@@ -14172,6 +14172,43 @@ entries:
 - assets/rancher-gke-operator-crd/rancher-gke-operator-crd-101.0.0+up1.1.5.tgz
 version: 101.0.0+up1.1.5
 rancher-istio:
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Istio
+ catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
+ catalog.cattle.io/namespace: istio-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
+ catalog.cattle.io/release-name: rancher-istio
+ catalog.cattle.io/requests-cpu: 710m
+ catalog.cattle.io/requests-memory: 2314Mi
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: istio
+ catalog.cattle.io/upstream-version: 1.22.1
+ apiVersion: v1
+ appVersion: 1.22.1
+ created: "2025-02-24T20:29:32.121726-03:00"
+ dependencies:
+ - condition: kiali.enabled
+ name: kiali
+ repository: file://./charts/kiali
+ version: 1.86.0
+ - condition: tracing.enabled
+ name: tracing
+ repository: file://./charts/tracing
+ version: 1.57.0
+ description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/
+ for details.
+ digest: 491cb9920850597521e14c078bb66e408fab4171d2e0c4835a938119ca9e4192
+ icon: https://charts.rancher.io/assets/logos/istio.svg
+ keywords:
+ - networking
+ - infrastructure
+ name: rancher-istio
+ urls:
+ - assets/rancher-istio/rancher-istio-106.0.0+up1.22.1.tgz
+ version: 106.0.0+up1.22.1
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/display-name: Istio
From 57a5161ff5919fd1262cad1034521788d0a5c320 Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Mon, 24 Feb 2025 20:30:45 -0300 Subject: [PATCH 03/10] update istio 1.23
--- packages/rancher-istio/1.23/rancher-istio/charts/Chart.yaml | 2 +- packages/rancher-istio/1.23/rancher-istio/package.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/rancher-istio/1.23/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.23/rancher-istio/charts/Chart.yaml
index c7337bd268..9e3ad4b78a 100644
--- a/packages/rancher-istio/1.23/rancher-istio/charts/Chart.yaml
+++ b/packages/rancher-istio/1.23/rancher-istio/charts/Chart.yaml
@@ -5,7 +5,7 @@ annotations:
 catalog.cattle.io/namespace: istio-system
 catalog.cattle.io/os: linux
 catalog.cattle.io/permits-os: linux,windows
- catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
 catalog.cattle.io/release-name: rancher-istio
 catalog.cattle.io/requests-cpu: 710m
 catalog.cattle.io/requests-memory: 2314Mi
diff --git a/packages/rancher-istio/1.23/rancher-istio/package.yaml b/packages/rancher-istio/1.23/rancher-istio/package.yaml
index 8f552eac43..b7494a3eb0 100644
--- a/packages/rancher-istio/1.23/rancher-istio/package.yaml
+++ b/packages/rancher-istio/1.23/rancher-istio/package.yaml
@@ -1,2 +1,2 @@
 url: local
-version: 105.4.0+up1.23.2
+version: 106.1.0+up1.23.2
From 6fdb4015fd74367b82bcc59136fde36d4e74ad0e Mon Sep 17 00:00:00 2001
From: Diogo Souza Date: Mon, 24 Feb 2025 20:31:08 -0300 Subject: [PATCH 04/10] make charts --- .../rancher-istio-106.1.0+up1.23.2.tgz | Bin 0 -> 21128 bytes .../rancher-istio/106.1.0+up1.23.2/Chart.yaml | 24 ++ .../rancher-istio/106.1.0+up1.23.2/README.md | 79 ++++++ .../106.1.0+up1.23.2/app-readme.md | 65 +++++ .../106.1.0+up1.23.2/charts/kiali/Chart.yaml | 28 ++ .../charts/kiali/templates/NOTES.txt | 5 + .../charts/kiali/templates/_helpers.tpl | 222 ++++++++++++++++ .../charts/kiali/templates/cabundle.yaml | 13 + .../charts/kiali/templates/configmap.yaml | 30 +++ .../charts/kiali/templates/deployment.yaml | 240 ++++++++++++++++++ .../kiali/templates/deployment.yaml.orig | 224 ++++++++++++++++ .../charts/kiali/templates/hpa.yaml | 17 ++ .../charts/kiali/templates/ingress.yaml | 62 +++++ .../charts/kiali/templates/oauth.yaml | 25 ++ .../charts/kiali/templates/psp.yaml | 67 +++++ .../kiali/templates/role-controlplane.yaml | 23 ++ .../charts/kiali/templates/role-viewer.yaml | 96 +++++++ .../charts/kiali/templates/role.yaml | 103 ++++++++ .../templates/rolebinding-controlplane.yaml | 17 ++ .../charts/kiali/templates/rolebinding.yaml | 24 ++ .../charts/kiali/templates/route.yaml | 34 +++ .../charts/kiali/templates/service.yaml | 51 ++++ .../kiali/templates/serviceaccount.yaml | 9 + .../kiali/templates/validate-psp-install.yaml | 7 + .../kiali/templates/web-root-configmap.yaml | 12 + .../106.1.0+up1.23.2/charts/kiali/values.yaml | 137 ++++++++++ .../charts/tracing/.helmignore | 23 ++ .../charts/tracing/Chart.yaml | 12 + .../106.1.0+up1.23.2/charts/tracing/README.md | 5 + .../charts/tracing/templates/_affinity.tpl | 92 +++++++ .../charts/tracing/templates/_helpers.tpl | 47 ++++ .../charts/tracing/templates/deployment.yaml | 94 +++++++ .../charts/tracing/templates/psp.yaml | 76 ++++++ .../charts/tracing/templates/pvc.yaml | 16 ++ .../charts/tracing/templates/service.yaml | 70 +++++ .../tracing/templates/serviceaccount.yaml | 9 + .../templates/validate-psp-install.yaml | 7 
+ .../charts/tracing/values.yaml | 53 ++++ .../106.1.0+up1.23.2/configs/istio-base.yaml | 140 ++++++++++ .../106.1.0+up1.23.2/requirements.yaml | 9 + .../samples/overlay-example.yaml | 37 +++ .../106.1.0+up1.23.2/templates/_helpers.tpl | 27 ++ .../templates/admin-role.yaml | 43 ++++ .../templates/base-config-map.yaml | 7 + .../templates/clusterrole.yaml | 143 +++++++++++ .../templates/clusterrolebinding.yaml | 12 + .../106.1.0+up1.23.2/templates/edit-role.yaml | 43 ++++ .../templates/istio-cni-psp.yaml | 51 ++++ .../templates/istio-install-job.yaml | 66 +++++ .../templates/istio-install-psp.yaml | 30 +++ .../106.1.0+up1.23.2/templates/istio-psp.yaml | 81 ++++++ .../templates/istio-uninstall-job.yaml | 53 ++++ .../templates/overlay-config-map.yaml | 9 + .../templates/service-monitors.yaml | 51 ++++ .../templates/serviceaccount.yaml | 5 + .../templates/validate-psp-install.yaml | 7 + .../106.1.0+up1.23.2/templates/view-role.yaml | 41 +++ .../106.1.0+up1.23.2/values.yaml | 121 +++++++++ index.yaml | 37 +++ 59 files changed, 3131 insertions(+) create mode 100644 assets/rancher-istio/rancher-istio-106.1.0+up1.23.2.tgz create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/Chart.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/README.md create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/app-readme.md create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/Chart.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/NOTES.txt create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/cabundle.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/configmap.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml.orig create mode 
100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/hpa.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/ingress.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/oauth.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/psp.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-viewer.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/route.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/service.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/values.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/.helmignore create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/Chart.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/README.md create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_affinity.tpl create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/deployment.yaml create mode 100644 
charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/psp.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/pvc.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/service.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/values.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/configs/istio-base.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/requirements.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/samples/overlay-example.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/admin-role.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/base-config-map.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrole.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/edit-role.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/istio-cni-psp.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-job.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-psp.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/istio-psp.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/istio-uninstall-job.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/overlay-config-map.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/service-monitors.yaml create mode 100644 
charts/rancher-istio/106.1.0+up1.23.2/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/templates/view-role.yaml create mode 100644 charts/rancher-istio/106.1.0+up1.23.2/values.yaml 
diff --git a/assets/rancher-istio/rancher-istio-106.1.0+up1.23.2.tgz b/assets/rancher-istio/rancher-istio-106.1.0+up1.23.2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..da122380bf02c3f1654ed50e46d6f60fc4dd892e GIT binary patch literal 21128 zcmV)`Kz_d;iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHcjGp)D2mVD{1iC!?9**;lal=G*4dfg@pOAK-qR2N?9SxQ z&dO3lBqSlG2nGOcE1kZd{Vo&$5`0PWquohHTr+8l#G_Cs6bglUaGXXn!UHNKWxZE3 z%w@R1^W;yD`1Jez{?Wk!{M+yM>;Dc850CydI5<8$-s|@d4v+rSAM76=4gQ4sj|oKA zlM9LYpZX8(t3J5j$%E6BNh~Q##n3}2!V)KJ8b(;kgoKp!BElt|P!bQ3p_SHRF%?;Y z7eR{WWQfibHMN$z%Eu(QCR|XK4$-r}e1itz-f`Fu`slyVAlx6QKcBT$RZWWwM`VbA zS_82VlFVDnGBHF6P4nB15GJr8H}pZ3-Dz{6Sg&svF?h=|in!n+eR#)3wg zSdbtx&ybv9iD)V$P7;A`sGK1=BN~`UCLy{Y6T*>XXeMPQhP@tqQeY)m5+QpYLKDVO zOeCg>2t699zHI48F*p&LX;9U$5JZYz!lq1^#>Dm1yCRDl#$z$`0+bSY!}t|Vr(S?) zI^kGIo<}n0#A}<@5-+$KC)|@c*Nuy+MutAM6bd zH~jx89(GN5f){_I2^k{a_avSct95JZl1NF@sajDHIn&E>h$PPmx}iyeIGM9+0!uWS zk?0DR9*`0;ivYO#QFx1R8tXbKlL)6cS^PrKg5}&Ucgvtq#wmj(Za#R`-X}N_#PiHY z!qv9LNyY?~zz7XR>$Myd#XN+Zu?42oz(Z(j%kb#8lyk-r<^)A7ozQ8{_0H%FE6=7J z$3%os(c-7lKuA(NPSl23A}YeUFl@k~1oh`d>_N0x&69G38U7X`U)Vv=mI$GT;==2~LFp(mmswfXLnvX>H{_ZmL$!%2*@E0g zNgk7TR*Vao$3JZM3z8{y}j=lX_!TisV?5>0*c^yCSKlwnsH0{q=^7N1QP^L_I)Xmav8DTYoitbktZx zR+bp4wy0tFKyPy*XCxPP`9-;qY(7$poIK`{_X&IBLxqLt`)<)6V&3O)L8blGXRFYeHj^%8Kd}sW>(Cmt)CvmKZ zX=r{n(f0CSpu~73uEEBP5hlQZiR8glYaX}`fIzR~)JSCEdVuj>_@L-zL znDkN>lR%J!M0$B_ZF%a|CA?u=?@e1<=nWMTu?bQik;F8W0yrN_h+0GFxe<^B`bW_p z0?pUawr5I#0uKG~<5Q~$s^@=6<{9WwdZQUhGQveDvj?jJR_TBD2X+1L(f+~F=KTK@ z&!tV<2Q z)6&;oO~1dVi~r+zPSZdM$Pd>Buj2nlP5ys;u(#p=Pw@mnP`S6^V;qI*6u>zB1vo%> z^#T^$^}xHLX*@))H0Qct3GwDc;uuSiMYY&vPK=$+;OUf;DVB=K1VCj&$mbHsP)o_ly82{nZ&IP z6kp0$Fyi7@v4Y{vHQ{3=R{B#S{axhWU>VKS9|;xG|FH{A<%QQuRK-L{n!*fM0U_x% zTTEzD!Q<3u)`}PA97s~hsZ&|dm_*pAcul#?)pS!_E2sNuEcN z{aSg06~?yAo$?g6U$3?m2cQ*B6$rxJh%4K$-NuVOQ@?05Ro!PF++0&$yjL>@BM)w; zT`s#rNR1>ap;+Co<^L?>aXBZN?dWfVp(O*cE3=MqbrPH)I~#@JQW z1O!T4urEO|LZOGSqyCaAYXOys+Cpr?6k{@HsUT7pEw6kU 
zzk3s!;)MR91^>X_1`+*>lPsYTE*cUNOESq5^J0w!&P0S0ZM;!~5f~RsB~CIH+mafL zRqd8{7h%LWVIqv!yxD^}fSA&?hNnd8x!?p#((D5c4vS`^8H?lM+Hnlmj_ZKj$*x-n zs@%<;BW2~inVrgCPT5t!zzur6S6Cf$Y^f`aGe#}Jkn4hW3h7W-bd-Pe$SsM=Um4?a z!uSp5v3{xcE+I)OuUV4MNt9qZ7nV8kg2>8qWAOt=5zEuHFx?y+fDLNY$~i7T&!$8^ zvwy2ocJTww-p{PI8mDoG!Z{OJVVVV+*Hu&m%5~Rr#*e=bO&P~8aH zfBa_+`QLDX`yT^Vo&OIG`&IdWuYc4(*vS7+@ifHxzv|guUn#u$7$EZTPb89HORxL8 z)GYW!v*6B(cUJzggj|q`f~0v|>F&fb*d+t~!!p9I^-p3dAL;sMjr*U2`u)%0@y7oD zNuIBJ|D&j^cKx&dYOgM6)zs$pXLI|rx&67*)5ZVwqKZ-)sPo9f_JCFV|9HP&*Z&^$ zH~QZvd6pVa)sCX>KA}&cz3ai4NNjh8a~5BkMRl%EsZHT96IoCY*PVI3Vt%SE@c23B z^qMAQN=`+D6Rf>Tjd}G%Xpzn=FvXpQ=ps)~#7U|S&od_EJI&}yR}1y|J7H~{TWSgN zhNk&#_xC)@5&}lpNtN9+ifVmDsYvBkc~soJ0Uw=ba`BpSquvr=CF|W|({@Gs$DR~N z>|RHdw!(QuDz8FNo*2})JI)N%{a;nPCte;OAzBQ%lj^44;}a=vmh*q>arP4%KVT17 zb^o`&Kd7Jo_YODr|4;I`%Vn(O!*Xf-Hyd{y?jxBz;Fyk3E$Re9{){B^P|SKW#;$y| zy$ET0*o7a)<+WKlxFK{pll~C-!J*&s9o&RSpckJ%L}M~xoCNRZ%$7xPe<=g-kv(23u9!}xNCS`ZPd1McKPA# zJ+yIoe)6iTq1B{ZZ})HSFJ7IF&fZ;qIC=A?3p_J+*RkETj0evcAN>jkz7F^;7T%s+ zT)e*+oxVHy>zmWpD>__7lS_NNJbm^4-RsNI<(t#f^R+ty|LU;f;B9)TbYi@`)oHai zrfE;i{9QkY;FM|~%%^ai?d5{^5*Fd4hqJ7wLyCwV&(l!MDmAo_^%m}V+DOS5xane* zA2f4Xi9B_m9ioq>yq7tYP`XTy3memQ(zs)Y*C}#=!R~2!3M){1l0AA zR!FYHO8-mE#_ochmAJVR0HzhMbNr$rZ@%l$9YY6Ir?5|mrr_7!;mZ)BUr}nT*D*k01uvOeWR)Oa_p0q;e7FYqC6=`2-7r=7f%A*)M zc=@vW+8i(rUL4!A6;U#r)JM)CdPlAa|HCTmANg5N{(qPbXqEnFP}l$O_4kgCH}d~e zJWsCwdFUOVmAEsj{Bb;qD@q;r<=OeG>WlNU*G}k_s@_MdYM#B#g#>-gJCYNHU2)2S=-gD=dWV0LqSJ48o^hx>Ig3_VJ=++I{Jx*%{Qu#)|39tf|NDE5_@76r_=f*K!E;~!|6rAK zL114+-CXv54^^{{KxJ+-19MIYa8Y{AW{h3zgWH+YTf*;O-MVH63VRU7XYIQ2{d+Zc zya7#rf@93RTZ$MbaVqXp-{@N&@!H@4M17Ad1Gl&PTo=^G{Xm)SKEqyppJyeK3FBiL z$0WU6h)5Y_dlWOR|%%` zjfD9npXKsjo<7D6;41lVzwZCH*FW0Z-2XkvbN~Clf;PU;4In4x=I#-${5o#;y6^JV zx-F|>z&@M%vbFBZ9^t~L!2bw38`+p}n>(O;-vRxbUjc1yfPRZNK!g6E^#-VXU%LT% zpZ*QgB4+1rxttt{&#N^|L;kj+WObg!aH>StuYeH z^P8l*n_&@&jHd zDtagvQAxr!E1WZAg*lvMKi+4txl8LT-PMW&)gYua`Ekt^R$oc5PG(YOPDJ{a72`%A z{@QH#t350Be{-AmFe89f^8es?ukQbMytldkf0CzF!mr(!y1b~{jO(s^=xdLB^ZaSa 
z`ZuA@NC19mCVt&LxxlLRe|X%G|Bnwh@gJV#*)j)!sYK5clA`AcV^?{G{AETEKJuL) z5I*wN|F*YLANJC%yVw-j!YPyJdFbA=hbQM}hBb-s?^qzeYM;<+SSI+}MT-+m6XbuG z5hJM-=@w!}1avmTCUIq>8FX@fR@hU7=p1fFP)vma8l7LBo4iX@Af5e5JCvb}vxpD~ zmE@O*Fv^FHzrXhMcdvg+Zk{au%R$rrZ*Qajdy?nt#(z;%_DJzxR8yPyFPr!;_Z;+Z zAs9?I&|hx-SNZ?N>B;N2r{O$))IOH;|3UxgpdSBwe}Aw!|2@gGg)R&Q=rsJVltkls z?{kiRfHyxrZ)DovMrBIn8;&zk$Vvs;#log+5S5^`%|9NYcG^Dc==mziY&CpexHNSk$)vYQl9A#x&2p3saFv)n?+ z*k^pMb*9VTU#0n=rzem8j}=Ocz~J-5RLrDIAU@}I65!XwiZLsgK5-s z>U}6Oo9pb^?g}(5-cUIMWbHz#@M`)~YdPb6{P@uWjN0a^P5oEGOkz(q>B$-CRo6Q7 z^cNK97ziXNv%dvtH3hTkM-SmUYjL9nL3Gx*YNv%wjzAIPoJ2BN=!CEHT*&fsty+=u zy(mzkH+H50Jr{(uz1R8DbRI_c!*+;1m=x(_qO-88-kkv1C?z^Y+L$1GjcEd6K1~th zvB|s6Sw?uWK;xVyam%DJ?Lq)RKuUa^gr2vvV=}y&Ecq5JiC$g2)?*Omz@ZQ%X?L48 zsKX0HQc%Vyh$_@TAjA63j`#5t{wgu3sar1|Nn%Y@16|>{*j6QBsA}jiuu}0|8Id-o zbBl8lv1v+wA;|ZKC}mpJYi2HS7OBp082&_Zh9zX^H&!fWSk?K!oD4lL(0Osa0R1G4EJh)az^Gh}wh)NKdss{`TyN zk`z#dYL%I6zA$vp(?5U@3ZMnakP>wP#yL*$l&II-u{(>cT!rRD%#fUMmQQDj%MvUg ziN9I}v7MCAtZmb8h3RdZ^;_nsl6{55R=zlBSW(Z>*MZ zuEcG~ybsf^_pHikd>2u@>S9(o=L=GuQoDu4yBdGCDQD?GYQ_nsNoaF5n>MpVZCNSG zMFHwAB+UF+xj+2|d>1~Vn;A*nvFWbVfH4B2R58huO4r4lIEa1a<{E(7n!Nvlc6Qz| zNrpQ+=tFIzaBJ9{(O8Il4n(7IQy@Yo(Kd5sd8(NQqXaQ5zo@Igv(v88X!R^jornj^ z*hm|w%|Rqmy#E{PQv+QK)ZX-_`GeM2TV=&Cr}+HNYfsLdxq|gmjo3XCy}B zg^Shk!ny&OjY1Dm6iK&Xu}O|66B_LzlaLx#-<0EQW|_V@Czw14nnd;5C_zyuU?`z; zDm65a%$$MYF`dxJDQd{+9tcrq>5l*(j$_19qISf(0O4k>&>X3lS4cF@Qc2UC6wGGT z_+jdcp%>T)k>?FU#mW%2mkM^~74tY}aq-inGB2eNSm3hI;OQB;!Knn4!DNO->#4)c zFX5ZX93`0su7!u$lXux3kdEz6iLDh%sxit_lgr!=OlShPDb9JGVlL^)4vMqh(vXM-|gq|Wi}*qN(w zzrQA&)0m*opWSrmwNii`rzj-l{`ASo>K+=f!i;f=K7WQT75EA=&2fa{r%NDvZDdXZ|D!Xd0;f&Gc9m-9R3o`l{#W94B-_jrg8%7Uy8cQwr=qm^KWll{$}` zo15?__-5ybvR=$0(Hn$&gWi-#Nz-Wn*5@SdZKIe)Ie1)J6-G=X;d7c23zG{bY-vh9 zfiq~ala?UD2N8Zb1z=StP-;>hQwO+0|2H^3Jgn*e4)%{X{(n#M6#74XD*0V#{?M63 zI1$Y10L0MSK|4D?fH+k`T__c{cXozqsp}O6Vk@u_E!3ik>dBmvSuSBn>g22&)tq4k zM}Qtq(9b!It`IPTU6(^u)_iUOvE0;Ug~o-g&{@H0v*ZQ^C)-7tK9O-U(Ml=}(>?gl 
z94|EcQC|p-L(lsgQ#&#!Stg9n&G|7!GleKtsw4@PIVZa%5Q=&Ipx9%HFT-HK*bx|~ zdC|Mx3vYWQ)x@QK9rm{MhVmVRdNqfmf0Rn8>p{48_@AD4sSvF9p~mN3^n*H8*c*Lx zZfqc8-ORne zptFkMgb6~b#FRzR2AWU;T2?I44F-J$izqHMn5yjg<+*d_ZcYnL(F9*BTuu;1N@z$3 z(xcPO50?$L3ANV#SkzS%9c?6PwI78}7mP-(DMlE51Wst0`iP#BYm!=()f}fePLc(R z5`t5dXXPNb6%kRXrG#ipbc$@ z3;F;pkT9tgoX-uwR;#Rz0+k``A|j)3J5-n|aK){DdrBk{GLNnbEge8s@UMuaYKZ`d zb|+G6(qT6RGN9ech)s^a(DS~_SgL3b_`)(mmQ05f+0|Gv)So0)OW!1~La(7@P^l<> zhLcIT^bKZ9rtJ#o79_1Wwv=D;2UwJfVM7T;Cv^^XVw0FYgoPEEPVXsVsacEoYj^WI-Qi$@iISHrXE*gYK;jMye5WWm=w?SQ(5+o$a z?7qvCbUPR5!muZ~~(Ysi#U1nP)vyp|{<@uO8q( z;1=@?ZZVDG>4fqr&N33C)AX8hmg+0Zot+af{9s%OUlV#;@?{*ydM9w0ZXsM52w-+h zYy@B-DZ)iZr0mEHS85^`IVp!(h956>cl)othVAY5UmWaho9iS!%AFnbJ%KGtNVWcO zd=2-NX0gDM7m^b^hcVIA=*=al&gU>MYLOt~lSMSbH;mU!m#U)G8#otfgpcml*x;zC3@Zy{0W9|httu|Q*aAWJ}<2>Y1)qQlqwu^Y4wqJv*7U2fX zHmaJl8?X-VuQ)?Fx{vd#m~s?ksCSKdkLPKb>15Gy^m@u5KaXh#l$F50A4BxI(OS&XXO88q znn9K#h!8*3GBHa8O6V0qAIDhCR9{if6C-0-IqZgtnbs*=~ye^M$io^|- z(M(@fPxAzG3&VJU@=Pc3Mjstj-$yusYIMGK3`Wc%vlr8ap%^M`zfOb_GY8?(u33Lp z3Ke+rD=ZQx_Gg+kUqniYXepn1&6`I(W;jn(tVssUQjMu?W~IdDQFX+(OOL6u@c zr8#@l@jQcS#l51ObCOEMZu2y4m?)tC`UVZc69xGRLN81R+R*VFTsL3 zHLMt=V<+Msq_jkFE312bO_OLxB-LIi%Qi^asD@cJs?~7X9K4VOjWGtD&Xin7v?YZ= zg3hTTFv+yK*w|rASf0k{2#h`01m&qA2NHJ?(*mli|D#G9gY_ySs0sgh#ZtBO(0PJW zQbZ9%8H>xXf%;Wou{A`u;ca+Z8pwl9hjRf}7;Zp0rz5y2EF?RFLnVz%k|{Yv$r{Ch zNb-f<2ut*{h=}5P?QJm$7p3*(+ghvUI!)upo-BUQ^f*q~6cWgE%VDZWZ?C^M=ovB% z0H>Dxjm2@ z@|{Ng?W!Kf92V_D(>tQZJ>$eC@xN|NMXMIMW)lX?LDVB1Jy6HEQvZ8U&;NIH(BJ5P zpX70E|E-%>v05yvF^2!JyIB#sa1Jj0g|(5iq8e*1ZN#@qY8arZS`wrvrOT>BDQ%`r zx_aRRrg}gCrorA?5txD%A()!YRpJ~yFbq>Gkc~J@4H&C|n3jU5gBpKpO!TdlOL@Z0N9e68qmlCOsKUP<%yw(mytUA6B=_4U>shwRsBbwl@0 zM)#|LFIidSWV@tZBt3fdo8WK=yx{tqF?){ z@TfoS5B4kH++IXWF9!$v-QCnbR=RoF){Ts^mQMBu2mS8RG{3t2RKFGdByEEk94;G9 z`Bew(zaVoamx^a@xjLf*&CasQP++O3R--=tvN|!^_UMOZ~ld5S2T5bHI8Go#a7`p?dj4dy2KJH1pV&YN~o6x zjB(l`{2&t>`t9k5lhNyUm!nrF=O4biICUJm8y%WJPw;74k-$*f$-z13tvFmDBo`T3 zc3x56OW@mNw)Wmy<+_&c>f(;upT3u_4D{U{ecp?yDxrKx#Bp;|4lQ;E9j}zC#2trM 
zBbrkA`0zlp>j9;URv>GSLSg_oZ*uDcEe*mKFT?$6 z^EG*==)k;R(M4Ix>Ex&%_BV0m?(|gGzrgb>aiYJITX^w6Rvr4aOg0?#1butdBQneEYDi?}4tCh#90y~Z;4~sU&<7R>g`47JB6{5c?d~{T#qvAt5z}XEF22T5FJ<`k&gq% zX{QJ-6BlYVL{n?Q|4iszJM?C(xDu(FC+WqmMRppgF_x}dH=!=5c44rFO=Z1~!n3gu z>|r5@6g}07=p}5*LUBFyuE^qs@feO5I(~d$P7!XbLG>}6a4aOxBbjsJ%`q*L@CAs> zF-^?*BLIJ=|Et;P6hiqaxQa8xKg})JU*UeIFs6#V&q#WyhNotbX?JTxCCamHa1jt} zPFPA{c%txG&SESLOb)=3d0Qyf{!zOKqw@<5p6d99BoUjF&;xvrxPoZ}JBkm;H>|S^ z-^6SX5FMmWN5FvV3527F2rzMn#?;2--H`E!GbTr@m|8e}ZFyVhQo9YB;6Zabr;&r6 zR~N>a8*_q;w}5f;ERwUS$$rPA0R|SNoH1bo&}cXG@uKu1eO0k|X10 zs?TxFqjI8iu=Xo=GNa}PB~Xwjyd>P<-G1O%adeOjQS+G!3*J6 zzg95^W)bFSgtiK&5OCV^uLt4&OCN%?mU8#cIbP_~n1#(1oBw|jkH3+4Dz*^>MATS< zQG10l(crwK920BaPFs{UWOm3xLyiW85olnyV({I(jH-ex8Wu3i#|0w7Wg8trz!QrrfFzg@x zPycw>?;Fwqtveqn<}^h90Ak~_n2bbeBLr3}unOt~UnEp3UU14dm5WgYO+Ih|Izf&Q zGRv?Q{w6df@vf#bPO^kXSQNhOc8@Tkj3zrMGDHKfq3o-x`9Q(v5BhVzn1VSFtbcUy zmKsz76CBnH48Dc$nj#xhWF4YL#&Od!dBbIzn6h8A)(tRHF>?ZfHxxcHT;3slMeO$9 zu#dLTeaK$*K*`NW@&3^q_#MP2@VrKlvth~2is-E!n-XlC2K`FJsBEF0M`Myo#bq@f zwj#nMxV6G&lyQ2EB^h0jg?VX2AQSLqG)b_|FsSM&(FaQ+MozGp5lv(DmhsL_v$CfK zD8i~OVSX8JSsdt6iec+uxv_r#`s8q9Rq8y?h{C}LC4EFm2|3}YD*p#Lt$*u^P zO$jw#XXS9@SGKnydod#LwV?x#zR}^5@gOrA%hy>;tVAD!ZF=O7}A>@RBX{q z=%ase>0{i}4h9EDRqwQem-~kY`~Cert!$Ht(a5(N+nMErO2~BKOk@pY0lk0igYduU zvqb+>CIfo+{=?~IC~xKc`dDTEad2=@&;Qlm-}wJM$@9HF%Ixv; z{|$}~4;uOZk2mZ8X`WA?dOPTv&W8}LMM--~82)Ci&=Sqa5bg9nfA&08%zFiiLYycs zlRQZlPI%QKqPAMlq4zyea!?vUC5evqLFrZ|;t-1QIKk6YEghashq8l1fD^yyxlvcW zes`(LLfG1jMB5OtM$mblXcZqpH&~anS27TNN@%r3m(CS&tb^P_;3!o&iBVnq8bWMD ztIHNuWj3T9sMoLxYOVJh=dv3BDs-t`Pr+GlXjhwJ+)zQ5jwAG7%07Jx%sI}Skj#x| zXxr5}3XKKrbDYNLIr+J?^zQ=F9JjX7^OO{&8-uo`wzWyB>ZP;nubN5}eOSMaM3831 zPLNs}(8jOMpA`z$x?iZP#%*;NxT+P^rQq1N3a3!CL}K&fBMKD`R-uUpLBkiPbTyh`GMa$q%%0mO(1~EjFdWvRUliN;S%Z=JZq&#STtIc ztzuOlVzka-Rku(`cRC}r|bJ+OP`_5ID>1)oo{at0j43`htpuvd*!cc1Bt` z160Mqc%eJ8B8^qowpPk8mjRoU3X{e>7Vcnc&14+rg58%{_$UG(JhP z8Ge_~(ctKQqrV|z(59^#uKCC6dRm8BD}zc<6~Q?halN45^S50;kFIh>dnF>4SE%kb 
zJ>O};!BPdQYCOwRHp8W9SX{f=^wADD)t+jw`aN^4-wMl}CeNxoL1(FBy`c|qdk6wr zS#F{ZyjL&8|IycREG;jbS53U_BP{f(mARi`@ei^n9R)2!zEiwG=FK+01SVoLrvkSWB#2I8`%@ z)(x#zre$q33$&c|+H`++7=Fdx$>u7k;J^oo!3V8osd`Wno@+OC7eZBihPKaE+*C?b zcl!FdyIRx%NgcSEEXvhvlD4<2L_`zh|BK})rZH$A4B!>(4%%Yl^*jg!G0KXv^>4y3 z+z!$ARGI`CI(^cv)v;(0YsjyJkq^-+1?>t11qO>G4s(N1OeYYVv|j(3VrXAORKbga z$K(nLoBXUwb`9KrnN>|EXvy?c9ld`i(?f2vgho^*3uLZy3Bsw)1XXRT$jo=QIcs%$ zcUNKeE@l?-{rMz_ypPN#n_0>9rE2vCzLi6)SG7sq>(_fQuPq1N=``OmuxciT_P8uf zwOP-+6F|?ixs;9 zlrVNBj315pto88%&nx*sJ6GuikvUHV!sx#*-@ijKjU>7Oj9-z3zFKfIqCk^c5v)yP z>jg9%2oyCdSb!d2U}_rk6<0YXXXLelXZVeVtGQxIE7Y)Qf?5r40WIn;poROu-Y|Cc zH^xCX#>tf2US%qVQb+F{$oxNru9NEhkT>2-tH`7RCnEI+TI2M57d8m zuZ*5|V{f~Z`V6AY+*-YAqr22-{>mx^8agrHn9VIigHz10gf;;AE~G86euG-Ev%JmD z=sBhXyVSk`siyc@>3AuI8Zu?Olu@+&E0XNLg^mICY5fo^U-en*{y)Mx@%lY|!B*M- z93IsCzxD?GgH8OGCwU%v{t1Gh>O*UTMHG%G-rR{Pr*Bs}Z|>YHpUC z_hSGn*8l$ge%=0Ou(yf-^fb?xT)$7ZY-=L4qt9#F4lAX^ zHCI9*o6|y1g?!f%$47qMIL9}0P%4`$x|`k(q+4?wD)p&IIOntpX!^9nT84!{RN9<9 zC7?7#5jH+$db)MyYgM>9h>;ot2z1fhnI1h78!EGd&I+I}*}QOsY#>dcbV^cnL?*F@ zdu|+FCAhu7B~OHtU7Z8c;<6h~6V21r0X=W0@kY6@qS&pD9+Yr?sd?^bv!WTwxESuZ9SNM;pD45 z46%%6ZyeMtLr&B3wM5d9Y2AiAFwUWnHS{}(j#0SV;@iudPl@*CHE+I4@inFi9w)_n z?KXSiHsPTnxN_kjSqUhASJElsD>zZ~?nWFh>YB&)gF@*wT`%8#Byj31>93-hY|tq9 zNX|%fCGvT%h(=K2=Q-Spp+AQo3|_;(VnNQa68&libAKBKuHy!Xe7>xH!6tDBTzS)Y(7)iHXmAkew}T>=c4&Mb$<_q%5Xm9a@2 z?`kw~3OdV695j(F=(PNkU! 
zufHQqaVpj<7Mkp_WvYZ!oZBEG?ekx$)tVDzb+4M;ReEivROv>R(?shETRope4)9`n z0-ILAzgJ#?sytAp7f@?=3E7(CgiOh)h;U+}Z0QIhWy#DIiksg!!SVYvSzItC z|3(v{Nw*Th0*dA7iFn7-3y5A(`xrU5N7ZP~F=tuzO@L0`yjivl*J3+c-itF@PeNBL z$MX(Z!$=jDC?TxJBT7YXqPf77y9;iutv6Rl zwMMf-6^#hdluC+|*CfGK$rPp;M!4oN~j;hU_-_xAzxsPd>D_y4;0VhiB?+_`})T)6w6~PT#z~XCIA7XPsSL zp1eJOb9ynlIQh_+kX607!Oj0)AHrx`j?0W5_GA*hPQ7#tGO$wvWHd z95viVzry9EHCJl^`Ok&d?GjwIchFPS6=Z9Vro}kb#!GFJ*PH-=_e1zf@M~SH97fBl z_QOIE9I-0EHPWLjKRJ}GEIl%~Kxy{am56r^8(6E7Wz`Vw-)5-DQk z@QvKC{tPb_8I}qR%fyA%)70AJ+E)UMqvtI&YQvvHdiHJfd{wcG#oH@OK%{in1EU&b z9W9ktDiBq)xhy6ptqpaHE!D=>7G2hYFJm<=VtjAtR8x-*9Lz!;!c@|SK&jhY8`Q>& z2PO4?ftt>1?xjLKz5kLiRTKT!+pmDEV7e^Bptr+Zx+>lQ;7Ww`l^|D3cLM!eH$=OS z{a461o!+6374~2KgQMe`{ny^X;9z6_^%Tz^$Np<$p|!El+E{39EVMQjS{nMyh8{4L*vu)Z~1Z^yWHWon}i=d4~(8eNYV-d8m2-45SBIrT)AvJp*UEDPw^45X1 zYU#7CihoUmostYMD>wA3fU4W_EC=hiZqjq7XD$1mS%&W!`WK#6@qdr^oB6*F`WyS7 zr+Aj!e>%1@bt|EE5mnW|8FenSj2Y428K=LnRN~~E#V5IBBEkvbzZaV#gaF>NNcgl8ZN^tiqXZm!v(8Fu3f14ZYo;+a1`ad{0Zsz|!INGfL zr+6OcRAyQsKO2Liu2aLZoNoFwt~kwl3XYV>8^*7clz;U?C*K|P&UCAw=WrKjTj5&X z)a8Z8MB;(Fxb!kN{e2Bi)^4U?u!`fD>N8=@WNtZQ>8{=gw%3rdQ&QA`8bT&yjN!2=~epaQ6X|7diw{1qb>M5Vskab;9&p7-of$9 zgBRPYVKji@G)9W)>+Ea>wjkq7vWO+2J4g4@v_Y>0?yE_JY6z)VFD|QBhjNH~xEu9b zXXIhrCAnQhl=KV^0!>;-j zbn!gVdi?;Fggwt?Sk4@E|J^V1TMp|F+-{0PJeIQ$V0V2EF|&&ghDNFyBv5l#@44@1 zq=l^ELFElXX+9ql-f5b%!o;Z?=KEN%I@Ooj3w3KOTycfWGr6eOS93i1IZg|PGh?E) zBU`X_H>;iYKegum`P!n}qdaTL{|w^7-&+H)LjE5dHqZYD{o{@N{}j(dFB5CqLrdP% zy6%8glMEPHT#M81PjWeX1xW`UkTz(E6#XPx15RSfNhH6!I1@uJaG6gNKRuk$o4WqGBbwq!(rYRg zBT46kXChmZZ*!Iqqn*VW{g$&lTLPzNHMJM4NHBLds6;;giA2(zPIP0J z6)!JG^{YM9>U-guSbQ4v>62DaAkPd;JC=B*As5ur-|hxQ#S%<499#Db=z|jBA#_dn z*c8YGX<$r4Qz+y#j?Tdv8Cuf*GEagqdw5^%1TtZKOyiiOmkSZe#0>A*&NKB*Xi7CF z9*Ex$QzpGx77xrv6EC0o5-^)A#;*SoRrk~co=dl z27}Vr34X!3@-^j}NI6rBoW$^}u;U6)%x=;f%;S^uGhI+osE{O;|AeMrC78~C`_jN# z`@iC>LBvwYS&}6@la=bWZ@yw)S^ zgkYI-GMXfKDnOM@Cp1#4VMJ5yTS1vRoW$xa;}!2TcMnBB`2LS=yJypG?Y=!%>=y&a z1-hz9t?s_2Qgz3j8s?Tzq5rtSGMfFK;@NDTyFKgk|7%Ka2*1xca0UP0-|HXM^S>SL 
z9d7vlQ#{L!Pt}}{Seh(Gb8UT^lB$Zt#;QR+PFcE`vt0PwC}>gpt+BDZ(#EFe*4My~Qh6VByHWh)yV}B{n0S6NJ?T@K|t;D_-+m^Mf zBU3M7(`q=P)eL-%K@_{ID0+fFOb{eBVP@w}2p47x(HTG=3j`Ql#<-j?u0-or7ZOV{$rG{ePFVwLtX{T~ z3}@+2Y^-}Rf84EgJ!$2or1q}?y+%-kP^i8wQB-{|i8^UXUMoJulHA}$*tq$u3l?97yF>7&+Q^FE}lIViQdF~t;hMrnsDwzUUZ zXigM^6Rm5b)^PKtrL9#cr4v1ihiQ41+^Ezr;OfkS-|X4=-{DzX{(Ha$z$*D~e{fjW z|L^T>?th=;aYd9z6#~Dm6u1%peq-XFvC{gt5d=HO`^X|;dq2NJ;jlKdF-eG>*(-<3{}NgT3R8|KF25_q_jkxLwC@=o;t=?M5o2 zE)7UJ%}2h3FHz+R=dSDj3+Vp`2mSi`9~>TS?7yDmdDsE1jSYN}8-;?n?{N=M^=r6~ zCvI`n`Z}D(JrVzr@%vlghyQNRn*3j#Q@)h{$KKw4L;rWMvHy9R=aKwB9>Mc_3!MnW zCg^=e(o59~ItUMUQA$XRBm;NUATYYIK!JiY8eHRq#=tbu&5Wdorb1%Kc7m=cMt>*C zys3k18%!bF=JH``$A4#U?#FZ9uK9(3IZy82mou)kG$RS0)6|$5b3)RHFEVX!PE+m0 zd>T*5hq9PWByeGzlT>SL=tL|rd+oi#m6VRB5`v_x_U`<{IMDpgpSAXXqv`)b@n80j z26g+d{_+0i{P!eJeRC{!Ldy<*^D&y11QB^igj`GWV20)S2%eUg^XcT`BY2C9~f0g_x77 znp(f)=aqQ$-?12?W|VP|Q}d<`prZNC_!jrdy3?6&rwyBTLEw@^JWUF!=HKkzGnOUW zTzO=1PEB?qK+a!7!0)Q+O82c|@YC=Acai^0F!no(fvfKSn)Y9N`~A)R-;+G6SdyTp{(xF3Iyu~jmd;@qJ*7@ z5V$1wOGKF6z3cCZa>) zUrH;0B4$EUG$@j@iPA>qiwgi21d?8dKZzmw6&kvsY0PfI?@#|ax_JNo!#B@*S1&}* zrUh}80aZ3-N}Rqq=lAiW5&TbcaX+8TtzZore>-v`* zM>L)GUa6lCiTtFWRqOw_zW)!7jyCK6X`Y(yG{O=mY-(2lWxW{$u5n`VHj6MZL|nYZob94-OW80b96?S;8sd`9tVsn`&1onzrFD}D~bqkh=;Vj?0= zGkt+}f_~0vbcGZtNc7*BObJIHbX)dHSzj{eLcLOA15T2FrU6R{ipiXX9zq|KNIFX2IFhUg?|gG}6aEDK8PL_((1dXm6NzaeLeFTr%*d{5<9O)& zFJ1rFnlnC>0jya6dxLuX&%yCvZ-2A?pW?|lyQVSWL!`;jGl|emE=k|p+CuMGOw8^K zq?xf8VIk-=h5Qy_Cd8FM|0udcfB8l&i*3)%N`!v+(W~WE0(D^7VY9#o z!spFGY9YQiViBOmDmp4JJuOEVW-1dC+*$Lo*E&1f1({MI`2s3{R#X(BwanS53?3HS zI)zisCy25=$5V2iCyBk-KbyQ`@|+W)bB+|>FLj_77y?3=M>CVZgwKx-hGI_K_&pw5v)JIK@O;5z*$<*cuUK#^Wfo_-RR)x=*7`jKih7e)z8xXztjMXiX3w?yR$5? 
zV*fup?$_hL4i5G=`~QGW)xvf}mWEs1iF*_&Ddx5(+zZMYC|QYxWP8DjAo~|87D%x=@`|wE3z0OFl4Dts}csB zkeMt~Qj?N)&fL8F`V=s%q-1Ez6kAiIsK%?Q9~@OP)cFVr;lkY<>N|L%MQJ#*lm(X5Uc91Sa*A5h}sk}p7%g!ZT zg&JoQV^hT@mmY487LTDxTiG=GLT&l?>lmf;5fE z?JoK=m1OR&!gVG!(1-VWPTVz?mRb#}$8ZVDD$3YbtxR7R(JQW6pt%Zxd0*p1sDX+s zp%VGK{*oqKJSj#6j2Ied*;%gF-d9>)N|v#NO&9;DV8?m8oG_MA!zzA!A984{m69Z! zY}l$)iT@5-Sw<~u(90btW(}HYqndlr&DxZ+f_6Hnr}g#P6oiV+a?tNDp{a+-|LdOr zW+cf77xy{-tY9O&7o50^d-=Wtyq1wwAZMGJaU-fxG z--EtW4HX9iNAHV%MUv-fgpT&%PddNMClh*${GbV|hVKLO!diKIX8_Ap68wkoYpv;i??PwG*T?r@79k3= zD40_m#|3ua$^}&8pvVW!gV^;{kugcwjd|_dv?v0*Vf-p#I2I^kd7_FUq2(A$fJ_j# z#U{PLN6;h%PUCufM#}Krt7qRc!obkfRWHb7LLxat{yS#mD7d;VMG*f~Ej7Q6nN~2Y z6}g6?>!!nL>1*@!yF6>||Bi9{-EV_e>VFR!_TT-D{pZs>uB8OdGEut1zb>YHh4FWj z!{6KP8)sR?ImF&hTbX!9IF)ck<~C?d)k_@)yl!^t`Z`rzNZ@Gm#sOp%D0XF->JEO2 zBb0MESv9P+hqiKfroXyFqoD=5rtE)ju4?fzE-w7j*h`3{=z5>L_R&wjmE_u9T`fmkb2JyVkOx~?kG z;WuhM*YClL+wPi1L?h>~C$GOfy%?RI|NZps>BY&L=25#zCS~o*^OJX@%Mb4_PQE=I zefZb;X=`-@KzHx2&n`}1eRzNIuhBnG-h9{INKd!YQ>$&Qrv7pIucZxLk%hlX3uGIA z_5RHpXm<2JXXpPodpG*~`^yib^Y<4YTDy38Fc`GK`1bUzg6!?d|1zA(nwma^SSrxZ?$cKVlvJbPH;>gyZHyME1g~LEz46` z(^1(;QUqMXzemQsCNr^aA$1qa;1c?;Upl?)lEu2JD z9O|0s^E<^TRJ-`CR%<<|xW@4>Q1iT9zocwVbEU-64H%({xm^crm9yL`@Z3{nD|Bvw zPT(G}hMnw?jYZob-LzSHHR)@qNtk{j^+J<}HiOnZ1le`u)q^0Y$EK?UYppx0h}S&- zJtzb8iu2$8;J6Y0Wn=&IM9*DVmMBr8uH&p|Nk`4Jx?=c zdumuI(=VuS@A>p;Ep(gm zk81AIc-CD14~hV~^89z$$p5g(|MEo79bes(rb;Ir;53bcdj9QJ@8&NG_!Wlt6zgI!;(6$ zY+2uUIyb_l08^s>0mnjga()(~4-8~a1&z4DSw_<-V!4EJhI-H#M^_|`chL=45g}|T z4zLlM_QJacrq%w9_u5Tr4Ll}6Jj!fq$il*J(^0;*2i$J2aJT8cBl^vT9C0QMR=jllcnd-zt_ql1n9|4E*Q z$Nv01=^Vc{wtsuin(O~T5kOb!f12?>j}ABM|4E)r{LfAN&(8H9&PXz+;6D41K31*& z!+QR=!Eyh1qyK%9XA7NUDGAs98+xvFDz$M=6GhA@!_gI<5)pb^I>enh-wPyWBuS83 z-`awjrqf-u|6)n630T=V?{OM?TPP({9ZBzb#>s@V)Hpm(LY~ZqL^~wg;Oef@LvtS7mk17J@~JEF`M?(f9y|j zo%YIx#yCDCg>L#_81C`G37F^iRww%LO`neJZ@rH5DoJ$e21G@Qo|>tp5qKN!^Gf9`GWf1c*CDm~9T zK^K}9?5>6di4jX-lQeoiCrp}-m{|#q$sn9&sF{RrMEjK`3A;fHmV*lzSE4^oV>D+e 
zm5i&MRdPDcC5h3TMx5Cgx}oR&1?}v-W0DMac97c5$5_zF1;Z*NT{v!LG@98!oTW=8 zgf1+?a)#(Tp#^{+ssTTLe7-C==QfI2l*7F`^d%XJiO$AHY{xDvYSe%P$YZHMSg_oM f13rjN?t;y;c{b0JKmT6<00960#LA&w02~4UuYj&J literal 0 HcmV?d00001 diff --git a/charts/rancher-istio/106.1.0+up1.23.2/Chart.yaml b/charts/rancher-istio/106.1.0+up1.23.2/Chart.yaml new file mode 100644 index 0000000000..da70840695 --- /dev/null +++ b/charts/rancher-istio/106.1.0+up1.23.2/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 +apiVersion: v1 +appVersion: 1.23.2 +description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. +icon: https://charts.rancher.io/assets/logos/istio.svg +keywords: +- networking +- infrastructure +name: rancher-istio +version: 106.1.0+up1.23.2 diff --git a/charts/rancher-istio/106.1.0+up1.23.2/README.md b/charts/rancher-istio/106.1.0+up1.23.2/README.md new file mode 100644 index 0000000000..2230c61859 --- /dev/null +++ b/charts/rancher-istio/106.1.0+up1.23.2/README.md 
@@ -0,0 +1,79 @@
+# Rancher-Istio Chart
+
+Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization.
+
+See the app-readme for known issues and deprecations.
+
+## Installation Requirements
+
+#### Chart Dependencies
+- rancher-monitoring chart or other Prometheus installation
+
+#### Install
+To install the rancher-istio chart with helm, use the following command:
+```
+helm install rancher-istio --create-namespace -n istio-system
+```
+
+#### Uninstall
+To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal.
+
+**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:**
+`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"`
+
+## Addons
+The addons that are included with rancher-istio are:
+
+- Kiali
+- Jaeger
+
+Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon.
+### Kiali Addon
+
+Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard.
+
+#### Kiali Dependencies
+##### rancher-monitoring chart or other Prometheus installation
+
+This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation.
+
+#### Prometheus Configuration for Kiali
+> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding.
+
+The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces.
+
+To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources.
+
+1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape.
+1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces.
+
+#### Kiali External Services
+
+The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing.
+
+##### Prometheus
+The `kiali.external_services.prometheus` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Grafana
+The `kiali.external_services.grafana` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Tracing
+The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml:
+```
+http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }}
+```
+The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance.
+
+## Jaeger Addon
+
+Jaeger allows you to trace and monitor distributed microservices.
+
+> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs.
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/app-readme.md b/charts/rancher-istio/106.1.0+up1.23.2/app-readme.md
new file mode 100644
index 0000000000..8be230ff00
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/app-readme.md
@@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
+ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.5.0+up1.23.2` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
+ +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/Chart.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/Chart.yaml new file mode 100644 index 0000000000..e282a06c7b --- /dev/null +++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/Chart.yaml 
@@ -0,0 +1,28 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
+ catalog.rancher.io/namespace: cattle-istio-system
+ catalog.rancher.io/release-name: rancher-kiali-server
+apiVersion: v2
+appVersion: v1.89.3
+description: Kiali is an open source project for service mesh observability, refer
+ to https://www.kiali.io for details. This is installed as sub-chart with customized
+ values in Rancher's Istio.
+home: https://github.com/kiali/kiali
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- networking
+- infrastructure
+maintainers:
+- email: kiali-users@googlegroups.com
+ name: Kiali
+ url: https://kiali.io
+name: kiali
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 1.89.3
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/NOTES.txt b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/NOTES.txt
new file mode 100644
index 0000000000..751019401b
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Welcome to Kiali! For more details on Kiali, see: https://kiali.io
+
+The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+
+(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/_helpers.tpl b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/_helpers.tpl
new file mode 100644
index 0000000000..91c9ff0ca5
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/_helpers.tpl
@@ -0,0 +1,222 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride. +For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali, +use fullnameOverride, otherwise use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }} + {{- .Values.fullnameOverride | trunc 63 }} +{{- else }} + {{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Identifies the log_level. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- .Values.deployment.logger.log_level -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullName := include "kiali-server.fullname" . 
-}} +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} +app.kubernetes.io/name: kiali +{{- if (and .Release.IsUpgrade $deployment)}} +app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} +{{- else }} +app.kubernetes.io/instance: {{ $fullName }} +{{- end }} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- if (eq .Values.server.web_root "/") }} + {{- .Values.server.web_root }} + {{- else }} + {{- .Values.server.web_root | trimSuffix "/" }} + {{- end }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default deployment.ingress.enabled. 
Disable it on k8s; enable it on OpenShift. +*/}} +{{- define "kiali-server.deployment.ingress.enabled" -}} +{{- if hasKey .Values.deployment.ingress "enabled" }} + {{- .Values.deployment.ingress.enabled }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- true }} + {{- else }} + {{- false }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. +*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- if not .Values.kiali_route_url }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the root namespace - default is where Kiali is installed. 
+*/}} +{{- define "kiali-server.external_services.istio.root_namespace" -}} +{{- if .Values.external_services.istio.root_namespace }} + {{- .Values.external_services.istio.root_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. +Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. 
+*/}}
+{{- define "kiali-server.remote-cluster-secrets" -}}
+{{- $theDict := dict }}
+{{- if .Values.clustering.autodetect_secrets.enabled }}
+ {{- $secretLabelToLookFor := (regexSplit "=" .Values.clustering.autodetect_secrets.label 2) }}
+ {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }}
+ {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }}
+ {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }}
+ {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }}
+ {{- $clusterName := $secret.metadata.name }}
+ {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "kiali.io/cluster")) }}
+ {{- $clusterName = get $secret.metadata.annotations "kiali.io/cluster" }}
+ {{- end }}
+ {{- $theDict = set $theDict $clusterName $secret.metadata.name }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- $theDict | toJson }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/cabundle.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/cabundle.yaml
new file mode 100644
index 0000000000..7462b95a7f
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/cabundle.yaml
@@ -0,0 +1,13 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-cabundle
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+...
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/configmap.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/configmap.yaml
new file mode 100644
index 0000000000..f7b68294d7
--- /dev/null
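Review bot: `kiali-server.login_token.signing_key` falls back to `randAlphaNum 16` with nothing persisting the result, so whenever `login_token.signing_key` is left unset a new key is minted on every render — each `helm upgrade` rotates it and invalidates every outstanding Kiali session token, and a dry-run can never match the key actually deployed. The usual remedy is a `lookup` of the previously rendered value that is reused when present, falling back to the random key only on first install; short of that, a comment on the define should state the behaviour, e.g. `{{/* An unset login_token.signing_key is regenerated on every render; set it explicitly if sessions must survive upgrades. */}}`. Separately, `kiali-server.remote-cluster-secrets` splits `autodetect_secrets.label` on `=` but never checks that a `=` was present, so a bare label name makes `first` and `last` return the same string and the match silently degrades to comparing the label's value against its own name; a guard such as `{{- if ne (len $secretLabelToLookFor) 2 }}{{- fail "clustering.autodetect_secrets.label must be of the form name=value" }}{{- end }}` turns that misconfiguration into a render-time error.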
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/configmap.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ {{- if .Values.deployment.configmap_annotations }}
+ annotations:
+ {{- toYaml .Values.deployment.configmap_annotations | nindent 4 }}
+ {{- end }}
+data:
+ config.yaml: |
+ {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
+ {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
+ {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
+ {{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
+ {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}
+ {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }}
+ {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }}
+ {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }}
+ {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }}
+ {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }}
+ {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }}
+ {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }}
+ {{- $_ := set $cm.external_services.istio "root_namespace" (include "kiali-server.external_services.istio.root_namespace" .) }}
+ {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }}
+ {{- toYaml $cm | nindent 4 }}
+...
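Review bot: The whole of `.Values` minus three keys is serialised into `config.yaml` here, and the `set $cm.login_token "signing_key"` line adds the JWT signing key to it, so the key — together with any credentials a user places under `external_services.*` in values — ends up in a ConfigMap readable by any principal with `get configmaps` in the namespace and in `helm get values`/`helm get manifest` output. deployment.yaml already mounts an optional Secret (`deployment.secret_name`) at `/kiali-secret`; if the Kiali version shipped here can read the signing key from that Secret (to be confirmed against the server docs), `omit` `login_token` from `$cm` and ship the key there instead, otherwise at least document the exposure. A template comment above the `omit` line would help the next maintainer: `{{- /* Everything left in $cm lands in a ConfigMap, not a Secret: keep credentials out of .Values or omit them here. */}}`.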
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml new file mode 100644 index 0000000000..6173579ab4 --- /dev/null +++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml 
@@ -0,0 +1,240 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "-4" +spec: +{{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +{{- end }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) 
}} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console + subPath: env.js + mountPath: /opt/kiali/console/env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + {{- if .Values.web_root_override }} + - name: kiali-console + configMap: + name: kiali-console + items: + - key: env.js + path: env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . 
}}-cert + secret: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }}
+{{- if .Values.deployment.tolerations }}
+{{ toYaml .Values.deployment.tolerations | indent 8 }}
+{{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.deployment.node_selector }}
+{{ toYaml .Values.deployment.node_selector | indent 8 }}
+{{- end }}
+...
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml.orig b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml.orig
new file mode 100644
index 0000000000..34560fceaf
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/deployment.yaml.orig
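Review bot: The default container `securityContext` (the `{{- else }}` branch) sets `runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem` and `drop: [ALL]` but no `seccompProfile`, so the pod is rejected by a namespace enforcing the Pod Security Standards `restricted` profile that app-readme.md tells users to adopt in place of PSPs; adding `seccompProfile:` / `  type: RuntimeDefault` to that block (or at pod level) closes the gap. When `deployment.security_context` is set it replaces that whole block rather than being merged with it, so a user adding only `runAsUser` silently drops the no-privesc/drop-ALL hardening — either `merge` the user value over the defaults or say so in a comment on the `{{- if .Values.deployment.security_context}}` line. The `helm.sh/hook: post-install, post-upgrade` annotation on the Deployment (not present in the upstream `.orig` copy, presumably added for ordering against the Istio install) makes it a hook resource, and Helm does not track hook resources as part of the release: `helm uninstall` will leave the Kiali Deployment running and a removed or renamed Deployment is never garbage-collected. If the hook is needed for ordering, add a `pre-delete` hook that removes the Deployment or document that uninstall must clean it up; otherwise drop the annotation.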
@@ -0,0 +1,224 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: +{{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +{{- end }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) 
}} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) 
}} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + {{- if .Values.deployment.tolerations }} + tolerations: + {{- toYaml .Values.deployment.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.deployment.node_selector }} + nodeSelector: + {{- toYaml .Values.deployment.node_selector | nindent 8 }} + {{- end }} +... 
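Review bot: `deployment.yaml.orig` looks like a leftover from a merge or patch step, and since Helm renders every file under `templates/` regardless of extension, this copy will be rendered next to `deployment.yaml` and emit a second Deployment with the same name in the same namespace — whether the install fails outright or the two definitions fight over the object depends on the Helm version, but neither outcome is usable. The copy also reads `.Values.deployment.image_name`/`image_version` instead of the `repository`/`tag` keys the real template uses, skips the `system_default_registry` prefix, and omits the Linux toleration and nodeSelector, so if it ever applied it would pull an unprefixed image straight from the upstream registry (breaking air-gapped installs) and could be scheduled onto non-Linux nodes. Delete it from the chart, and consider adding `*.orig` and `*.rej` to the chart's `.helmignore` so a future patch step cannot reintroduce it.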
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/hpa.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/hpa.yaml
new file mode 100644
index 0000000000..934c4c1e9d
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/hpa.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.deployment.hpa.spec }}
+---
+apiVersion: {{ .Values.deployment.hpa.api_version }}
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "kiali-server.fullname" . }}
+ {{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
+...
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/ingress.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/ingress.yaml
new file mode 100644
index 0000000000..27807fc3de
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/ingress.yaml
@@ -0,0 +1,62 @@
+{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
+{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
+---
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else }}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if .Values.deployment.ingress.additional_labels }}
+ {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }}
+ {{- end }}
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }}
+ {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }}
+ {{- else }}
+ # For ingress-nginx versions older than 0.20.0 use secure-backends.
+ # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948)
+ # For ingress-nginx versions 0.20.0 and later use backend-protocol.
+ {{- if (include "kiali-server.identity.cert_file" .) }}
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ {{- else }}
+ nginx.ingress.kubernetes.io/secure-backends: "false"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }}
+ {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }}
+ {{- else }}
+ {{- if .Values.deployment.ingress.class_name }}
+ ingressClassName: {{ .Values.deployment.ingress.class_name }}
+ {{- end }}
+ rules:
+ - http:
+ paths:
+ - path: {{ include "kiali-server.server.web_root" . }}
+ {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ include "kiali-server.fullname" . }}
+ port:
+ number: {{ .Values.server.port }}
+ {{- else }}
+ backend:
+ serviceName: {{ include "kiali-server.fullname" . }}
+ servicePort: {{ .Values.server.port }}
+ {{- end }}
+ {{- if not (empty .Values.server.web_fqdn) }}
+ host: {{ .Values.server.web_fqdn }}
+ {{- end }}
+ {{- end }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/oauth.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/oauth.yaml
new file mode 100644
index 0000000000..8658c7f947
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/oauth.yaml
@@ -0,0 +1,25 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if .Values.kiali_route_url }}
+---
+apiVersion: oauth.openshift.io/v1
+kind: OAuthClient
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+redirectURIs:
+- {{ .Values.kiali_route_url }}/api/auth/callback
+{{- if .Values.server.web_port }}
+- {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }}/api/auth/callback
+{{- end }}
+grantMethod: auto
+{{- if .Values.auth.openshift.token_inactivity_timeout }}
+accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }}
+{{- end }}
+{{- if .Values.auth.openshift.token_max_age }}
+accessTokenMaxAgeSeconds: {{ .Values.auth.openshift.token_max_age }}
+{{- end }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/psp.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/psp.yaml
new file mode 100644
index 0000000000..e31d706d4b
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/psp.yaml
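Review bot: The default `spec` branch of ingress.yaml emits no `tls:` stanza, so unless `deployment.ingress.override_yaml.spec` is supplied the Kiali UI is reachable over plain HTTP at the ingress edge; the `backend-protocol: "HTTPS"` annotation only covers the hop from the controller to the pod, and the OpenShift route.yaml in the same commit defaults to `termination: reencrypt` with a redirect, so the two exposure paths are not equivalent. At minimum record this above `rules:`, e.g. `# No tls section is rendered here; supply deployment.ingress.override_yaml.spec (or terminate TLS at the controller) before exposing Kiali outside the cluster.` The templated scalars `ingressClassName: {{ .Values.deployment.ingress.class_name }}` and `host: {{ .Values.server.web_fqdn }}` are unquoted; writing them as `host: "{{ .Values.server.web_fqdn }}"` keeps an odd value from changing the YAML type or starting a flow collection.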
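Review bot: Both `redirectURIs` entries in oauth.yaml are built from the user-supplied `kiali_route_url` as unquoted plain scalars, so a value containing ` #` or `: ` would silently truncate or break the redirect list that the OAuth server later matches against; write them as `- "{{ .Values.kiali_route_url }}/api/auth/callback"` (and the same for the `web_port` variant). `grantMethod: auto` issues the token without a user consent prompt, which is a deliberate choice for a first-party client but deserves a one-line comment stating so. OAuthClient is cluster-scoped, so the `namespace:` under `metadata` is ignored and can be dropped to avoid implying the object is namespaced.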
@@ -0,0 +1,67 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "kiali-server.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: kiali
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml
new file mode 100644
index 0000000000..707501c677
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-controlplane.yaml
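Review bot: The RoleBinding subject in psp.yaml is hard-coded as `name: kiali`, while serviceaccount.yaml in this same commit names the ServiceAccount `{{ include "kiali-server.fullname" . }}`; with a non-default `deployment.instance_name` or `fullnameOverride` the binding points at a ServiceAccount that does not exist and, with PSP enabled, the Kiali pod is rejected at admission with no obvious cause. Use the same helper here: `name: {{ include "kiali-server.fullname" . }}`. The tracing psp.yaml further down already does this, so the fix also makes the two subcharts consistent.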
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+ namespace: {{ include "kiali-server.istio_namespace" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+rules:
+{{- if .Values.kiali_feature_flags.certificates_information_indicators.enabled }}
+- apiGroups: [""]
+ resourceNames:
+ {{- range .Values.kiali_feature_flags.certificates_information_indicators.secrets }}
+ - {{ . }}
+ {{- end }}
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+...
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-viewer.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-viewer.yaml
new file mode 100644
index 0000000000..0811b20118
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role-viewer.yaml
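Review bot: `list` and `watch` on a rule restricted by `resourceNames` are only honoured by RBAC when the request carries a `metadata.name` field selector; a plain list of secrets in the Istio namespace is still denied, which is the right least-privilege outcome but surprises readers who expect this rule to grant enumeration of the control-plane secrets. A comment above `verbs:` such as `# list/watch are scoped to the named secrets only (RBAC honours them solely with a metadata.name field selector)` would record that. The `- {{ . }}` items come straight from `certificates_information_indicators.secrets`; quoting them (`- "{{ . }}"`) prevents a name that happens to look like a YAML number or boolean from changing type.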
@@ -0,0 +1,96 @@
+{{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }}
+ - pods/log
+{{- end }}
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups: ["oauth.openshift.io"]
+ resources:
+ - oauthclients
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
+ verbs:
+ - get
+...
+{{- end -}}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role.yaml
new file mode 100644
index 0000000000..de23cc5c83
--- /dev/null
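Review bot: `pods/portforward` with `create` in a ClusterRole that is named "viewer" and selected by `deployment.view_only_mode` lets the Kiali ServiceAccount open a tunnel to any pod in any namespace, which is network access rather than read access; if a Kiali feature genuinely needs it, say so in a comment on that rule (`# needed for <feature>; this is not read-only`), otherwise drop the rule from the view-only role. The `post` verb on the same rule, and on the matching rule in role.yaml, is not an RBAC verb — the API server maps POST to `create` — so it is dead and should be removed to avoid implying a separate grant. The `tokenreviews` `create` and cluster-wide `pods/log` entries are the other two rules here that go beyond what "viewer" suggests and would benefit from a one-line why-comment each.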
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/role.yaml
@@ -0,0 +1,103 @@
+{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }}
+ - pods/log
+{{- end }}
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups: ["oauth.openshift.io"]
+ resources:
+ - oauthclients
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
+ verbs:
+ - get
+...
+{{- end -}}
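Review bot: This ClusterRole is rendered only when `auth.strategy` is exactly `anonymous` and `view_only_mode` is false, yet it grants `create`, `delete` and `patch` on every resource in the Istio, Gateway API and security groups cluster-wide plus `patch` on pods, services and namespaces; in that configuration anyone who can reach the Kiali UI can change mesh configuration for the whole cluster with no identity attached to the change. That is the upstream Kiali model, but it deserves a header comment, e.g. `# Write ClusterRole used only with anonymous auth: every UI user effectively holds these cluster-wide write permissions.`, and values.yaml should say which role its default `auth.strategy: ""` selects (reading the condition here, any value other than "anonymous" goes to the viewer role). The `post` verb under `pods/portforward` is the same dead entry flagged on role-viewer.yaml.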
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml
new file mode 100644
index 0000000000..5a00158360
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding-controlplane.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+ namespace: {{ include "kiali-server.istio_namespace" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+...
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding.yaml
new file mode 100644
index 0000000000..63f1922ac1
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/rolebinding.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+...
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/route.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/route.yaml
new file mode 100644
index 0000000000..8325c14a74
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/route.yaml
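Review bot: The `or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")` predicate is evaluated twice in rolebinding.yaml and again in role-viewer.yaml and role.yaml; if any copy drifts, this ClusterRoleBinding silently references a ClusterRole that is not rendered and the binding fails closed without a clear error. Compute the name once at the top of the file, `{{- $roleName := ternary (printf "%s-viewer" (include "kiali-server.fullname" .)) (include "kiali-server.fullname" .) (or .Values.deployment.view_only_mode (ne .Values.auth.strategy "anonymous")) }}`, and use `name: {{ $roleName }}` in both places; better still, move the predicate into a named template so all four sites share one definition.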
@@ -0,0 +1,34 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }}
+# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if .Values.deployment.ingress.additional_labels }}
+ {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }}
+ {{- end }}
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }}
+ annotations:
+ {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }}
+ {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }}
+ {{- else }}
+ tls:
+ termination: reencrypt
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ name: {{ include "kiali-server.fullname" . }}
+ port:
+ targetPort: {{ .Values.server.port }}
+ {{- end }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/service.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/service.yaml
new file mode 100644
index 0000000000..111be7f879
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/service.yaml
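Review bot: `override_yaml.spec` replaces the entire Route spec, so an override that only wants a different `to` or `port` also drops the `tls:` block with `termination: reencrypt` and `insecureEdgeTerminationPolicy: Redirect`, and the Route quietly becomes plain HTTP. A comment above the `hasKey` check would prevent that: `# override_yaml.spec replaces the whole spec, tls included; copy the tls block into your override if reencrypt should stay on.` The `# As of OpenShift 4.5 ...` line is emitted into the rendered manifest; making it a `{{/* ... */}}` template comment keeps operator guidance out of cluster objects.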
@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+ service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
+ {{- end }}
+ {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
+ {{- if empty .Values.server.web_port }}
+ kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }}
+ {{- else }}
+ kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{ include "kiali-server.server.web_root" . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.service_annotations }}
+ {{- toYaml .Values.deployment.service_annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.deployment.service_type }}
+ type: {{ .Values.deployment.service_type }}
+ {{- end }}
+ ports:
+ {{- if (include "kiali-server.identity.cert_file" .) }}
+ - name: tcp
+ appProtocol: https
+ {{- else }}
+ - name: http
+ appProtocol: http
+ {{- end }}
+ protocol: TCP
+ port: {{ .Values.server.port }}
+ {{- if and (not (empty .Values.server.node_port)) (eq .Values.deployment.service_type "NodePort") }}
+ nodePort: {{ .Values.server.node_port }}
+ {{- end }}
+ {{- if .Values.server.observability.metrics.enabled }}
+ - name: http-metrics
+ appProtocol: http
+ protocol: TCP
+ port: {{ .Values.server.observability.metrics.port }}
+ {{- end }}
+ selector:
+ {{- include "kiali-server.selectorLabels" . | nindent 4 }}
+ {{- if .Values.deployment.additional_service_yaml }}
+ {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }}
+ {{- end }}
+...
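Review bot: The two `kiali.io/external-url` annotation values are unquoted plain scalars assembled from `web_schema`, `web_fqdn`, `web_port` and `web_root`; a `web_root` containing ` #` or a value with `: ` is truncated or fails to parse, and the resulting URL is what Kiali advertises to users. Quote both variants, e.g. `kiali.io/external-url: "{{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }}"`, and likewise `type: "{{ .Values.deployment.service_type }}"`. The `serving-cert-secret-name` annotation is what route.yaml's `reencrypt` relies on; a short comment tying the two together would help the next reader.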
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9151b6f6a1
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+...
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml
new file mode 100644
index 0000000000..970d4e4f5d
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/templates/web-root-configmap.yaml
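Review bot: validate-psp-install.yaml relies on two conventions that are easy to misread and deserve a template comment: the leading `#` on every line is literal text outside the actions, so the `if`/`fail` still execute while the rendered output stays a YAML comment, and the outer `lookup` of ClusterRoles is a connectivity probe that turns the whole check into a no-op under `helm template` and `--dry-run`, where `lookup` returns an empty result. The second point means a PSP-enabled render only fails against a live cluster, never in offline CI. Suggest a header `{{/* The leading '#' keeps the output a valid YAML comment; the lookup guard skips this check when rendering offline (helm template / dry-run), so it only fires on a real install. */}}`.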
@@ -0,0 +1,12 @@
+{{- if .Values.web_root_override }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{-
 include "kiali-server.labels" . | nindent 4 }}
+data:
+ env.js: |
+ window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/values.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/values.yaml
new file mode 100644
index 0000000000..984432789a
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/kiali/values.yaml
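Review bot: The proxy URL in `env.js` hard-codes the service name `kiali` and port `20001`, while service.yaml names the Service `{{ include "kiali-server.fullname" . }}` and takes its port from `.Values.server.port`; changing `deployment.instance_name` or `server.port` leaves the Rancher UI pointing at a Service that does not exist. Use the same sources: `window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:{{ include "kiali-server.fullname" . }}:{{ .Values.server.port }}/proxy/kiali';`. `clusterId` is interpolated into a single-quoted JavaScript string with no escaping; it is chart-controlled, but `{{ .Values.global.cattle.clusterId | js }}` costs nothing and removes the question. The ConfigMap name `kiali-console` is the third literal in this file that the rest of the chart derives from a helper.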
@@ -0,0 +1,137 @@
+# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
+# This is only supported for backward compatibility and will be removed in a future version.
+# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
+# then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
+# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
+fullnameOverride: "kiali"
+
+# This is required for "openshift" auth strategy.
+# You have to know ahead of time what your Route URL will be because
+# right now the helm chart can't figure this out at runtime (it would
+# need to wait for the Kiali Route to be deployed and for OpenShift
+# to start it up). If someone knows how to update this helm chart to
+# do this, a PR would be welcome.
+kiali_route_url: ""
+
+# rancher specific override that allows proxy access to kiali url
+web_root_override: true
+#
+# Settings that mimic the Kiali CR which are placed in the ConfigMap.
+# Note that only those values used by the Helm Chart will be here.
+#
+
+additional_display_details:
+- annotation: kiali.io/api-spec
+ icon_annotation: kiali.io/api-type
+ title: API Documentation
+
+istio_namespace: "" # default is where Kiali is installed
+
+auth:
+ openid: {}
+ openshift: {}
+ strategy: ""
+
+clustering:
+ autodetect_secrets:
+ enabled: true
+ label: "kiali.io/multiCluster=true"
+ clusters: []
+
+deployment:
+ # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
+ # For more control over what the Kial Service Account can see, use the Kiali Operator
+ accessible_namespaces:
+ - "**"
+ additional_service_yaml: {}
+ affinity:
+ node: {}
+ pod: {}
+ pod_anti: {}
+ configmap_annotations: {}
+ custom_secrets: []
+ dns:
+ config: {}
+ policy: ""
+ host_aliases: []
+ hpa:
+ api_version: "autoscaling/v2"
+ spec: {}
+ image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@")
+ repository: rancher/mirrored-kiali-kiali
+ image_pull_policy: "Always"
+ image_pull_secrets: []
+ tag: v1.89.3 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash
+ ingress:
+ additional_labels: {}
+ class_name: "nginx"
+ #enabled:
+ override_yaml:
+ metadata: {}
+ instance_name: "kiali"
+ logger:
+ log_format: "text"
+ log_level: "info"
+ time_field_format: "2006-01-02T15:04:05Z07:00"
+ sampler_rate: "1"
+ node_selector: {}
+ pod_annotations: {}
+ pod_labels: {}
+ priority_class_name: ""
+ # if deployment.hpa is defined, this replicas setting will be ignored
+ replicas: 1
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "64Mi"
+ limits:
+ memory: "1Gi"
+ secret_name: "kiali"
+ security_context: {}
+ service_annotations: {}
+ service_type: ""
+ tolerations: []
+ version_label: v1.89.3 # v1.39 # v1.39.0 # see: https://quay.io/repository/kiali/kiali?tab=tags
+ view_only_mode: false
+
+external_services:
+ custom_dashboards:
+ enabled: true
+ istio:
+ root_namespace: ""
+
+identity: {}
+ #cert_file:
+ #private_key_file:
+
+kiali_feature_flags:
+ certificates_information_indicators:
+ enabled: true
+ secrets:
+ - cacerts
+ - istio-ca-secret
+ disabled_features: []
+ validations:
+ ignore: ["KIA1301"]
+
+login_token:
+ signing_key: ""
+
+server:
+ port: 20001
+ #node_port:
+ observability:
+ metrics:
+ enabled: true
+ port: 9090
+ web_root: ""
+
+# Common settings used among istio subcharts.
+global:
+ # Specify rancher clusterId of external tracing config
+ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
+ cattle:
+ systemDefaultRegistry: ""
+ clusterId:
+ psp:
+ enabled: false
\ No newline at end of file
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/.helmignore b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/Chart.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/Chart.yaml
new file mode 100644
index 0000000000..b27e4ed2ce
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/Chart.yaml
@@ -0,0 +1,12 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.rancher.io/certified: rancher
+ catalog.rancher.io/namespace: istio-system
+ catalog.rancher.io/release-name: rancher-tracing
+apiVersion: v1
+appVersion: 1.60.0
+description: A quick start Jaeger Tracing installation using the all-in-one demo.
+ This is not production qualified. Refer to https://www.jaegertracing.io/ for details.
+name: tracing
+version: 1.60.0
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/README.md b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/README.md
new file mode 100644
index 0000000000..25534c6288
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/README.md
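Review bot: `clusterId:` under `global.cattle` at the end of values.yaml is a bare key, which YAML reads as null rather than an empty string; with `web_root_override: true` as the default, web-root-configmap.yaml renders that null into the proxy URL (as `<nil>` or empty, depending on the renderer) unless Rancher injects a real id. Write it as `clusterId: ""` with a comment that Rancher sets it at install time, and fix the missing trailing newline while there. Two smaller points in the same file: `deployment.tag` and `deployment.version_label` carry the same `v1.89.3` literal in two places and will drift on the next bump, and the comment above `accessible_namespaces` reads `Kial Service Account` for `Kiali`. `login_token.signing_key: ""` would also benefit from a comment on what an empty value means, since a static key placed here would end up in version control.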
@@ -0,0 +1,5 @@
+# Jaeger
+
+A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
+
+> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_affinity.tpl b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_affinity.tpl
new file mode 100644
index 0000000000..bf6a9aee5c
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_affinity.tpl
@@ -0,0 +1,92 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+{{- define "nodeAffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .Values.podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if or .Values.podAntiAffinityTermLabelSelector}}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_helpers.tpl b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_helpers.tpl
new file mode 100644
index 0000000000..09c6b05467
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/_helpers.tpl
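Review bot: `nodeAffinityRequiredDuringScheduling` and `nodeAffinityPreferredDuringScheduling` both match on `beta.kubernetes.io/arch`, a node label Kubernetes has deprecated in favour of `kubernetes.io/arch`; on a release that stops setting the beta label the required term can never be satisfied and the tracing pod stays Pending with no other hint. Switch both occurrences to `key: kubernetes.io/arch`. Style: `{{- if or .Values.podAntiAffinityTermLabelSelector}}` applies `or` to a single operand, which is just the operand; `{{- if .Values.podAntiAffinityTermLabelSelector }}` reads as intended and matches the sibling check two lines above.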
@@ -0,0 +1,47 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tracing.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tracing.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/deployment.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/deployment.yaml
new file mode 100644
index 0000000000..f8a6828085
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/deployment.yaml
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Values.provider }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+{{- if .Values.jaeger.podAnnotations }}
+{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: jaeger
+ image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ env:
+ {{- if eq .Values.jaeger.spanStorageType "badger" }}
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ {{- end }}
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: "9411"
+ - name: MEMORY_MAX_TRACES
+ value: "{{ .Values.jaeger.memory.max_traces }}"
+ - name: QUERY_BASE_PATH
+ value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+{{- end }}
+ resources:
+{{- if .Values.jaeger.resources }}
+{{ toYaml .Values.jaeger.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeAffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.global.cattle.psp.enabled }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ {{- end }}
+ serviceAccountName: {{ include "tracing.fullname" . }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumes:
+ - name: data
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+ persistentVolumeClaim:
+ claimName: istio-jaeger-pvc
+{{- else }}
+ emptyDir: {}
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/psp.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/psp.yaml
new file mode 100644
index 0000000000..4d5c271e1b
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/psp.yaml
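Review bot: The pod `securityContext` (`runAsNonRoot: true`, `runAsUser: 1000`) in tracing's deployment.yaml is rendered only when `global.cattle.psp.enabled` is true, so with the default value — and on every cluster where PodSecurityPolicy no longer exists — the Jaeger container runs with whatever UID the image chooses; hardening should not be coupled to the PSP flag. Drop the `{{- if .Values.global.cattle.psp.enabled }}` / `{{- end }}` pair so the context applies unconditionally, add a seccomp profile there, and give the container the `restricted` Pod Security Standard fields this Deployment sets nowhere (`allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`). `claimName: istio-jaeger-pvc` is a literal that must stay in step with pvc.yaml; a shared helper or value would keep the two from drifting.

```yaml
      # … unchanged: affinity …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: {{ include "tracing.fullname" . }}
      # … unchanged: nodeSelector, tolerations, volumes …
```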
@@ -0,0 +1,76 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tracing.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tracing.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "tracing.fullname" . }}
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - secret
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/pvc.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/pvc.yaml
new file mode 100644
index 0000000000..9b4c55e4fb
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/pvc.yaml
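Review bot: `namespace: {{ .Release.Namespace }}` under the PodSecurityPolicy's `metadata` is silently discarded by the API server, because PodSecurityPolicy is cluster-scoped; the policy is cluster-wide and only the Role/RoleBinding above it confine its use to this namespace. The same line appears on the PSPs in istio-cni-psp.yaml, istio-install-psp.yaml and istio-psp.yaml and on the ClusterRoles in admin-role.yaml, edit-role.yaml and view-role.yaml, all of which are cluster-scoped too. Dropping it from each avoids implying a scoping that does not exist, and since the PSP name is `tracing.fullname`, two releases that render the same fullname in different namespaces would collide on one cluster-scoped object unless that helper already folds the namespace in (not visible here).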
@@ -0,0 +1,16 @@
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-jaeger-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+spec:
+ storageClassName: {{ .Values.jaeger.storageClassName }}
+ accessModes:
+ - {{ .Values.jaeger.accessMode }}
+ resources:
+ requests:
+ storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/service.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/service.yaml
new file mode 100644
index 0000000000..3ee5a54247
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/service.yaml
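Review bot: `storageClassName: {{ .Values.jaeger.storageClassName }}` renders as an empty value (YAML null) with the shipped default `""`, which asks Kubernetes for the cluster's default StorageClass rather than "no class"; that distinction is invisible from values.yaml. A comment there, e.g. `# leave empty to use the cluster's default StorageClass`, would make the behaviour explicit. `accessMode: ReadWriteMany` is also more than a single-replica Deployment needs and is unsupported by most block-storage provisioners, so `ReadWriteOnce` is the safer default to document or choose. The `{{.Values.jaeger.persistentVolumeClaim.storage }}` action is missing the space after `{{` that every other action in the chart has.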
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.service.externalPort }}
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: {{ .Values.provider }}
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: zipkin
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.zipkin.queryPort }}
+ targetPort: {{ .Values.zipkin.queryPort }}
+ selector:
+ app: {{ .Values.provider }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ - port: 4317
+ name: grpc-otel
+ - port: 4318
+ name: http-otel
+ selector:
+ app: {{ .Values.provider }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..1bff77ff66
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/serviceaccount.yaml
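Review bot: The `tracing` Service fronts the Jaeger query UI (`targetPort: 16686`) with no authentication, and its `type` is taken straight from `.Values.service.type`; because the pod carries `sidecar.istio.io/inject: "false"` in deployment.yaml there is no mesh mTLS in front of it either, so switching the type to NodePort or LoadBalancer publishes an unauthenticated UI over plain HTTP. A comment next to `type:` in the tracing values.yaml, e.g. `# ClusterIP keeps the unauthenticated Jaeger UI internal; put an authenticating ingress in front before exposing it`, would record that. The 4317/4318 entries under `jaeger-collector` omit `targetPort` and `protocol`, which Kubernetes defaults to the port number and TCP; stating them as the other ports do keeps the list uniform.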
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/values.yaml b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/values.yaml
new file mode 100644
index 0000000000..cb58f51fdb
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/charts/tracing/values.yaml
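Review bot: The ServiceAccount leaves `automountServiceAccountToken` unset, so every jaeger pod is issued an API token that nothing visible uses — deployment.yaml never talks to the API server, and the only RBAC this account receives (psp.yaml) is PSP `use`, which admission evaluates without the token. Adding `automountServiceAccountToken: false` at the top level of the ServiceAccount removes a credential from a pod that receives spans from every workload in the mesh. The file is also missing its trailing newline.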
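Review bot: Every line of validate-psp-install.yaml is prefixed with `#`, which reads as if the whole guard were disabled; Helm still evaluates the `{{ }}` actions inside comment lines, so the `fail` fires as intended and the `#` only keeps the rendered residue out of the YAML, while the `lookup` wrapper presumably skips the check under `helm template`, where `lookup` returns nothing. Without a note the next maintainer may "clean up" the file or copy the pattern without understanding it. A leading line such as `#{{/* '#'-prefixed so the rendered output is empty; Helm still runs these actions */}}` would document it; the copy in templates/validate-psp-install.yaml has the same shape.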
@@ -0,0 +1,53 @@
+provider: jaeger
+contextPath: ""
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+nameOverride: ""
+fullnameOverride: ""
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ defaultResources: {}
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets: []
+ arch:
+ arm64: 2
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+ defaultNodeSelector:
+ kubernetes.io/os: linux
+ rbac:
+ pspEnabled: false
+
+jaeger:
+ repository: rancher/mirrored-jaegertracing-all-in-one
+ tag: 1.60.0
+ # spanStorageType value can be "memory" and "badger" for all-in-one image
+ spanStorageType: badger
+ resources:
+ requests:
+ cpu: 10m
+ persistentVolumeClaim:
+ enabled: false
+ storage: 5Gi
+ storageClassName: ""
+ accessMode: ReadWriteMany
+ memory:
+ max_traces: 50000
+zipkin:
+ queryPort: 9411
+service:
+ annotations: {}
+ name: http-query
+ type: ClusterIP
+ externalPort: 16686
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/configs/istio-base.yaml b/charts/rancher-istio/106.1.0+up1.23.2/configs/istio-base.yaml
new file mode 100644
index 0000000000..17fb5ff8c3
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/configs/istio-base.yaml
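Review bot: `global.rbac.pspEnabled: false` is not read by any of the tracing templates visible here — the PSP objects and the pod `securityContext` are gated on `global.cattle.psp.enabled` — so an operator who flips `rbac.pspEnabled` gets no PSP and no error. Either remove the key or mark it: `# unused; PSP support is controlled by global.cattle.psp.enabled`. `spanStorageType: badger` combined with `persistentVolumeClaim.enabled: false` means traces live in an `emptyDir` and are lost on every pod restart, which the comment on `spanStorageType` does not mention; extending it with `# with persistentVolumeClaim.enabled false, badger data is ephemeral (emptyDir)` would save a surprise during an incident review.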
@@ -0,0 +1,140 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: {{ .Values.base.enabled }}
+ cni:
+ enabled: {{ .Values.cni.enabled }}
+ k8s:
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ egressGateways:
+ - enabled: {{ .Values.egressGateways.enabled }}
+ name: istio-egressgateway
+ k8s:
+ {{- if .Values.egressGateways.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.egressGateways.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ ingressGateways:
+ - enabled: {{ .Values.ingressGateways.enabled }}
+ name: istio-ingressgateway
+ k8s:
+ {{- if .Values.ingressGateways.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.ingressGateways.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ service:
+ ports:
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: http2
+ port: 80
+ targetPort: 8080
+ nodePort: 31380
+ - name: https
+ port: 443
+ targetPort: 8443
+ nodePort: 31390
+ - name: tcp
+ port: 31400
+ targetPort: 31400
+ nodePort: 31400
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ istiodRemote:
+ enabled: {{ .Values.istiodRemote.enabled }}
+ pilot:
+ enabled: {{ .Values.pilot.enabled }}
+ k8s:
+ {{- if .Values.pilot.hpaSpec }}
+ hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }}
+ {{- end }}
+ {{- if .Values.pilot.podDisruptionBudget }}
+ podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }}
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
+{{- if .Values.nodeSelector }}
+{{- toYaml .Values.nodeSelector | nindent 12 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
+{{- if .Values.tolerations }}
+{{- toYaml .Values.tolerations | nindent 12 }}
+{{- end }}
+ hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}
+ profile: default
+ tag: {{ .Values.tag }}
+ revision: {{ .Values.revision }}
+ meshConfig:
+ defaultConfig:
+ {{- if .Values.tracing.enabled }}
+ tracing:
+ zipkin:
+ address: {{ .Values.tracing.zipkinAddress }}
+ {{- end }}
+ proxyMetadata:
+ {{- if .Values.dns.enabled }}
+ ISTIO_META_DNS_CAPTURE: "true"
+ {{- end }}
+ values:
+ gateways:
+ istio-egressgateway:
+ name: istio-egressgateway
+ type: {{ .Values.egressGateways.type }}
+ istio-ingressgateway:
+ name: istio-ingressgateway
+ type: {{ .Values.ingressGateways.type }}
+ global:
+ istioNamespace: {{ template "istio.namespace" . }}
+ proxy:
+ image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
+ proxy_init:
+ image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}
+ {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+ defaultPodDisruptionBudget:
+ enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }}
+ {{- end }}
+ {{- if .Values.pilot.enabled }}
+ pilot:
+ image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }}
+ {{- end }}
+ telemetry:
+ enabled: {{ .Values.telemetry.enabled }}
+ v2:
+ enabled: {{ .Values.telemetry.v2.enabled }}
+ {{- if .Values.cni.enabled }}
+ cni:
+ image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }}
+ excludeNamespaces:
+ {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }}
+ logLevel: {{ .Values.cni.logLevel }}
+ {{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/requirements.yaml b/charts/rancher-istio/106.1.0+up1.23.2/requirements.yaml
new file mode 100644
index 0000000000..cb4c3fe75c
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/requirements.yaml
@@ -0,0 +1,9 @@
+dependencies:
+- condition: kiali.enabled
+ name: kiali
+ repository: file://./charts/kiali
+ version: 1.89.3
+- condition: tracing.enabled
+ name: tracing
+ repository: file://./charts/tracing
+ version: 1.60.0
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/samples/overlay-example.yaml b/charts/rancher-istio/106.1.0+up1.23.2/samples/overlay-example.yaml
new file mode 100644
index 0000000000..5cf3cf3b0b
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/samples/overlay-example.yaml
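Review bot: `hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}` reads a top-level `systemDefaultRegistry` that values.yaml in this commit does not define (the chart keeps it under `global.cattle.systemDefaultRegistry`), so `hub` always resolves to `docker.io`. Every component image the chart ships is overridden explicitly under `values.*` via `system_default_registry`, so this is presumably harmless today, but any Istio component not listed there would be pulled from docker.io even in an air-gapped install with `releaseMirror.enabled: true`. Either remove the dead reference or record the intent with `# hub is a fallback only; every shipped image is pinned explicitly under values.* below`. `revision: {{ .Values.revision }}` likewise reads a key that values.yaml does not set and renders as an empty value, which is worth a one-line comment if that is deliberate.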
@@ -0,0 +1,37 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ ingressGateways:
+ - enabled: true
+ name: ilb-gateway
+ namespace: user-ingressgateway-ns
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
+ - enabled: true
+ name: other-gateway
+ namespace: cattle-istio-system
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/_helpers.tpl b/charts/rancher-istio/106.1.0+up1.23.2/templates/_helpers.tpl
new file mode 100644
index 0000000000..30b429a800
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "istio.namespace" -}}
+ {{- .Release.Namespace | default "istio-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/admin-role.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/admin-role.yaml
new file mode 100644
index 0000000000..ad1313c4f1
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/admin-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: istio-admin
+ namespace: {{ template "istio.namespace" . }}
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/base-config-map.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/base-config-map.yaml
new file mode 100644
index 0000000000..5323917bc3
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/base-config-map.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-base
+ namespace: {{ template "istio.namespace" . }}
+data:
+{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrole.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrole.yaml
new file mode 100644
index 0000000000..31163f9325
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrole.yaml
@@ -0,0 +1,143 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-installer
+rules:
+# istio groups
+- apiGroups:
+ - extensions.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - install.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - telemetry.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+# k8s groups
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions.apiextensions.k8s.io
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/finalizers
+ - ingresses
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - pods
+ - pods/exec
+ - pods/portforward
+ - persistentvolumeclaims
+ - secrets
+ - services
+ - serviceaccounts
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+{{- if and .Values.global.cattle.psp.enabled }}
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-installer
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrolebinding.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..9d74a04345
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-installer
+subjects:
+- kind: ServiceAccount
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: istio-installer
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/edit-role.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/edit-role.yaml
new file mode 100644
index 0000000000..d1059d58d7
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/edit-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-edit
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
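Review bot: The `istio-installer` ClusterRole grants verb `*` on `clusterroles`, `clusterrolebindings`, `secrets` and `pods/exec` in every namespace, which makes the `istio-installer` ServiceAccount token equivalent to cluster-admin, and the role is permanent even though the only consumer (istio-install-job.yaml) runs as a post-install/post-upgrade hook. istioctl genuinely needs broad rights, so the practical step is to say so: a comment under `rules:` such as `# Effectively cluster-admin: istioctl creates CRDs, webhooks and RBAC for every Istio component. Treat the istio-installer token as a cluster-admin credential and alert on API calls from it outside hook windows.` gives operators the detection hint. `{{- if and .Values.global.cattle.psp.enabled }}` applies `and` to a single argument, which works but reads like a leftover; `{{- if .Values.global.cattle.psp.enabled }}` matches the other templates.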
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-cni-psp.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-cni-psp.yaml
new file mode 100644
index 0000000000..a71561e676
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-cni-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-job.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-job.yaml
new file mode 100644
index 0000000000..c2e362e684
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-job.yaml
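Review bot: `psp-istio-cni` allows `hostNetwork: true`, `allowPrivilegeEscalation: true` and `hostPath` volumes with no `allowedHostPaths`, so any pod running under the `istio-cni` ServiceAccount may mount an arbitrary host path read-write. The CNI node agent does need the host CNI directories, but the PSP can be narrowed to them with `allowedHostPaths: [{pathPrefix: <CNI_BIN_DIR>}, {pathPrefix: <CNI_NET_DIR>}]`, substituting the directories the installer actually configures (not visible in this chunk). A comment stating why `hostNetwork` and privilege escalation are required for the CNI agent would also stop a later reviewer from tightening or loosening it blindly.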
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-installer
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 1
+ template:
+ spec:
+ {{- if .Values.installer.releaseMirror.enabled }}
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "github.com"
+ {{- end }}
+ containers:
+ - name: istioctl-installer
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ - name: FORCE_INSTALL
+ value: {{ .Values.forceInstall | default "false" | quote }}
+ - name: RELEASE_MIRROR_ENABLED
+ value: {{ .Values.installer.releaseMirror.enabled | quote }}
+ - name: SECONDS_SLEEP
+ value: {{ .Values.installer.debug.secondsSleep | quote}}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/run.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{- end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 499
+ runAsGroup: 487
+ restartPolicy: Never
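Review bot: The pod `securityContext` sets `runAsUser: 499` / `runAsGroup: 487` but not `runAsNonRoot: true`, and the container has no `securityContext` at all, so the only thing that enforces non-root and blocks privilege escalation is the PSP in istio-install-psp.yaml, which is off by default. Adding `runAsNonRoot: true` under the existing `securityContext:` and a container-level `securityContext: {allowPrivilegeEscalation: false}` hardens the hook on clusters without PSPs, which matters because this pod holds the cluster-admin-equivalent `istio-installer` token. The `hostAliases` entry that points `github.com` at `127.0.0.1` when `releaseMirror.enabled` is set reads like a mistake without context; a comment such as `# release-mirror mode: presumably pins github.com to localhost so the installer cannot fetch assets from the internet` would capture the intent, to be confirmed against run.sh.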
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-psp.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-psp.yaml
new file mode 100644
index 0000000000..9da3391d40
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-install-psp.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'configMap'
+ - 'secret'
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-psp.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-psp.yaml
new file mode 100644
index 0000000000..cfada1bf7f
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-psp.yaml
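Review bot: This PSP omits `allowPrivilegeEscalation: false` and `requiredDropCapabilities`, both of which istio-psp.yaml in the same chart sets, and leaves `readOnlyRootFilesystem: false`; with `allowPrivilegeEscalation` unset the PSP default permits setuid escalation for the installer pod, the one pod in the chart that carries a cluster-admin-equivalent token. Adding `allowPrivilegeEscalation: false` and `requiredDropCapabilities:` / `- ALL` under `spec:` brings it in line with the other policy, unless istioctl needs a capability, in which case that should be named in a comment. The quoted rule values here (`'MustRunAsNonRoot'`) and the unquoted ones in istio-psp.yaml are the same strings; one style across the chart reads better.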
@@ -0,0 +1,81 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-psp
+subjects:
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ - kind: ServiceAccount
+ name: istiod-service-account
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ - kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-uninstall-job.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-uninstall-job.yaml
new file mode 100644
index 0000000000..0091d0c176
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/istio-uninstall-job.yaml
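Review bot: The RoleBinding's subjects include `name: default`, which lets every pod in the Istio namespace that runs under the default ServiceAccount use this PSP, not only Istio components; that is probably deliberate, but it widens the policy to anything deployed into the namespace and deserves a comment such as `# default SA included so unlabelled workloads in the namespace can still be admitted under PSP`. Several other subjects (`istio-mixer-service-account`, `istio-sidecar-injector-service-account`, `istiocoredns-service-account`) name components that, as far as I know, no longer exist in Istio 1.23; if so they are dead entries and can be dropped so the binding documents what actually runs.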
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-uninstaller
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: istioctl-uninstaller
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{ end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{ end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ restartPolicy: OnFailure
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/overlay-config-map.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/overlay-config-map.yaml
new file mode 100644
index 0000000000..287d26b2c3
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/overlay-config-map.yaml
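Review bot: `"helm.sh/hook-delete-policy": hook-succeeded` without `before-hook-creation`, together with `restartPolicy: OnFailure` and no `backoffLimit`, means a failed uninstall leaves `istioctl-uninstaller` behind and the next `helm uninstall` presumably fails to create the hook because the Job already exists. Using `before-hook-creation,hook-succeeded` as istio-install-job.yaml does, plus an explicit `backoffLimit`, avoids a stuck release. The pod runs as `101`/`101` while the install job using the same image runs as `499`/`487`; if both UIDs are valid in the image a comment explaining the difference would help, otherwise one of them is wrong. The `{{ end }}` tags here (no `-`) leave blank lines in the rendered manifest where the install job uses `{{- end }}`.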
@@ -0,0 +1,9 @@
+{{- if .Values.overlayFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-overlay
+ namespace: {{ template "istio.namespace" . }}
+data:
+ overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
+{{- end }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/service-monitors.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/service-monitors.yaml
new file mode 100644
index 0000000000..c3d60c4fce
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/service-monitors.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.kiali.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: envoy-stats-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-proxies
+spec:
+ selector:
+ matchExpressions:
+ - {key: istio-prometheus-ignore, operator: DoesNotExist}
+ namespaceSelector:
+ any: true
+ jobLabel: envoy-stats
+ endpoints:
+ - path: /stats/prometheus
+ targetPort: 15090
+ interval: 15s
+ relabelings:
+ - sourceLabels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - action: labeldrop
+ regex: "__meta_kubernetes_pod_label_(.+)"
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: namespace
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: pod_name
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: istio-component-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-components
+spec:
+ jobLabel: istio
+ targetLabels: [app]
+ selector:
+ matchExpressions:
+ - {key: istio, operator: In, values: [pilot]}
+ namespaceSelector:
+ any: true
+ endpoints:
+ - port: http-monitoring
+ interval: 15s
+{{- end -}}
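Review bot: Both ServiceMonitors are gated on `.Values.kiali.enabled` rather than on the monitoring CRDs being present, so with kiali enabled (the default) the install fails on a cluster without the Prometheus Operator, and with kiali disabled the envoy and istiod scrape configs vanish even though they are not Kiali-specific. Wrapping the file in `{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" }}` (or a dedicated value) decouples the two. `namespaceSelector: any: true` on `envoy-stats-monitor` scrapes every sidecar in the cluster, which is the intent, but the `labeldrop` of all pod labels silently removes the labels operators usually pivot on during investigations and is worth a one-line comment saying why.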
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/serviceaccount.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..82b6cbb7e6
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/validate-psp-install.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..4b0e5cfb65
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/templates/view-role.yaml b/charts/rancher-istio/106.1.0+up1.23.2/templates/view-role.yaml
new file mode 100644
index 0000000000..5947d3eba9
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/templates/view-role.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-view
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-istio/106.1.0+up1.23.2/values.yaml b/charts/rancher-istio/106.1.0+up1.23.2/values.yaml
new file mode 100644
index 0000000000..ad46defdb6
--- /dev/null
+++ b/charts/rancher-istio/106.1.0+up1.23.2/values.yaml
@@ -0,0 +1,121 @@ +overlayFile: "" +tag: 1.23.2 +##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install +forceInstall: false + +installer: + repository: rancher/istio-installer + tag: 1.23.2-rancher1 + ##releaseMirror are configurations for istio upgrades. + ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal + ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. + releaseMirror: + enabled: false + + ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging + debug: + secondsSleep: 0 + +##Native support for dns added in 1.8 +dns: + enabled: false + +base: + enabled: true + +cni: + enabled: false + repository: rancher/mirrored-istio-install-cni +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + logLevel: info + excludeNamespaces: + - istio-system + - kube-system + +egressGateways: + enabled: false + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +ingressGateways: + enabled: true + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +istiodRemote: + enabled: false + +pilot: + enabled: true + repository: rancher/mirrored-istio-pilot +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + hpaSpec: {} + podDisruptionBudget: {} + +telemetry: + enabled: true + v2: + enabled: true + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + proxy: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the 
following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + proxy_init: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.23.2 + tag: 1.23.2-distroless + defaultPodDisruptionBudget: + enabled: true + +# Kiali subchart from rancher-kiali-server +kiali: + enabled: true + # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ + auth: + strategy: token + server: + web_root: / + deployment: + ingress_enabled: false + external_services: + prometheus: + custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + tracing: + in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" + use_grpc: false + grafana: + in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + +tracing: + enabled: false + contextPath: "/jaeger" + zipkinAddress: zipkin.istio-system.svc:9411 + + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] diff --git a/index.yaml b/index.yaml index 0fa3b54a5f..5177da7b4d 100755 --- a/index.yaml +++ b/index.yaml 
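Review bot: `tracing.zipkinAddress: zipkin.istio-system.svc:9411` and `kiali.external_services.tracing.in_cluster_url` hard-code the `istio-system` namespace, while the chart's `istio.namespace` helper (used by serviceaccount.yaml above) takes the namespace from `.Release.Namespace`, so a release installed elsewhere would point Istio and Kiali at a tracing service in the wrong namespace. The catalog annotation `catalog.cattle.io/namespace: istio-system` suggests this namespace is the intended one, in which case a comment beside those keys, e.g. `# must match the release namespace (see the istio.namespace helper)`, would make the coupling visible; otherwise the values should be derived from the helper where they are consumed. The same four-line troubleshooting comment is repeated verbatim for `cni`, `pilot`, `global.proxy` and `global.proxy_init`; one comment at the top of the file naming the affected `tag` keys would be easier to keep in sync.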
@@ -14172,6 +14172,43 @@ entries: - assets/rancher-gke-operator-crd/rancher-gke-operator-crd-101.0.0+up1.1.5.tgz version: 101.0.0+up1.1.5 rancher-istio: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 + apiVersion: v1 + appVersion: 1.23.2 + created: "2025-02-24T20:30:54.662061-03:00" + dependencies: + - condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 1.89.3 + - condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.60.0 + description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. + digest: 820d2137d9e5850da82bb7b7d7a2ad81fd2d4fcee62144cffba1a1bdd59e2b7e + icon: https://charts.rancher.io/assets/logos/istio.svg + keywords: + - networking + - infrastructure + name: rancher-istio + urls: + - assets/rancher-istio/rancher-istio-106.1.0+up1.23.2.tgz + version: 106.1.0+up1.23.2 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Istio From 989fabe269cd66c99bb5f1134cb6309a6c944573 Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Mon, 24 Feb 2025 20:32:46 -0300 Subject: [PATCH 05/10] update istio 1.24 --- .../1.24/rancher-istio/charts/Chart.yaml | 24 +++ .../1.24/rancher-istio/charts/README.md | 79 ++++++++++ .../1.24/rancher-istio/charts/app-readme.md | 65 ++++++++ .../charts/configs/istio-base.yaml | 145 ++++++++++++++++++ .../rancher-istio/charts/requirements.yaml | 9 ++ .../charts/samples/overlay-example.yaml | 37 +++++ .../charts/templates/_helpers.tpl | 27 ++++ .../charts/templates/admin-role.yaml | 43 ++++++ .../charts/templates/base-config-map.yaml | 7 + .../charts/templates/clusterrole.yaml | 143 +++++++++++++++++ .../charts/templates/clusterrolebinding.yaml | 12 ++ .../charts/templates/edit-role.yaml | 43 ++++++ .../charts/templates/istio-cni-psp.yaml | 51 ++++++ .../charts/templates/istio-install-job.yaml | 66 ++++++++ .../charts/templates/istio-install-psp.yaml | 30 ++++ .../charts/templates/istio-psp.yaml | 81 ++++++++++ .../charts/templates/istio-uninstall-job.yaml | 53 +++++++ .../charts/templates/overlay-config-map.yaml | 9 ++ .../charts/templates/service-monitors.yaml | 51 ++++++ .../charts/templates/serviceaccount.yaml | 5 + .../templates/validate-psp-install.yaml | 7 + .../charts/templates/view-role.yaml | 41 +++++ .../1.24/rancher-istio/charts/values.yaml | 128 ++++++++++++++++ .../dependencies/kiali/dependency.yaml | 2 + .../dependencies/tracing/dependency.yaml | 2 + .../1.24/rancher-istio/package.yaml | 2 + .../overlay/templates/psp.yaml | 67 ++++++++ .../templates/validate-psp-install.yaml | 7 + .../overlay/templates/web-root-configmap.yaml | 12 ++ .../generated-changes/patch/Chart.yaml.patch | 31 ++++ .../patch/templates/_helpers.tpl.patch | 48 ++++++ .../patch/templates/deployment.yaml.patch | 61 ++++++++ .../generated-changes/patch/values.yaml.patch | 39 +++++ .../1.24/rancher-kiali-server/package.yaml | 2 + .../1.24/rancher-tracing/charts/.helmignore | 23 +++ .../1.24/rancher-tracing/charts/Chart.yaml | 12 ++ 
.../1.24/rancher-tracing/charts/README.md | 5 + .../charts/templates/_affinity.tpl | 92 +++++++++++ .../charts/templates/_helpers.tpl | 47 ++++++ .../charts/templates/deployment.yaml | 94 ++++++++++++ .../rancher-tracing/charts/templates/psp.yaml | 76 +++++++++ .../rancher-tracing/charts/templates/pvc.yaml | 16 ++ .../charts/templates/service.yaml | 70 +++++++++ .../charts/templates/serviceaccount.yaml | 9 ++ .../templates/validate-psp-install.yaml | 7 + .../1.24/rancher-tracing/charts/values.yaml | 53 +++++++ .../1.24/rancher-tracing/package.yaml | 2 + 47 files changed, 1935 insertions(+) create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/README.md create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml create mode 
100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/charts/values.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml create mode 100644 packages/rancher-istio/1.24/rancher-istio/package.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch create mode 100644 packages/rancher-istio/1.24/rancher-kiali-server/package.yaml create mode 100644 
packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/README.md create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml create mode 100644 packages/rancher-istio/1.24/rancher-tracing/package.yaml diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml new file mode 100644 index 0000000000..d1b828d9d0 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/Chart.yaml 
@@ -0,0 +1,24 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Istio
+ catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+ catalog.cattle.io/namespace: istio-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
+ catalog.cattle.io/release-name: rancher-istio
+ catalog.cattle.io/requests-cpu: 710m
+ catalog.cattle.io/requests-memory: 2314Mi
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: istio
+ catalog.cattle.io/upstream-version: 1.23.2
+apiVersion: v1
+appVersion: 1.23.2
+description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/
+ for details.
+icon: https://charts.rancher.io/assets/logos/istio.svg
+keywords:
+- networking
+- infrastructure
+name: rancher-istio
+version: 1.23.2
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/README.md b/packages/rancher-istio/1.24/rancher-istio/charts/README.md
new file mode 100644
index 0000000000..2230c61859
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/README.md
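Review bot: This Chart.yaml is added under `packages/rancher-istio/1.24/` in a commit titled "update istio 1.24", yet `appVersion`, `catalog.cattle.io/upstream-version` and `version` all still read `1.23.2`, while the same commit's requirements.yaml moves kiali to 2.1.0 and tracing to 1.63.0 and its app-readme.md refers to `104.5.0+up1.24.1`. Unless the packaging step rewrites these fields from package.yaml, the generated chart and its index entry would advertise the wrong upstream version and the kube-version window `'>= 1.28.0-0 < 1.32.0-0'` would be attached to a 1.23 app version; the three fields should be bumped to the 1.24.x release being packaged.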
@@ -0,0 +1,79 @@ +# Rancher-Istio Chart + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. + +See the app-readme for known issues and deprecations. + +## Installation Requirements + +#### Chart Dependencies +- rancher-monitoring chart or other Prometheus installation + +#### Install +To install the rancher-istio chart with helm, use the following command: +``` +helm install rancher-istio --create-namespace -n istio-system +``` + +#### Uninstall +To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. + +**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** +`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` + +## Addons +The addons that are included with rancher-istio are: + +- Kiali +- Jaeger + +Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. +### Kiali Addon + +Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. + +#### Kiali Dependencies +##### rancher-monitoring chart or other Prometheus installation + +This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. 
+ +#### Prometheus Configuration for Kiali +> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. + +The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. + +To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. + +1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. +1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. + +#### Kiali External Services + +The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. + +##### Prometheus +The `kiali.external_services.prometheus` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Grafana +The `kiali.external_services.grafana` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. 
+ +##### Tracing +The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: +``` +http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} +``` +The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. + +## Jaeger Addon + +Jaeger allows you to trace and monitor distributed microservices. + +> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md b/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md new file mode 100644 index 0000000000..5e2629648c --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/app-readme.md 
@@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
+ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.5.0+up1.24.1` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
+ +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml new file mode 100644 index 0000000000..a5067f8e74 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/configs/istio-base.yaml 
@@ -0,0 +1,145 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: {{ .Values.base.enabled }} + cni: + enabled: {{ .Values.cni.enabled }} + k8s: + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + egressGateways: + - enabled: {{ .Values.egressGateways.enabled }} + name: istio-egressgateway + k8s: + {{- if .Values.egressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.egressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + ingressGateways: + - enabled: {{ .Values.ingressGateways.enabled }} + name: istio-ingressgateway + k8s: + {{- if .Values.ingressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.ingressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31380 + - name: https + port: 443 + targetPort: 8443 + nodePort: 31390 + - name: tcp + port: 31400 + targetPort: 31400 + nodePort: 31400 + - name: tls + port: 15443 + targetPort: 15443 + istiodRemote: + enabled: {{ .Values.istiodRemote.enabled }} + pilot: + enabled: {{ .Values.pilot.enabled }} + k8s: + {{- if .Values.pilot.hpaSpec }} + hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.pilot.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + hub: {{ .Values.systemDefaultRegistry | default "docker.io" }} + profile: default + tag: {{ .Values.tag }} +{{- if .Values.tolerations }} + revision: {{ .Values.revision }} +{{- end }} + meshConfig: + defaultConfig: + {{- if .Values.tracing.enabled }} + tracing: + zipkin: + address: {{ .Values.tracing.zipkinAddress }} + {{- end }} + proxyMetadata: + {{- if .Values.dns.enabled }} + ISTIO_META_DNS_CAPTURE: "true" + {{- end }} + values: + gateways: + istio-egressgateway: + name: istio-egressgateway + type: {{ .Values.egressGateways.type }} + istio-ingressgateway: + name: istio-ingressgateway + type: {{ .Values.ingressGateways.type }} + global: + istioNamespace: {{ template "istio.namespace" . }} + proxy: + image: {{ template "system_default_registry" . 
}}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} + proxy_init: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }} + {{- if .Values.global.defaultPodDisruptionBudget.enabled }} + defaultPodDisruptionBudget: + enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }} + {{- end }} + logAsJson: {{ .Values.global.logAsJson }} + logging: + level: {{ .Values.global.logging.level }} + {{- if .Values.pilot.enabled }} + pilot: + image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }} + {{- end }} + telemetry: + enabled: {{ .Values.telemetry.enabled }} + v2: + enabled: {{ .Values.telemetry.v2.enabled }} + {{- if .Values.cni.enabled }} + cni: + image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }} + excludeNamespaces: + {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }} + logLevel: {{ .Values.cni.logLevel }} + {{- end }} diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml new file mode 100644 index 0000000000..a73e982184 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/requirements.yaml @@ -0,0 +1,9 @@ +dependencies: +- condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 2.1.0 +- condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.63.0 diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml new file mode 100644 index 0000000000..5cf3cf3b0b --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/samples/overlay-example.yaml 
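Review bot: `revision: {{ .Values.revision }}` near the end of `spec` is guarded by `{{- if .Values.tolerations }}`, so a release with tolerations but no revision renders `revision:` with an empty value and one with a revision but no tolerations silently drops it; this looks copied from the tolerations blocks above, and the guard should read `{{- if .Values.revision }}`. `hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}` reads a top-level key, whereas the `system_default_registry` helper and the 1.23.2 values.yaml earlier in this series expose the registry as `global.cattle.systemDefaultRegistry`, so unless the 1.24 values.yaml (not in this chunk) adds a top-level `systemDefaultRegistry`, `hub` is presumably always `docker.io` — relevant for the air-gapped installs the app-readme calls out. Likewise `.Values.global.logAsJson` and `.Values.global.logging.level` have no counterpart in the 1.23.2 values.yaml; if the 1.24 values.yaml does not define `global.logging`, the `.level` lookup on a missing map fails at render time, so it is worth confirming both defaults exist.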
@@ -0,0 +1,37 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ ingressGateways:
+ - enabled: true
+ name: ilb-gateway
+ namespace: user-ingressgateway-ns
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
+ - enabled: true
+ name: other-gateway
+ namespace: cattle-istio-system
+ k8s:
+ resources:
+ requests:
+ cpu: 200m
+ service:
+ ports:
+ - name: tcp-citadel-grpc-tls
+ port: 8060
+ targetPort: 8060
+ - name: tcp-dns
+ port: 5353
+ serviceAnnotations:
+ cloud.google.com/load-balancer-type: internal
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl b/packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl
new file mode 100644
index 0000000000..30b429a800
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "istio.namespace" -}}
+ {{- .Release.Namespace | default "istio-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml
new file mode 100644
index 0000000000..ad1313c4f1
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/admin-role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: istio-admin
+ namespace: {{ template "istio.namespace" . }}
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs:
+ - '*'
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs:
+ - '*'
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml
new file mode 100644
index 0000000000..5323917bc3
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/base-config-map.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-base
+ namespace: {{ template "istio.namespace" . }}
+data:
+{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml
new file mode 100644
index 0000000000..31163f9325
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrole.yaml
@@ -0,0 +1,143 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-installer +rules: +# istio groups +- apiGroups: + - extensions.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - telemetry.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - ingresses + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/exec + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + verbs: + - 'get' + - 'list' + - 'watch' +{{- if and .Values.global.cattle.psp.enabled }} +- 
apiGroups: + - policy + resourceNames: + - istio-installer + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..9d74a04345 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-installer +subjects: +- kind: ServiceAccount + name: istio-installer + namespace: {{ template "istio.namespace" . }} +roleRef: + kind: ClusterRole + name: istio-installer + apiGroup: rbac.authorization.k8s.io diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml new file mode 100644 index 0000000000..d1059d58d7 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/edit-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-edit +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' 
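Review bot: The `istio-installer` ClusterRole grants `'*'` on `secrets`, `pods/exec`, `pods/portforward`, `clusterroles` and `clusterrolebindings` across the cluster, which makes the ServiceAccount bound in clusterrolebinding.yaml (same line) cluster-admin-equivalent; if istioctl needs that scope, a comment above `# k8s groups` such as `# NOTE: cluster-admin-equivalent grants (secrets, pods/exec, RBAC objects); treat the istio-installer SA accordingly` saves the next reviewer from re-deriving it. `{{- if and .Values.global.cattle.psp.enabled }}` applies `and` to a single argument, so `{{- if .Values.global.cattle.psp.enabled }}` is the intended form and matches the other templates. `customresourcedefinitions.apiextensions.k8s.io` duplicates `customresourcedefinitions` in the apiextensions rule and can go.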
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml
new file mode 100644
index 0000000000..a71561e676
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-cni-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml
new file mode 100644
index 0000000000..c2e362e684
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-job.yaml
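Review bot: The `psp-istio-cni` PodSecurityPolicy lists `hostPath` under `volumes` with no `allowedHostPaths`, so while PSPs are enabled the `istio-cni` ServiceAccount may mount any directory on the node rather than only the CNI binary and config directories it needs; adding an `allowedHostPaths` list restricted to those paths (read-only where the CNI only reads) is the standard hardening for a host-networked daemon. The policy also leaves `requiredDropCapabilities` and `readOnlyRootFilesystem` unset, unlike `istio-psp` on L184 which drops `ALL`; if the CNI installer genuinely needs more, a comment on `allowPrivilegeEscalation: true` stating which operation needs it would make the exception reviewable. `policy/v1beta1` PodSecurityPolicy is gone from Kubernetes 1.25+, so this block only ever renders on older clusters and validate-psp-install.yaml (L187) is the only guard.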
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-installer
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 1
+ template:
+ spec:
+ {{- if .Values.installer.releaseMirror.enabled }}
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "github.com"
+ {{- end }}
+ containers:
+ - name: istioctl-installer
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ - name: FORCE_INSTALL
+ value: {{ .Values.forceInstall | default "false" | quote }}
+ - name: RELEASE_MIRROR_ENABLED
+ value: {{ .Values.installer.releaseMirror.enabled | quote }}
+ - name: SECONDS_SLEEP
+ value: {{ .Values.installer.debug.secondsSleep | quote}}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/run.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{- end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 499
+ runAsGroup: 487
+ restartPolicy: Never
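Review bot: The pod-level `securityContext` sets only `runAsUser: 499` and `runAsGroup: 487`; without `runAsNonRoot: true`, a container-level `allowPrivilegeEscalation: false`, dropped capabilities and a seccomp profile, the installer relies entirely on the PSP in istio-install-psp.yaml (L183), which is off by default and unavailable on Kubernetes 1.25+. The uninstall job on L185 has the same gap and runs the same image as uid 101/101, so one of the two uid pairs is presumably not what the image expects—worth confirming against the image. `value: {{ .Release.Name }}` should be `value: {{ .Release.Name | quote }}` like the other env entries, because a release name that looks like a number or boolean is otherwise mis-typed by the YAML parser. The `hostAliases` block deserves a comment, e.g. `# releaseMirror: pin github.com to loopback so the installer can only use the assets bundled in the image`, since the intent is not obvious from the manifest.
```yaml
      containers:
        - name: istioctl-installer
          # … unchanged: image, env, command, args, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
      # … unchanged: volumes, serviceAccountName, nodeSelector, tolerations …
      securityContext:
        runAsNonRoot: true
        runAsUser: 499
        runAsGroup: 487
        seccompProfile:
          type: RuntimeDefault
      restartPolicy: Never
```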
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml
new file mode 100644
index 0000000000..9da3391d40
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-install-psp.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'configMap'
+ - 'secret'
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml
new file mode 100644
index 0000000000..cfada1bf7f
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-psp.yaml
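Review bot: The `istio-installer` PodSecurityPolicy leaves `allowPrivilegeEscalation` unset, which defaults to allowed, and sets no `requiredDropCapabilities`, whereas `istio-psp` on L184 sets `allowPrivilegeEscalation: false` and drops `ALL`; a short-lived istioctl run has no reason for the looser profile, so add `allowPrivilegeEscalation: false` and `requiredDropCapabilities: - ALL` under `spec`. The `volumes` list (`configMap`, `secret`) matches what the install job on L182 actually mounts, which is the right shape for this policy.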
@@ -0,0 +1,81 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-psp
+subjects:
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ - kind: ServiceAccount
+ name: istiod-service-account
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ - kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-psp
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml
new file mode 100644
index 0000000000..0091d0c176
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/istio-uninstall-job.yaml
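Review bot: The `istio-psp` RoleBinding lists `istio-mixer-service-account`, `istio-sidecar-injector-service-account` and `istiocoredns-service-account`, which as far as I can tell belong to components that no longer ship with Istio 1.24, and it also binds the `default` ServiceAccount, which extends PSP `use` to every pod in the namespace that does not set its own account. Prune the stale subjects and, if `default` must stay, say why next to it, e.g. `# default SA: <which pods rely on it> — confirm`, so the widening is deliberate rather than inherited. The PodSecurityPolicy body itself (non-root, all capabilities dropped, no privilege escalation, sysctls forbidden) is a sound restricted profile.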
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istioctl-uninstaller
+ namespace: {{ template "istio.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: istioctl-uninstaller
+ image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
+ env:
+ - name: RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: ISTIO_NAMESPACE
+ value: {{ template "istio.namespace" . }}
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /app/istio-base.yaml
+ subPath: istio-base.yaml
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ mountPath: /app/overlay-config.yaml
+ subPath: overlay-config.yaml
+ {{ end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio-installer-base
+ {{- if .Values.overlayFile }}
+ - name: overlay-volume
+ configMap:
+ name: istio-installer-overlay
+ {{ end }}
+ serviceAccountName: istio-installer
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ restartPolicy: OnFailure
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml
new file mode 100644
index 0000000000..287d26b2c3
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/overlay-config-map.yaml
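Review bot: Both overlay-volume blocks close with `{{ end }}` instead of `{{- end }}` as in istio-install-job.yaml (L182); the rendered manifest stays valid but carries stray blank lines, so `{{- end }}` in both places keeps the two jobs consistent. `spec` has no `backoffLimit` while `restartPolicy: OnFailure` is set, so a failing pre-delete hook retries six times by default and, with `hook-delete-policy: hook-succeeded` alone, the failed Job is left behind and blocks the uninstall; `backoffLimit: 1` and `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`, matching the install job, avoid that. The unquoted `value: {{ .Release.Name }}` and the minimal pod `securityContext` raised on the install job apply here unchanged.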
@@ -0,0 +1,9 @@
+{{- if .Values.overlayFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-installer-overlay
+ namespace: {{ template "istio.namespace" . }}
+data:
+ overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml
new file mode 100644
index 0000000000..c3d60c4fce
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/service-monitors.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.kiali.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: envoy-stats-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-proxies
+spec:
+ selector:
+ matchExpressions:
+ - {key: istio-prometheus-ignore, operator: DoesNotExist}
+ namespaceSelector:
+ any: true
+ jobLabel: envoy-stats
+ endpoints:
+ - path: /stats/prometheus
+ targetPort: 15090
+ interval: 15s
+ relabelings:
+ - sourceLabels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - action: labeldrop
+ regex: "__meta_kubernetes_pod_label_(.+)"
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: namespace
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: pod_name
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: istio-component-monitor
+ namespace: {{ template "istio.namespace" . }}
+ labels:
+ monitoring: istio-components
+spec:
+ jobLabel: istio
+ targetLabels: [app]
+ selector:
+ matchExpressions:
+ - {key: istio, operator: In, values: [pilot]}
+ namespaceSelector:
+ any: true
+ endpoints:
+ - port: http-monitoring
+ interval: 15s
+{{- end -}}
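Review bot: Both ServiceMonitors are gated on `.Values.kiali.enabled`, yet they configure Prometheus scraping of envoy and istiod metrics, which is useful whether or not Kiali is deployed; if the coupling is deliberate because Kiali is the only consumer Rancher wires up, a comment above the `if` such as `# Rendered with Kiali only: these scrape jobs feed the prometheus URL configured under kiali.external_services` records that, otherwise a dedicated value is cleaner. `namespaceSelector: any: true` on `envoy-stats-monitor` makes the job scrape every namespace, which is the intended mesh-wide behaviour but worth a one-line comment next to it so nobody narrows it by accident.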
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..82b6cbb7e6
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-installer
+ namespace: {{ template "istio.namespace" . }}
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..4b0e5cfb65
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml
new file mode 100644
index 0000000000..5947d3eba9
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/templates/view-role.yaml
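Review bot: The leading `#` on every line of validate-psp-install.yaml does not disable the template actions: Helm evaluates `{{ ... }}` inside YAML comments, so as far as I can tell the `lookup`/`fail` check still runs on a real install when `global.cattle.psp.enabled` is true and `policy/v1beta1/PodSecurityPolicy` is absent, and the `#` characters are merely emitted into the rendered output. If the check is meant to be live, drop the `#` prefixes so the intent is obvious; if it is meant to be off, remove the file instead of commenting it. The kiali overlay copy on L193 has the same shape, and this file also lacks a trailing newline.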
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ namespace: {{ template "istio.namespace" . }}
+ name: istio-view
+rules:
+ - apiGroups:
+ - config.istio.io
+ resources:
+ - adapters
+ - attributemanifests
+ - handlers
+ - httpapispecbindings
+ - httpapispecs
+ - instances
+ - quotaspecbindings
+ - quotaspecs
+ - rules
+ - templates
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ - envoyfilters
+ - gateways
+ - serviceentries
+ - sidecars
+ - virtualservices
+ - workloadentries
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ - peerauthentications
+ - requestauthentications
+ verbs: ["get", "watch", "list"]
diff --git a/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml b/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml
new file mode 100644
index 0000000000..997cb20bb2
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/charts/values.yaml
@@ -0,0 +1,128 @@ +overlayFile: "" +tag: 1.24.1 +##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install +forceInstall: false + +installer: + repository: rancher/istio-installer + tag: 1.24.1-rancher1 + ##releaseMirror are configurations for istio upgrades. + ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal + ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. + releaseMirror: + enabled: false + + ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging + debug: + secondsSleep: 0 + +##Native support for dns added in 1.8 +dns: + enabled: false + +base: + enabled: true + +cni: + enabled: false + repository: rancher/mirrored-istio-install-cni +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + logLevel: info + excludeNamespaces: + - istio-system + - kube-system + +egressGateways: + enabled: false + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +ingressGateways: + enabled: true + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +istiodRemote: + enabled: false + +pilot: + enabled: true + repository: rancher/mirrored-istio-pilot +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + hpaSpec: {} + podDisruptionBudget: {} + +telemetry: + enabled: true + v2: + enabled: true + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + proxy: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the 
following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + proxy_init: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + defaultPodDisruptionBudget: + enabled: true +# To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false +# Comma-separated minimum per-scope logging level of messages to output, in the form of :,: +# The control plane has different scopes depending on component, but can configure default log level across all components +# If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + +# Kiali subchart from rancher-kiali-server +kiali: + enabled: true + # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ + auth: + strategy: token + server: + web_root: / + deployment: + ingress_enabled: false + external_services: + prometheus: + custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + tracing: + in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" + use_grpc: false + grafana: + in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + +tracing: + enabled: false + contextPath: "/jaeger" + zipkinAddress: zipkin.istio-system.svc:9411 + + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] 
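Review bot: `cni.excludeNamespaces`, `tracing.zipkinAddress` (`zipkin.istio-system.svc:9411`) and `kiali.external_services.tracing.in_cluster_url` hard-code `istio-system`, while every template in this patch places resources in the release namespace via the `istio.namespace` helper (L177) and the kiali Chart annotation on L194 names `cattle-istio-system`; a release installed anywhere else gets a CNI that does not exclude the control-plane namespace and a Kiali that points at the wrong tracing service. Either state in a comment that the chart must be installed in `istio-system`, or derive these endpoints from the release namespace. The top-level `tag: 1.24.1` is not referenced by any template here (they read `installer.tag` and the per-component `tag` keys); if the installer scripts consume it, a comment such as `# tag: Istio release installed by the istioctl job (read by the installer scripts, not by templates)` would explain why it exists. The `forceInstall` comment still describes a check for "istio version < 1.6.x", which is stale for 1.24, and the `##` comments should carry a space after the hashes.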
diff --git a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
new file mode 100644
index 0000000000..4f796a73a1
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: packages/rancher-istio/1.24/rancher-kiali-server
diff --git a/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
new file mode 100644
index 0000000000..f59bcaa7b2
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: packages/rancher-istio/1.24/rancher-tracing
diff --git a/packages/rancher-istio/1.24/rancher-istio/package.yaml b/packages/rancher-istio/1.24/rancher-istio/package.yaml
new file mode 100644
index 0000000000..c60790ebd0
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-istio/package.yaml
@@ -0,0 +1,2 @@
+url: local
+version: 106.2.0+up1.24.1
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
new file mode 100644
index 0000000000..e31d706d4b
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "kiali-server.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: kiali
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "kiali-server.fullname" . }}-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
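Review bot: The RoleBinding subject is the hard-coded ServiceAccount `kiali`, while the Role and PodSecurityPolicy it ties together are named from `kiali-server.fullname`; if the subchart's ServiceAccount name is also derived from fullname (its serviceaccount.yaml is not in this chunk), a non-default release name leaves the binding pointing at an account that does not exist and the Kiali pod fails PSP admission. Using the same helper, `name: {{ include "kiali-server.fullname" . }}`, or a comment explaining why `kiali` is fixed, removes the ambiguity. As with the parent chart's PSP templates, `namespace:` on the cluster-scoped PodSecurityPolicy is ignored.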
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
new file mode 100644
index 0000000000..970d4e4f5d
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.web_root_override }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+data:
+ env.js: |
+ window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
new file mode 100644
index 0000000000..2052836ad7
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
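Review bot: `window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/...'` interpolates `clusterId` without any check, and the values patch on L198 leaves it as a bare `clusterId:` (null), so with the default `web_root_override: true` the console ships a proxy path containing a nil rendering. Wrapping it as `{{ required "global.cattle.clusterId is required when web_root_override is true" .Values.global.cattle.clusterId }}` fails at render time instead of at first page load. Because the value lands inside a single-quoted JS string literal with no escaping, a comment above `env.js` stating that `clusterId` must be a plain Rancher cluster id (no quotes or slashes) documents the contract the template silently assumes.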
@@ -0,0 +1,31 @@ +--- charts-original/Chart.yaml ++++ charts/Chart.yaml +@@ -1,17 +1,26 @@ ++annotations: ++ catalog.cattle.io/hidden: "true" ++ catalog.cattle.io/os: linux ++ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1 ++ catalog.rancher.io/namespace: cattle-istio-system ++ catalog.rancher.io/release-name: rancher-kiali-server + apiVersion: v2 + appVersion: v2.1.0 + description: Kiali is an open source project for service mesh observability, refer +- to https://www.kiali.io for details. ++ to https://www.kiali.io for details. This is installed as sub-chart with customized ++ values in Rancher's Istio. + home: https://github.com/kiali/kiali + icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg + keywords: + - istio + - kiali ++- networking ++- infrastructure + maintainers: + - email: kiali-users@googlegroups.com + name: Kiali + url: https://kiali.io +-name: kiali-server ++name: rancher-kiali-server + sources: + - https://github.com/kiali/kiali + - https://github.com/kiali/kiali-operator diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch new file mode 100644 index 0000000000..b4fe577065 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch 
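Review bot: The kiali Chart annotation `catalog.rancher.io/namespace: cattle-istio-system` disagrees with the tracing subchart's `catalog.rancher.io/namespace: istio-system` (L199) and with the `istio-system` endpoints hard-coded in the parent values.yaml (L189-L190); both are hidden subcharts that, as far as I understand Helm, render into the parent's release namespace, so the annotations are informational but should at least agree with each other and with the parent. Pick one namespace and use it in both Chart.yaml files, or drop the annotation from the subcharts. The added `catalog.cattle.io/os: linux` next to `catalog.rancher.io/...` keys mixes two annotation prefixes; if both are consumed by Rancher that is fine, but a note in the patch header would save the question.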
@@ -0,0 +1,48 @@ +--- charts-original/templates/_helpers.tpl ++++ charts/templates/_helpers.tpl +@@ -46,8 +46,15 @@ + Selector labels + */}} + {{- define "kiali-server.selectorLabels" -}} ++{{- $releaseName := .Release.Name -}} ++{{- $fullName := include "kiali-server.fullname" . -}} ++{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} + app.kubernetes.io/name: kiali +-app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }} ++{{- if (and .Release.IsUpgrade $deployment)}} ++app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} ++{{- else }} ++app.kubernetes.io/instance: {{ $fullName }} ++{{- end }} + {{- end }} + + {{/* +@@ -167,6 +174,28 @@ + {{- .Release.Namespace }} + {{- end }} + {{- end }} ++{{- define "system_default_registry" -}} ++{{- if .Values.global.cattle.systemDefaultRegistry -}} ++{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} ++{{- else -}} ++{{- "" -}} ++{{- end -}} ++{{- end -}} ++ ++{{/* ++Windows cluster will add default taint for linux nodes, ++add below linux tolerations to workloads could be scheduled to those linux nodes ++*/}} ++{{- define "linux-node-tolerations" -}} ++- key: "cattle.io/os" ++ value: "linux" ++ effect: "NoSchedule" ++ operator: "Equal" ++{{- end -}} ++ ++{{- define "linux-node-selector" -}} ++kubernetes.io/os: linux ++{{- end -}} + + {{/* + Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch new file mode 100644 index 0000000000..bc58c3d723 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch 
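Review bot: The `kiali-server.selectorLabels` change uses `lookup` to keep the live Deployment's `app.kubernetes.io/instance` label on upgrade, but nothing says why; a comment above the `$deployment` line such as `{{/* On upgrade, reuse the existing Deployment's instance label: the selector is immutable, so a renamed instance would fail the upgrade. lookup returns nothing under helm template/dry-run, so the fullname fallback is used then. */}}` captures the intent. The appended `system_default_registry`, `linux-node-tolerations` and `linux-node-selector` defines duplicate the parent chart's _helpers.tpl (L177); named templates are global across a Helm release, so whichever is loaded last wins, which is harmless while the bodies are identical but deserves a one-line comment that they must stay in sync with the parent.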
@@ -0,0 +1,61 @@ +--- charts-original/templates/deployment.yaml ++++ charts/templates/deployment.yaml +@@ -65,7 +65,7 @@ + {{- end }} + {{- end }} + containers: +- - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}" ++ - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: +@@ -131,6 +131,11 @@ + value: {{ .value | quote }} + {{- end }} + volumeMounts: ++ {{- if .Values.web_root_override }} ++ - name: kiali-console ++ subPath: env.js ++ mountPath: /opt/kiali/console/env.js ++ {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert +@@ -158,6 +163,14 @@ + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: ++ {{- if .Values.web_root_override }} ++ - name: kiali-console ++ configMap: ++ name: kiali-console ++ items: ++ - key: env.js ++ path: env.js ++ {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} +@@ -218,13 +231,13 @@ + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} +- {{- if .Values.deployment.tolerations }} +- tolerations: +- {{- toYaml .Values.deployment.tolerations | nindent 8 }} +- {{- end }} +- {{- if .Values.deployment.node_selector }} +- nodeSelector: +- {{- toYaml .Values.deployment.node_selector | nindent 8 }} +- {{- end }} ++ tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} ++{{- if .Values.deployment.tolerations }} ++{{ toYaml .Values.deployment.tolerations | indent 8 }} ++{{- end }} ++ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} ++{{- if .Values.deployment.node_selector }} ++{{ toYaml .Values.deployment.node_selector | indent 8 }} ++{{- end }} + ... + {{- end }} +\ No newline at end of file diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch new file mode 100644 index 0000000000..961de338d1 --- /dev/null +++ b/packages/rancher-istio/1.24/rancher-kiali-server/generated-changes/patch/values.yaml.patch 
@@ -0,0 +1,39 @@
+--- charts-original/values.yaml
++++ charts/values.yaml
+@@ -6,6 +6,8 @@
+ # do this, a PR would be welcome.
+ kiali_route_url: ""
+ 
++# rancher specific override that allows proxy access to kiali url
++web_root_override: true
+ #
+ # Settings that mimic the Kiali CR which are placed in the ConfigMap.
+ # Note that only those values used by the Helm Chart will be here.
+@@ -49,10 +51,10 @@
+ api_version: "autoscaling/v2"
+ spec: {}
+ image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@")
+- image_name: quay.io/kiali/kiali
++ repository: rancher/mirrored-kiali-kiali
+ image_pull_policy: "Always"
+ image_pull_secrets: []
+- image_version: v2.1.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash
++ tag: v2.1.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash
+ ingress:
+ additional_labels: {}
+ class_name: "nginx"
+@@ -112,3 +114,13 @@
+ enabled: true
+ port: 9090
+ web_root: ""
++
++# Common settings used among istio subcharts.
++global:
++ # Specify rancher clusterId of external tracing config
++ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
++ cattle:
++ systemDefaultRegistry: ""
++ clusterId:
++ psp:
++ enabled: false
+\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml b/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml
new file mode 100644
index 0000000000..88936168db
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-kiali-server/package.yaml
@@ -0,0 +1,2 @@
+url: https://kiali.org/helm-charts/kiali-server-2.1.0.tgz
+doNotRelease: true
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore b/packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
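Review bot: `clusterId:` is added as a bare key with no value, which YAML reads as null rather than the empty string its sibling `systemDefaultRegistry: ""` uses, so a template that concatenates or `quote`s it will see `<nil>` instead of `""`. Writing `clusterId: ""` makes the two settings behave the same way when unset. The comment above it refers to an external tracing config, but none of the templates in this patch read `clusterId`; if a parent chart consumes it, naming that consumer in the comment would save the next reader a search.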
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml
new file mode 100644
index 0000000000..94b067974d
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/Chart.yaml
@@ -0,0 +1,12 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.rancher.io/certified: rancher
+ catalog.rancher.io/namespace: istio-system
+ catalog.rancher.io/release-name: rancher-tracing
+apiVersion: v1
+appVersion: 1.63.0
+description: A quick start Jaeger Tracing installation using the all-in-one demo.
+ This is not production qualified. Refer to https://www.jaegertracing.io/ for details.
+name: rancher-tracing
+version: 1.63.0
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/README.md b/packages/rancher-istio/1.24/rancher-tracing/charts/README.md
new file mode 100644
index 0000000000..25534c6288
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/README.md
@@ -0,0 +1,5 @@
+# Jaeger
+
+A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
+
+> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl
new file mode 100644
index 0000000000..bf6a9aee5c
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_affinity.tpl
@@ -0,0 +1,92 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+{{- define "nodeAffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .Values.podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if or .Values.podAntiAffinityTermLabelSelector}}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl
new file mode 100644
index 0000000000..09c6b05467
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/_helpers.tpl
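Review bot: `{{- if or .Values.podAntiAffinityTermLabelSelector}}` in `podAntiAffinity` applies `or` to a single operand, which is a no-op, and is the only action in the file without a space before `}}`; `{{- if .Values.podAntiAffinityTermLabelSelector }}` reads like the `if` a few lines above it. Separately, `nodeAffinityRequiredDuringScheduling` places a hard requirement on the `beta.kubernetes.io/arch` label; that label has been deprecated in favour of `kubernetes.io/arch`, and if a target cluster stops setting it the pod becomes unschedulable, so it is worth confirming against the Kubernetes versions this chart is released for.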
@@ -0,0 +1,47 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tracing.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tracing.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml
new file mode 100644
index 0000000000..f8a6828085
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/deployment.yaml
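Review bot: `system_default_registry` is the only helper in this file without the descriptive comment block the other defines carry, and its contract — the registry with a trailing `/`, or an empty string — is what every image line in the chart relies on. A short header would make that explicit: `{{/* Image prefix: global.cattle.systemDefaultRegistry with a trailing "/", or empty when unset. */}}`. The `{{- else -}}{{- "" -}}` branch renders nothing and could be dropped without changing output; that is a style point only.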
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Values.provider }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+{{- if .Values.jaeger.podAnnotations }}
+{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: jaeger
+ image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ env:
+ {{- if eq .Values.jaeger.spanStorageType "badger" }}
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ {{- end }}
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: "9411"
+ - name: MEMORY_MAX_TRACES
+ value: "{{ .Values.jaeger.memory.max_traces }}"
+ - name: QUERY_BASE_PATH
+ value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+{{- end }}
+ resources:
+{{- if .Values.jaeger.resources }}
+{{ toYaml .Values.jaeger.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeAffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.global.cattle.psp.enabled }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ {{- end }}
+ serviceAccountName: {{ include "tracing.fullname" . }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if eq .Values.jaeger.spanStorageType "badger" }}
+ volumes:
+ - name: data
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+ persistentVolumeClaim:
+ claimName: istio-jaeger-pvc
+{{- else }}
+ emptyDir: {}
+{{- end }}
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml
new file mode 100644
index 0000000000..4d5c271e1b
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/psp.yaml
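Review bot: The pod `securityContext` (`runAsNonRoot: true`, `runAsUser: 1000`) is rendered only when `global.cattle.psp.enabled` is true, and values.yaml in this commit defaults that to false, so in the default configuration the jaeger container runs with no securityContext at all; neither branch sets any container-level hardening (`allowPrivilegeEscalation`, dropped capabilities, seccomp) either. Whether a PodSecurityPolicy object is created is a separate question from whether the workload should run as non-root, and since the PSP API no longer exists on recent Kubernetes the guard switches the hardening off exactly where it matters most. I would render the pod securityContext unconditionally and add a container securityContext as below; uid 1000 is the chart's own assumption, and a badger directory on a PVC may additionally need `fsGroup` — worth confirming against the image. The `QUERY_BASE_PATH` value is also emitted as a plain scalar with stray spaces; `value: {{ .Values.contextPath | default (printf "/%s" .Values.provider) | quote }}` keeps it a string.
```yaml
      containers:
        - name: jaeger
          image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: imagePullPolicy, env, probes, volumeMounts, resources …
      # … unchanged: affinity …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: {{ include "tracing.fullname" . }}
```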
@@ -0,0 +1,76 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tracing.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tracing.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "tracing.fullname" . }}
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - secret
+ - persistentVolumeClaim
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml
new file mode 100644
index 0000000000..9b4c55e4fb
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/pvc.yaml
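Review bot: The `PodSecurityPolicy` is cluster-scoped, yet its metadata carries `namespace: {{ .Release.Namespace }}`; the API server ignores the field, and the resulting cluster-wide name `{{ include "tracing.fullname" . }}` is shared by every release of this chart, so a second install in another namespace would conflict with the first over the same PSP object. Dropping the `namespace:` line on the PSP and namespacing its name — `name: {{ .Release.Namespace }}-{{ include "tracing.fullname" . }}` here and in the Role's `resourceNames` — addresses both. The whole file is behind `global.cattle.psp.enabled`, which validate-psp-install.yaml is meant to gate, so the `policy/v1beta1` apiVersion only bites when that value is turned on without the check. A style nit: `runAsGroup.ranges` lists `min` before `max` while `fsGroup` and `supplementalGroups` list `max` first.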
@@ -0,0 +1,16 @@
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-jaeger-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+spec:
+ storageClassName: {{ .Values.jaeger.storageClassName }}
+ accessModes:
+ - {{ .Values.jaeger.accessMode }}
+ resources:
+ requests:
+ storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
+{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml
new file mode 100644
index 0000000000..3ee5a54247
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/service.yaml
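Review bot: `storageClassName: {{ .Values.jaeger.storageClassName }}` renders an empty value when the values default `""` is in effect, and an empty (null) `storageClassName` on a PVC asks for the cluster's default StorageClass, whereas an explicit `""` disables dynamic provisioning; the template therefore cannot express the second meaning and the `""` default reads as if it did. Either document on the value that empty means "cluster default class", or emit the field only when set: `{{- with .Values.jaeger.storageClassName }} storageClassName: {{ . | quote }} {{- end }}`. The `{{.Values.jaeger.persistentVolumeClaim.storage }}` action is also missing the space after `{{` used everywhere else in the file.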
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.service.externalPort }}
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: {{ .Values.provider }}
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: zipkin
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - name: {{ .Values.service.name }}
+ port: {{ .Values.zipkin.queryPort }}
+ targetPort: {{ .Values.zipkin.queryPort }}
+ selector:
+ app: {{ .Values.provider }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ - port: 4317
+ name: grpc-otel
+ - port: 4318
+ name: http-otel
+ selector:
+ app: {{ .Values.provider }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..1bff77ff66
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/serviceaccount.yaml
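Review bot: The `tracing` Service takes `type: {{ .Values.service.type }}` in front of the query UI on port 16686, and nothing in this chart puts authentication in front of that UI; any value other than ClusterIP (NodePort, LoadBalancer) publishes all collected trace data to whatever can reach the node or load balancer, so the value deserves a comment in values.yaml stating that external exposure should go through an authenticated ingress or the Rancher proxy. The `jaeger-collector` Service is pinned to ClusterIP, which is right, but its `grpc-otel` and `http-otel` ports omit the `protocol: TCP` their sibling ports declare and use a different key order; `- name: grpc-otel`, `port: 4317`, `protocol: TCP` matches the rest.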
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml
new file mode 100644
index 0000000000..4929fb82a4
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/charts/values.yaml
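Review bot: The leading `#` on every line of validate-psp-install.yaml does not disable the template actions: Helm evaluates `{{- if ... }}` and `fail` before the rendered text is parsed as YAML, and the `#` only keeps whatever survives rendering a comment. That is presumably intended, but a reader will assume the check is commented out, so a first line saying so would help: `# NOTE: the actions below still run at render time; the leading '#' only keeps the rendered output a valid YAML comment.` The outer `if` also relies on `lookup`, which returns an empty result under `helm template` and dry-run, so the PSP check fires only against a live cluster — worth stating in the same comment.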
@@ -0,0 +1,53 @@
+provider: jaeger
+contextPath: ""
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+nameOverride: ""
+fullnameOverride: ""
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ defaultResources: {}
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets: []
+ arch:
+ arm64: 2
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+ defaultNodeSelector:
+ kubernetes.io/os: linux
+ rbac:
+ pspEnabled: false
+
+jaeger:
+ repository: rancher/mirrored-jaegertracing-all-in-one
+ tag: 1.63.0
+ # spanStorageType value can be "memory" and "badger" for all-in-one image
+ spanStorageType: badger
+ resources:
+ requests:
+ cpu: 10m
+ persistentVolumeClaim:
+ enabled: false
+ storage: 5Gi
+ storageClassName: ""
+ accessMode: ReadWriteMany
+ memory:
+ max_traces: 50000
+zipkin:
+ queryPort: 9411
+service:
+ annotations: {}
+ name: http-query
+ type: ClusterIP
+ externalPort: 16686
diff --git a/packages/rancher-istio/1.24/rancher-tracing/package.yaml b/packages/rancher-istio/1.24/rancher-tracing/package.yaml
new file mode 100644
index 0000000000..27691a8e3f
--- /dev/null
+++ b/packages/rancher-istio/1.24/rancher-tracing/package.yaml
@@ -0,0 +1,2 @@
+url: local
+doNotRelease: true
\ No newline at end of file
From 7f2becc6bf69031a7e24f86491ad36a6345575e5 Mon Sep 17 00:00:00 2001
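Review bot: `global.rbac.pspEnabled: false` is not read by any template in this chart — deployment.yaml, psp.yaml and validate-psp-install.yaml all key on `global.cattle.psp.enabled` — so flipping it has no effect unless a parent chart consumes it; remove it or add a comment naming `cattle.psp.enabled` as the effective switch. `jaeger.tag: 1.63.0` happens to parse as a string, but a future two-component tag such as `1.7` would become a float; `tag: "1.63.0"` is safer. `accessMode: ReadWriteMany` for a single-replica Deployment requests a mode many provisioners cannot satisfy, which leaves the PVC Pending; `ReadWriteOnce` is enough unless the volume is shared elsewhere — confirm before changing.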
From: Diogo Souza Date: Mon, 24 Feb 2025 20:33:31 -0300 Subject: [PATCH 06/10] make charts --- .../rancher-istio-106.2.0+up1.24.1.tgz | Bin 0 -> 21084 bytes .../rancher-istio/106.2.0+up1.24.1/Chart.yaml | 24 ++ .../rancher-istio/106.2.0+up1.24.1/README.md | 79 ++++++ .../106.2.0+up1.24.1/app-readme.md | 65 +++++ .../106.2.0+up1.24.1/charts/kiali/Chart.yaml | 28 ++ .../charts/kiali/templates/NOTES.txt | 20 ++ .../charts/kiali/templates/_helpers.tpl | 221 ++++++++++++++++ .../charts/kiali/templates/cabundle.yaml | 15 ++ .../charts/kiali/templates/configmap.yaml | 30 +++ .../charts/kiali/templates/deployment.yaml | 243 ++++++++++++++++++ .../charts/kiali/templates/hpa.yaml | 19 ++ .../charts/kiali/templates/ingress.yaml | 64 +++++ .../charts/kiali/templates/oauth.yaml | 31 +++ .../charts/kiali/templates/psp.yaml | 67 +++++ .../charts/kiali/templates/role-viewer.yaml | 103 ++++++++ .../charts/kiali/templates/role.yaml | 110 ++++++++ .../charts/kiali/templates/rolebinding.yaml | 24 ++ .../charts/kiali/templates/route.yaml | 36 +++ .../charts/kiali/templates/service.yaml | 53 ++++ .../kiali/templates/serviceaccount.yaml | 9 + .../kiali/templates/validate-psp-install.yaml | 7 + .../kiali/templates/web-root-configmap.yaml | 12 + .../106.2.0+up1.24.1/charts/kiali/values.yaml | 126 +++++++++ .../charts/tracing/.helmignore | 23 ++ .../charts/tracing/Chart.yaml | 12 + .../106.2.0+up1.24.1/charts/tracing/README.md | 5 + .../charts/tracing/templates/_affinity.tpl | 92 +++++++ .../charts/tracing/templates/_helpers.tpl | 47 ++++ .../charts/tracing/templates/deployment.yaml | 94 +++++++ .../charts/tracing/templates/psp.yaml | 76 ++++++ .../charts/tracing/templates/pvc.yaml | 16 ++ .../charts/tracing/templates/service.yaml | 70 +++++ .../tracing/templates/serviceaccount.yaml | 9 + .../templates/validate-psp-install.yaml | 7 + .../charts/tracing/values.yaml | 53 ++++ .../106.2.0+up1.24.1/configs/istio-base.yaml | 145 +++++++++++ .../106.2.0+up1.24.1/requirements.yaml | 9 + 
.../samples/overlay-example.yaml | 37 +++ .../106.2.0+up1.24.1/templates/_helpers.tpl | 27 ++ .../templates/admin-role.yaml | 43 ++++ .../templates/base-config-map.yaml | 7 + .../templates/clusterrole.yaml | 143 +++++++++++ .../templates/clusterrolebinding.yaml | 12 + .../106.2.0+up1.24.1/templates/edit-role.yaml | 43 ++++ .../templates/istio-cni-psp.yaml | 51 ++++ .../templates/istio-install-job.yaml | 66 +++++ .../templates/istio-install-psp.yaml | 30 +++ .../106.2.0+up1.24.1/templates/istio-psp.yaml | 81 ++++++ .../templates/istio-uninstall-job.yaml | 53 ++++ .../templates/overlay-config-map.yaml | 9 + .../templates/service-monitors.yaml | 51 ++++ .../templates/serviceaccount.yaml | 5 + .../templates/validate-psp-install.yaml | 7 + .../106.2.0+up1.24.1/templates/view-role.yaml | 41 +++ .../106.2.0+up1.24.1/values.yaml | 128 +++++++++ index.yaml | 37 +++ 56 files changed, 2915 insertions(+) create mode 100644 assets/rancher-istio/rancher-istio-106.2.0+up1.24.1.tgz create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/Chart.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/README.md create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/app-readme.md create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/Chart.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/NOTES.txt create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/cabundle.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/configmap.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/deployment.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/hpa.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/ingress.yaml create mode 100644 
charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/oauth.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/psp.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role-viewer.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/rolebinding.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/route.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/service.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/web-root-configmap.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/values.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/.helmignore create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/Chart.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/README.md create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_affinity.tpl create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/deployment.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/psp.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/pvc.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/service.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/serviceaccount.yaml create mode 100644 
charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/values.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/configs/istio-base.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/requirements.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/samples/overlay-example.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/_helpers.tpl create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/admin-role.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/base-config-map.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrole.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/edit-role.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/istio-cni-psp.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-job.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-psp.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/istio-psp.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/istio-uninstall-job.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/overlay-config-map.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/service-monitors.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/serviceaccount.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/validate-psp-install.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/templates/view-role.yaml create mode 100644 charts/rancher-istio/106.2.0+up1.24.1/values.yaml 
diff --git a/assets/rancher-istio/rancher-istio-106.2.0+up1.24.1.tgz b/assets/rancher-istio/rancher-istio-106.2.0+up1.24.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b7465b83fed4e22bd21f72fadc1ab99a891fbe6a GIT binary patch literal 21084 zcmV){Kz+X-iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwyd*imTIE?pa{uLeKXl++8* zPaZ8qLK0$%U`1E?c-r@c}{M+mGs{i&64i5j&-#lg%o?86u$8 z4qtFV=8a_;AEKBh`Ca4Jlw@-%c*mC7y`@RSZh2#AvqVZz4}yMQLp=!kOQ6n3OfV-J zF{S0!QvTh3UI)=+ zl3^~gJQR6GyryX_@X|XB20`z?^Ryof_Jh9nrB{3XDf9mu9Or~T^#-tl{~sM34l4YA ze=rzq`2TY}?1p49Ui^*5WQcs<6L<=%RZ{EL)+G^wCR4ehLUO8>OG0MoC z-4Ix!;f#dWu=IeGkX{79)enO^gp)|sNti%5!SUi3f)*^#%yKsj3Z)rku*CHTuiX0t z$DDYc{zx*pZDk~7oC;usnxfTO?$}};LeAJax>VmoXlqOJ=yx>BScY&$P{@)Ao#vU^ z8J%I}=`_O;;Q>@M_$f6IkOYroxnUNF3USUg8seZpgZ^;db zhjJ5@vIV&d<2)i~Mz8}scB;}{2Z7M2e|uz_5zfECg52Uo6Xp?80?!$X$T`b|htMp= zmnjK{=;J33Niujtd6t75^4C0?5&>U4nzXkKv-gOm<(Q%iGG~G`QAK<>(M)= zJv(v9=(yY+e&Q^Vd&V3KIV2oK68uglX44VoBlwK7X)cEeI~NXTQuGj*CM2_;6ze?Z z|KRdap$Kvdy_Wl8hm#a%Sda+KX+r1uTuKQY9YkT1d2pyDuNoC9tPtSZtX^HeN$Z5=gGNerqch%I9x1uQ9!6urQ19kPfh zWJYq#8wJRQq7ni&d7 zIn%`u33g2qPf9>?MC$7;8ILl?#1M61g`_cC$iCHAy;Y8CeA0-EBiRs`skr>n@(Y zO_AZyl8(f}NS|8D@atlME6G4h{lmkThuxnrnUc&x$;oJ%rD1_Xgr*su-~_Mgr(sOG z=JEl(TpLAeH|II1sS$ceG`*(DaTG~n8tR{Qw7uHz_dO|(gXD!` zJSMR^l}V8vb55rTaLTPMbU`MCzDG)qSwaNic75cWWSwbFBhpP+L^_kz~#SSg2qzkt+zj&?g{{zP0@!P;DM=d%6^8SkVtZ{>F4b zW&MvJ^Az-G-O-H1Dam*s(nqU;R_Xuu`c?h^;okn?M*s61&&QA59dwd#xe;3hJE9zM zb2P_ug2)ZY7Pm8!5wz3&^vV19u_L!&nh@kGovE$sqs}KO%*!Idg;E0q_JoIiwOhCE zu5wjN)*(p*f0z1Dg+{vSDAR&_QHxGc@K2?@RD!?JS2qg$wpyCeL`;zXU%cx-r~wjl zVt@GcQB+3M-SNIxHw{+X1riI6B8wN`FTmU2Y66%J-}PjXF^So&e(kUo$%}4Tb{#Vu zNs%XyWl_Y#8HsYO;Sn>&iQA%An@ITB0iNhIuEx|s*F>I^+#43jzd>O<)OF@Nk<-# z9)BCKivJ(h`Tx=WM*sgTPp8u<-P>hj90u};z%u#^aDd?YB`mm`zIRQNXoy}b&UL|J z;?0S`5f&h*Dyd9s3|gDP(`iPgSV$(*0V*3JUmlnwn^3oDYGZ(J`klV^{rC|X3T@bT z0`%#Vm*ufhBjS{Pld(LtCytIj4hH7VP%Ae$%QJgWftnFc1<82vLWqoxb3x`fp%cPI 
z@o9#WD0a(A(G#bXrz9LxH~}|)D_(+HHwj7c=I5LV+}MEqQoMo@+h2AC!YY1Q>|IGFZ3aiBqF0u zWlkd!VyEH_%|tE_6Y5N9-7zD*75u+9IIQyjqr?5Z4gY_Rr((0AIXuk! zJDisIyUU#Iomxi{%DuU?YEl+VWAq~U8;uDMzKPiw`HJRvcgNojj=6#a1?X2q6S>OK zK-T}#So`;R+Sb25o;-;FxMKb9_x6se>wj>tIsZS)^F*>=BX2Om*p|K_nZow#Rkq>| zsEiW{0(Up!(l%_ial2=#7qzC!`|P8etILZIYDQz^(d{(LWe;i!=K8UXG|5j7YRF#j z-nXSKbp4XI5|%tda7kENVdTm8dI(zTFR8K?P${o0#5zn7CUcf>B2>}hKB)G)JD~}V=`Tv~@0hD1qJCv0 zjcJH&LtJ1%CV8x1tg*lu4{@xFcPcOf<6?=xampf7Qh~9m-Qr>+2w6rL4?;Gt_n;3T zx^$)CDG_QeGJ*xE_W=ioMZM9KMUlOB9>cZsIv}^Q>jr`yS zK~e1$R>vG0>Pn)NQA04~#?p?J4!J=`@kf{3k+ArcvP?`^c8jw}y_9a!<;fpWW~AB{=i|#@?&WTm1ZUpUr|7Q*PUvq(n9|KmM|Mw4i zW%+;5JM8UmsQbJgM-ce|Fb;q zav4kcuvi-ZVB@yKeJJ8b9Mci1L>)oMpOJVT@L6}p*tIXW7cNW>yYNH1Jl9KiZV8>v zgg-=n=fH3H4sK$kqZXe(L}M~x8R@_`P}NhG?7}aehan*miR?Zz#^E)aOy1JDJg9&# zqaK`gq0!~!Q`t%_eu8GVYe0m2BwIg@Ddw)sNz)x3VPAP= z2O*pL4ltS(s2A3)tW)VqzD>__7lS_NN zJbC^8?9Juq^6kmV`Pv6>~3Ms?8S)K%ZR;rjLXQW{PUN67TUw9rjm#~&`wyn}I zO73SZu$A0BR)Oa_o-{(|7FYqC5oup5|G;A2ilZ3XfAy;TS|2d>UmlsW6_GNWP)E)o zIwLnE`?potKk>7k{Qo!|&?@~;zpDQq^ae*q8~Oh^o@dwpJob*yNZhGW{y1*NC8du0 z^7Q<5`NjF^8z=NmS?{A%HDA5Uxd4658A~o014E9I{zsQHI-ReU=zpqBDx;7LCsSAE z2Va=JWp;CXH$;aA2YUxqeb(cf%LtC%C-FiK46Ls~pf6BT+Wb4{E4#H?a~7qt`f6h= z^80?4^Z&=|{{OI=|L+ZI@m~*R@eTifhUcOD|IsREOJH9_-CXqk09CV!K&EdqJNlf^ z!M608&1k#WN4GPlcO-jwb>o`dk=TPUPHWeV9^R|IT7+= z6J8rUf~X&GW#IPqkn4i#xF0FgJ!IIc@AHgAGGW=6MiEIa7d#Yk$tj?E*;f*TKooLi zA1e^K@{tm$tV9JERZ%V9WGsD+Q#__I71SVDDfe1#46CA}S30@2_IO_*?h&_LkFHfH025^=9w^#N5 z8}tqboBO|Kc^-cMXKCXz-2i4p-`qXHm0!#4Ui)3%TDN6o447wgU$)kL*%Ms&Sp1Km zvyllHx48p)@Ey>9_!ZFR2I#kV1Jv*J8*hM$_mvx<_sQQdjq{9b1jbcQoBUU16psr5 zvqJvs?H%k@<-h&j=Kkkdp5=V^(a~WF7WiAJf1^$_ zp6-vi23WEF2Xe7j?|(P>f1c;5tbY|syhZ2V7$c!LFKRvOJ5{QIIe=48hYKvYp{oa+ z99=iF0wSw~%-9_z+#d0a(51`E6Yj}fnh^*KV(&LULUdExf({Daq0@wAWY>va`i2pH z#>B}T<>HeI{AH;hoGh$Y!B1@bR)Sm_KLp9v;SjXOR!Q^lwOhad%?X@Mi8yDO7^40` z?^O@p(nOH#2FLQ9Dwh#J4o#+ZWJ)XiR^bf&FdE5e85N;aM=6U&_Ov@nStdquQ04@M zL#2kjCM31O)|A{0(O1DvM~z5AYwm?jc>pBJSf!HR3;>iKy$Jq$+g}%Mi}@;~8A)Rt 
znnQs?ot^+&=RU}3!p4$5OqH5;{jsY@I|rD22%l{QIT;tsA}UDOWCe7FEHQ`E^v8!R zHg{>ACc8?JARB~~Hb1Vp!m29?*2zqW)CpJLuwvW@#9x{Xf3au9{;zM-9%lrwO8)O3 zRrCKH9St`3|IhL?O8AuvunvP%hKrXOq{U03F z$%-D6FB7d0?gpYhD2!xM(`M>RL)Pucr>pnI`rf|Xp zdJ(wy?7{K*sb)<)_&esvFWV<{YnBQAwrz2OX^i}<8PSr8O}7v+!lAPn)`?4N&7kA+ zQ)^EVpmVqxK@sH=Xmoygu9GrRj#O$W_is3gBYgjPPZ{Qae;zkU5va{FxY zU-s+ve}j$w?^&KN8~;U8*%QTokxgylzii^aJaEvzg(@sWkG>0^%=sIDy38I|mgzG%9X-4#N3m~DN_PJJRG%u8)r;26l zZEbCBDJ-BjkiwKCu);g2o*hxke=I{x%t(gLt=iUL2ztQ22Yo7rAvPj^?KZt<3i z86ayHQpK0k-x|vq@56@=9$?foS8nRhG1FN;*`zCGq+4F=(9>T~N5w!Oog({NCn=}k zmi?$9d}l0fy(C_*|)GbN<@`1$rZA8qf<)NYi_j zFHNOsbU$nd=t`%^9}|^@U-s?<$VLfKDbmIS;Tue25c6q*SQhEL`x#3~7BA2^r*YIU zX-v5g01z3Ovl|=-p0~53)4#$iV!;yV^~D=C23`yt3PF;7w`q+!yg(!YWsHQVL=6No z?C_Za%j6B_voXV2PC{YvnjzZjKu)XQyIGy3X4-|)vqeyO%@*IcZ zPb6koAe<3n#iEB*o)4Unq33l}(p;~D{sH+$J?{jEGu05}EXGj;B!J^GYcWitpe|zz z4g(Z3GB+vr5ax*7rC{A0pzrirRcdTFIYHWA-8eyNs@3tgYfhBJLKVnWrc?dG&^=H6 z06xfp76e05)CCylIKfjQUuTZpS!CoYG$(w9#4Ka^bSAkh!F&OWOrB@Wqy&0x>wZg2 zZwtOWg7LxH)2Iv=$npkQLk6j@FWxB9ah5&+6QE0)geLj1T*A2&w;`7^OuO2%N~iH% zMAfQ`Sm~V4NqI`m78dO){F$blr30xMCz!^8N#v~COk=raB`D_>)LlrJ`Jr@w`Zf42 zd_cD|lDK12UC9As1V*WRlEeeLENfZB?@|AKaQ&X^#>ogK){?QRrq4UUq#g5Y6&!T?w9(>WCi8c1f(!0?z(Xy_Ex zgL zbWC?rY%Nhzg;Ad9MCWE;ToJg*e{ORQs4YvPbxbPx=rwcC$j~9lUG$C0xeZ9Z(wW3P z&5Mh2(3@d6)uihVxqLu*7MqN|8q3ZGrNu~<0Nk-Nm*akaL$ZuU1bzDC=1Q-W0_-?N zA!GN)k50<>K!X*eEEDL{C+JdwFCkMLhf98{7?28rq(B7f`ryLyVORYw_4;8KkoBRZ z%MWNw1$a)1iIp{xB=ADmaa`d3+El@*B+Sv9+lDA!8W2+e7jF*}o9MWUfxi|mwZfeX(3aonLvNA7RB z$Fk@K@&Hv=JwN9-rW2~g_cUWs4t6|+!2W}7Lz7ye^SHge4Ss@eW{xQ9Ml9srelX~F zr$h*vOgmtGPNMEMiddL~$E8tWL`0BmP7`8aa>0ZxP0A;52DLkB0U~_h!RJ!|mURM! 
zCgmx0fGhNW{iB0}ivDkZ?`Y%y_biXq|EW{S??Us3P6fg-XGRCWhu#j_+4%v)sRC-N zRM_6x8Oo)uRv3t_z($l%izc!seM)AzfFa3~vuadvh7}wEdN@Wu=QO-VzzlX>4pmz7 zxdFs*Q9z&Q1b?#&>$>yktfm;80m-BugQ zcM$4TACA5)lu|eSU~ur?o_8q`toEVW=Uw!JJXM$*eRQsGXdJSzH7qX=SrU>|@UFQ9 z>ZTCeLjBNgq}^?G<{cA~Xq8@sCK;OpE*vlTaRuU9_{K&%^n$q3!IT z7jmzat7eiBZYN7Eq#7p7VS5|2#2E*@n9)Xo;*w-?{^T;FNe4_;H3a%pXiXU4u=SzU zQsV>22ZEsw`n*jihzd}m0Xou*+)$SDcwq~|Ikdc)dw)TvCBq3Fgj9+t3)=>oPy$+3 zEYK|meFY0Cwi--X_WbhPIdj*ig(hf%ZzL`!2qP&p#006)spf~v23v<(X@3mrN{Wsq z5;fWntJ4LeksFE;MjwC^>ZU%R7vzQ{MrAd}Nsi-qfx?*J1m$Tl$ZbhPR48d7CdPQ> z@3JwCMnxs#j9rsNrBwukX&KkR%kyxikUPmUkm{ffWrqv;040zxp%k1iG{8oyERO=E zA?zX|!eBd)n6kLajDCAc1mYqOudS92AhY}{WQklN0HWE6@fUdB zcPUFG?Ezm{M#zGxkRrPZE1LS_*l6kN0;%7LX6iZ)YwqV+>fNnriiep3h z1%H4=DH%4DkaSYzV80?-!&4k+BMtsKdI6`9rTanf6wa&!E>;@4Ln8u~4G3pFw z&h6wlIyj>(w>q7K+@j`DD%Dk*#*1=+OM#OJXOX_a`yOWr*hX}m?E=el1XsX{8BUP6 zWoS+lmYG`zj$V*p8tkHea2VW4xcb4X;BFh#bqPUSkkstEOiBk7)}tU?@*mLjN$G|p zk;L33AzD_lyrI1LS-}a6GK88cPDGw|b%pMB4ZmuD-@+~CDcoXe#nUm(rZ`PWgiewh znz2M(S?=r{gW(6ur0_MNcLiU@QKWVPhv{13N<#p%qhlig3rP^R9g(6VJzSxPoadw% zW)Xhe?(XJabq(9y>%H6`Z0qYJHOieG^gV$siwn8_aC8Irm3pzjlIJ2Lcn)KtiPoD7 zP@T_VUgRQ;ffX8{0?>hHj0vP}`}BHLb>C}m13O(>R7DxVaDfH#AA`FRqsPlg%0Ss~ z&?UNqBW8K9K(uFc6+4#si=fEoQTBia4XxwqdNY?tqqi<<>lWv|ap zk#*%j#^RDC=;H4uZ_&$OA6=e+1GxQW_?UY^P0J1HqPs{gB6Y7}_7%8LvusatP%R1g z8Ikg>lu7(uCES=g>NpR1R8=2su z`Aqf|=2@&|3?ql#Qa)2!C6s7Y#RYuy633 zlA4JE`t#SQ9~=dD3i-yGVos--6hWmtMebxtK==|Y$Wz0LQ95=a?m&uf;*rH9UAoDdsD5Tz_C!Un2W9fPeQx(n`t zyTU*oY&x6^IBU28<(!V-rqD`u8i!IE7bKN(h?F(#fkeVwN8V@?)7D0&>nYzhfv+T}1=q&w&h`dv+?9l)s}e{FGGwB&CGp7$@!T0r%r zbs(IeAB@(Ar2JmIeE;y(t1bAUL`uxsYSk=za)s2V=60bx_4YeKsr_{S5x4!^w) z#aD_hC;4(%@0B!PZTo&i-&Xr!R9|iFX~=$^RyTD2Y;=!`$cAo^M0vVsjE~6$7CG<8 z@1>ZEsR>6j=$GDCg4LA1nl`1BJZNa`Wv{iVm%YkIiAVKmufJFN=JvuHdfDIKYwxD| zvDD40rfx)-HgvMr-|w}LrvBCKr~J+K6E_W}f3R#g#a9)u|ANe!SSp^m<*JMhG&{>G zLxH8DT7|Mzh5PZma-D~9I@QM0@VEB1HeBtQxY{fqm*`NLQM^&g=nEZf+0C#SvGAH? 
z0cE~wAkEl>#!gNMxs0ZzHg&k=<%2*dBR5nXr<}UxWexB-;WK5atQLsw-hEZ0U1N7r zTW0!0!Nh-|=`~GUrjDaX?#1PS>Go9VV^v}axq>42T`49^4aO*GkdlxNBK_{<>Ui|# z>~i$_`26a-ixbBKyw;(P2nC;}B~cAE9Wk5};fhlTLSm7UWd|Giy#T&RxNGjMQ2=b{ zt|}L~{izG=(m>Dd=^SsTs(|t_p~>}?I<(jxoxD`46rdbljc7u})58PJt_PGVT7s-O zT!{wYyw29^gxy}Y7;DpZ`GBr!t1)KNWBw0bVK};F`>|AhT4EA0xgl{&Wmz(S0;Yk+ zeRP?a@R&JPt+&pr`s~bQ1v!GmWKKl3SSGUALUml<43TQjTWPS6YVTQi6=5zD>p{D=O99Q_K z(EO`sRs65LLBFE^KiJ>vZS?=o@wh&*Ll0u)C_lO(D*3Y7Xgly0~;ec zQ-F6(8GE%j2>L;<+&Z#LLcglw)Ck|N7C2^KBW!jiZr7OT%tS0pm zVlMG=I+!rchiK62%^#!?6=B*5slXA5JJT!;JI#u@m%YPf+RVciRbnSfnp!*9JJ_p2 zdtA+-rAHUDJPM|aO=AKE2rzb0~yDPH?<(cEIzmeSVaQb*B_BW-~cY zH94Pu{Wrt}())K8f*^f<`;T7#uwRw`4)+F!8~*)Ob!%)}2ApRYyfv zFT(f`ffl&&t3Ffk&h#d0iGuG$E9l8WELm4&K>FG&n&lC5cWUU{aidsb?wr4jap#DyZ#3d&+qT35HyULgT7f zvh20~Bt?W4%n{GW9mi+O#ukdKvJ}z8IBJ@*`AccsoM z+^i~K^Jp(CIV160%^vqEhodjF{+IB7$2j_NeXQXBhl9PU|M%g+#{c_yo-NB|N-@rS z$=vviPJ|Dp*ocb^3o=~<-WK|o3I8M*1Y1OSMsNfkrF2fv?FZ*34J z9fQx?LK&D*C)#qga1TczPQDUIyOn`mFUtkO0%dsu?Z2P`-LgE6ye(@4dyA42RG>WF1~&uF=7c2#hR3bna~ffxVR8T#%-ced z^0C@Q7@c1z@MOogBo5h}1RgA@Q6^y;0bBBY&$FS`iV#rD1QJn!?o<>FxVb<$3<(D_ zd1y>>H}95=M;T*cWa?=Ne#_fJm&)}}2Oyf$ISn23yuQ#5;W#5mdmLz2QJdgRPWBlS z8W@(u3nXTYn;F{}gYTm)dlO7Kx|MJiJGe!Js{>q|zuaR*sHgZ)PowF;}U^ zhR9E*G`Uk#uw@o7{4%^(tv7wxw~_JnOzDtGrZIp~HWst#l<1^ZF`JH5zzuocB6q^K zuk|ghPm>8#Z{=P%f?x(k9VtL{di_psaMeE;_V$Opga7Rv4SPLJIiStWMv`F-k>7`y z`z#_OUf3RiH4Jcp>I$%l+U$#rvW$wwsDvgTsAbLs8JV?awLc@tGKOl|!y=~>RB*9i zmSP0)LMJpK(XOJ#jHEFQF}J+LY%eMVVx))@iVRWTtLd7mS|-ph`TgG9w=*>dvi1-6 z-%*WmI;TYqTcH09d{=Z^n@Qu3HPU{gW`EGkxQNsdG0<_E8et-Y4?6J20YVTlwueUc)3K$V+=++vvEuwc=nV$d{9nDn=Kk+lp6}HG6~Y+F zS^r}pcRS%;Y=~>ppilFPGs2}hBmD63BMQ{@!Le1SqEDZGEFzN>I!&55L4Tp(2;|7Kk%&@^&(aS@Y9Erf52OeEQ^lU4Fbj{_&6K`{RqV)3a~TAOHBr z+IP^Blm_V>c)@2{O3}vS-(L=ZZ)0NsoAdvu1Et%5YM7&2636mixPRljQZ9n?R*|9r z!fzB2G0R6C*}BQqAS&|%sHD7zLXr{8nRcRX8RIUxozWN+-8VE+S|TrG$qh*;NkXz~ zPH`%-yA6_4jyE?a;S48~&#U3yYaqI2(%$!#0P1iwS%G5}8QixBS~4_`0yazUO9099p#Ko>05@nGa%f7R)lDtai@pC_0b_yRIxpp;}f>JglV&AE6+ 
z%6AB*5Y#Uu;6nxZ*Umzdi$$)JU8I-K*R{2zKI`S^)^%3s_QrtbKk8X){~ygroRW+O zB7OS&pZ!Dmt(yOHZ?peD%k%MLcL&|j`4F}wdESzz(XZzcE#Zs|(N0%#U|Gz2tr%bt zjzF34;wh{Fu#|pgfi9GWpAyg9Ra1Zo`MIs(91rH~9qO7IDGpbOQa0++gm%Y%c z<~L`TvMhwHPD!{85vw?z=dt0>w^)@lcXAMYjw`jGvu%`=GJyv}mHUoTK6kTyy!qF>ec<;cs9KP7xBWhzvVTZz$p;j(^Rl>#lmDoCMd0cM)fL`;zX zU%c~Q+%N4H75@LL2|k4U|MrnT^4$^0Kk583pG@c-@;iRxklwgaN?20dv!E9st~jxt z?3haTF>=hE5Ob3P!#DG4OZeL>hEI7>wl-JJN5>y*RpwbkM}bxT>qNNQwu2HHPC>&l zfv83^QYi3N&73ipUrJ+2V;I;*n?cZ81f{TB)h!fKoz6%+5BN-N1!YgaCL#l8Bb=t@ zLcO)TQ8B*NeL+R5=yu!&oROAvU(R&Z&lbNzZcL(q3CaO7pQo1;XQIO3(Qv|StQM%D$K_`iXir}jhlIWT&)?gb(l^HmC%z|bdPo$Qz%0b8F zI7TrA9Q6+$Hu_sK27U3W;p%^k-n4O;l`^ORRT3QexwW9*RcXW# zDx;%X&bC(|VtIw~{@L}N791>2@i*g_mT)*W1SE({w`C!$Yn?3@2Sx}nx8Rp-TMX}2phSi+Elgo@mc0d)@z>{WnJ>{*-^J`PF~z~ ztcF%Dm$ErhHWM(5UP) zFnu=Src|Q5tILjGsQ)?}e7S-H*fx6M-WgOZ^tQJv-=Ur2{Fjl4W+W7&JfnPjyG(a9 zM*hE8jv^X?Qe2O*2ct2=!0AIn?tSDie&d6-^^wT(4?^-+MTMitQiH%$CwEa94ItaWt|yDA(Aes=8%IiKONkkd zI0}s^IS*$f%44GsXPme#)(NXEE|-M8gOr(*>%-+62cn^_D_@YwgoI*<{4;i``}dU% zH0VQz$Upfx$FX0F$+Xe6@gr1A!)L z1qV=3Z@Vg& z{7KKPQ5@I0OSEdUsAAF3iUG&)br~9*VvZYx2FQ0IZGiP_)QFwsZ7zwbRa$CagFs|| zmO5UFp_%~Oye-<6e?@|sXk8zlCsNW{_x~Xt=SlS7I3TOy{~YcgRqp@$y@O5spJ#bK zE;XK8YRB(vJr6l*bvm80_q7Q#V%^WYxf5hk-5a%DFS?gmpFVXA#d@V+6@Hs_Avj_v z*M@?>H}(_T>&qe#+P+%gxEk@nw_R@7N0-c{I9qEjbGHm z7{H44zc)DAtFHgS-u`C&KgaVqSK)ImzKRU&+J-hc^|h?nkM$^sD_d#=MK553HdQlF z{+PeouDUzu9peHq3%ERpa5_)pMcESYIoLX+LF?O^+(^ayBdt|$f*ST#NZn!93ukHFxs!=E^T67M&CFRQx2=954Xz@S>bUFLV{Ea|VL zJFJ~5z~y;H!fT$-yEZOJfu9#}Z-xF8Txq-pf5n`fV=4Vr&ffku3|vL<;Q4&Xz%{-~ z4(fsSO>fH0QN-X2DC_bt!zrm`=BO4@ZtQN}m1TW`XQX37T|%I9J-Y-L<f>wq z&Gx%yE4BGlLB9s0*x zhjL2I)Oh_pVTuyIX0bpgh%Sdcj^J$*{Qmw{pKC63G?5@;nJsDCvvYaLwSJ>+L zv}ykB^mI&q4*x+3I?D1uk*7nh-6dqN;}w1S^gqpQRZ4yQsE09ZF0QhG6ui-{A2X-R zdU0Yoxk#f=akqQ8Kp3xf`lPNjjA&zwrJQG97JgF%Z)xTu~ zNAHt(alx4Q8;yw~-BLsvD3&M3{EQ_R5R9hsF?1Z{$^pBhjHTr_9d!Km?XqpS629B; 
zUYycuo=LkL&s$^-EmatzgeW~vC>6Q6Bs;p?eZX5P3K^hZ^Q1qjAswqzaF^)7Yy6!hs+cSdk5X1|o1hLJW*RbdbC5Y3!Q8ubcgG$KS3DkzTMkQgs6Nyri@0Uo#uiDZ;T_S0Sw3O=ScWHSX{bP7mv zQ)e5;udh!3c``aXes^+te*F5xX$kHC{+6+Md2YbT{DMr%Z}t0gn7EQb2WS~;{l0zw z&FJmPKTqCPJ5-`Vt5R3H_y(m7*=_W1?=RjRUp2S7+#y&+0&H#g>h#^o=x?VdZ{Iwy zk6O^d)~+s(-<`ibxfop>U)3gLRWELw!cqrIrF$nrXA=jPJvJXn9Jpj575=jApjsy8 z8y4qt@=l(}s@jWU1JZ353qFPz2hzRUBmB1n?l1V6cZ&s_GZzB$5@ZlPN#-T-^& zzBU!EWYr8uqYzf7kF|RwCGOVL5y`~E+gFFc^Igp!O1# zyFJSi@VmCcDsu|H*nHFTquF2VGfR zLbmp38thq3eB~wq(uw-{FodrJztY9ZVKlsIKD}7IeOaQcrQ}(Dlqp(SdWLaU{Aw4myF|nN9ac}Rz-C#2#>Jp zD;iPF-b+sjaMihTv()Lfudb-qXZxT@?O>%!t@czESDhQ7M~KzRaS6w@gY~0ntAelk zbXI1fSxeEx+ghN0^cMJdy05nB&e46zcAbf8)EnM=dv4z=3}*~Eb@gJLs;t18Cx@K2 z@ZP2+vYHT<&A0q+emSZN$EUg#FD;1r9MZ!Q*goM@8)Y#$lgIar03T*E(`8GGj+Wmg}*j?XAD7a)y zZrNW^wfz#v5~j-{F+wxUg-_!>050WRSP62ubSuzh-+^`Qf7Y`9nx*(LX~0(4|Mz<} z|DRrOZ8t*}%qG@scck%JONWN)E*bZ#Uh|Nvoev)5^4I9Sw|r=&Ol{3! z0`4`|HQH+%yrV`@xej%k9Y`~0qJVS6;)rBO%y5Ew!JrrPAb=8>6_L&uhu0*Dc%a)U zC&+Wt58GfX-BLd$v(w&wzna-;@8w|s=+*wq?bR@9z;F^FxnX1gqK2)LW=yb<#eq9V z4^pH;uNL>^_%RiPlnj@b)vH1|L_U~3_>D7lKL{Laf<2&rxC-&W!QKj!ePE-KTija4Hb)#pmV} zdRFcK2M6{1uSc8x|5=`o%cAYdd3Stb+|4-~;}EzF%jhql>TuL!YL9kuVm@MzPI+41 zj$1eFjKxG>uHck@ld(Kq0;gv#S}vFk6L&wTcs~A#ghHP%Rb!VWCtc^}MmZQ)MVvLU z_&n%Sr{#`Co*tO;`*ZT@LoM~~eo&MwPG!T9@s5K&DB&vK{a6>sIjLbxL1Wdb3PwidYZttDUdpH?AmEpISklE4jwa@!b#|9vtks z9x`*96rmgB%ni}IoQsP*Ip%=rpL3d#=uO7b*A>S-Ax4ZNY5BGQb> zMNT64Wlb$RC}OwCEzY9j^HWt&QYaTB5&wjyU&olvfBRC^TKm7`teqQ5Zb|kKIbc=% z$NgR{{_DZsCjRTQJj;y)<($J^-)OF^1QXJhR|O|5SjEYB*s%7 zL@MJ`WL|TvkW^b{H)hkav6{1GPBnLmDOZ2oViC^P8HC;Oxa|r4&@qhUgoP{-8H;0* zam@`?gt(^y0Y)d!{S%f+)>>{?rC-+txu`Zs?gU9d=kD*Se3eaIM3~H3!ii8LC`i3D zSo@s|EXX8}^^1Ftax7mql1#>upV(OSqW`#G>uS=9iv{HZ0dj4}MmQ+HEl^Z`FNoY} zMOG<3#e&@8MNqrFC=Cbw;P1c)?~NQeM@ z=AhK-#w1fz5l0=a*wh|qb21_s9B*73m4@pI)TUOUlnMmOA1CE6QKzoJKs2XZ5~dEK zvI-INTwptrAU? 
z7t={JC09i;6C?aW+Y`&y*wArS*ZcH?Jk<-w69NA5tGzpZUmg~}?Psn1-y|~qJpSK% zM|J;?qmBOmd7ek^|E=jm4M+GL#OP@EBz|ZB#P-C$@FkhLfet(O58dd7{A+e{gN*EJ zc)D$`Dg}|f@%DD5{nqlX51vi7V{!_1@+@xir&ArFPoIX}?oyAt2Y6~$y%RqVV9Om@ z9tw7&@9%QaPm^C$qN3%(MN>t0v8?t&Uec&oq(%|}57)Lxl-1IuVcWzJ5BDQCvG_!o z>M%U%x%IpT*ZG?0Eg7Wd)L zTI*ly%19^WX-6x{?!g6Ct^dPbHUID4UVn4{_bktr-o&N?y@*MIUc`)D=PB}+T?G2b zckZNo}SyU>YO;YDTnD3F#v&iWuS0 z*$m$hBxa=UJcf?XPpzpyfX;zgA+0|~=a=Uk(FBPZKpw`~|kROVfXI0cXoAtzxs&Dh;SEv>Kq?{CI2uyOs142LwCc3;b%kMaCh&#Lu* zRNepkhliW>|2$7c^%-J;V>UIbfU@ok9G9JVdi5fV4-te!cfM-6lAlA82|A%98Y2C+ zxtzl#fEqh0O=)xCOf5dGJT+9T3Af6zaGKhm{orsf=y?(0VMbGR33iNr&S`j!Bq<2= z4@{;cLszOTb1|&0igPYsNwERPafc=ymJk$?ISV|5uB1pnm3Wb6EXqTu^K*`47=M5+ z$b@7_FdL%r_VzaT3HsBZ%dw#e%TPoFrZEpZt*z1{yQz%hvGc!l{og3g_*e$8V*L;L zdzJg2{!xFhw^{$s@uV5Mp%KZ3NRgqZ^AzixWxltyh0a(+^zIC#nX(9B&gnFP@Z?)t zlCF!eqvhz95es=Y=OpV)a~hGZlQn^|r0Z>Md6h&9pJa<~DHn)MKu?JTritKk-RSfU z1ijE94mkSOc8C7*wOkh4UMbnc4?lX9{1>3oD>|$fxFXrSUPvy)_gX9h)EGra>7}RS z2+d4ItOGPEUiL<1(YesM!l43aHn|P0pwC7{@QBFNu}1YDAyQ^Ff%oa;jEVD%a1}DX zmLOja0U?})GaY_Dn;-5E(Lnu}N5v1m_o{biexzx5xE~YsQ^RuRPMEq;Db2aNA;@#& z&xn{~pfN%IoXlCa@Ik-sk8w05nGYoGaC1PMhpH_Nkt$y`BUiyT2ru$~hG{-T{hr*o z8iPWpaVOEW+8z zU78Vafhq+^f=s7ij8dLfDGWFvlUORHCMoTly7`^eDPUL%tK5{)ucAnijhDkWJE~@= z^DCl>*hal_sg6zN*O;jLQvCP(3s?S zO~f1ADBLYePreShEg@NZy?oDUUNylTbW7-TCWg*1XyU}|R*RA(Zdmi@BkU!#*B0Ts z4bhbYh3^==JJhx8T+&vkb~e#=F%231D!SdJz3Fj2nhRGtS%VQbn>F1R0Z+luD;=%k z>FsN7O{!SQ@SP<{lZf2yqCZhV=I$z7XHq-r@LoQ#t+lk|YLGn!OIVgIV_r2feN{xQ zxN?E|Dg@?zgJUiS%F~z%D1qS*pN)3#}}pmNn?*9u%_%%`{QX1L$UL%2`1>E!5NadTk0q zcC+mFdP`{Paq|DV=f4?=QPE<;i}%8{0bM>>kaLK!nG zHR@>8ZrW;TMiVhX{(teV|DXoI64(6j3wTV}1@~`Ho@l+3yA&r8T+~2vAU1)&fxZK; zc0x6mFUoAKQ+!qD1$7U4CL6K`14r+Renle7lMo&5!Jl+~nNKG44*8urtO~x@5NQM9 zBCmQL$BW{s2;npZ$OG?tqFRUYLiQm?!O@t67*c_;IdPTXFy09zal{eM2#V>P3grn2 zHY+d23&6#jvrAc)CR4;y5^e|H=>+L(HPuMS5`k%A%v|6d73h}6F&Yz;a|tI$7=YK% zwxYJM3T&XJswUl*X)Ul8%3ZSg6M*lY0$0td1E{h>a(`gHaZdrC6GaPXg zvOJbW5m$1IAwb57+hUzw+VX)zG%+P*`0mxS?`dIRsO!oXWHKS47$X0SX*mk6t_u;w 
zKaoq#uVSVVj3ULiEY)_?;k5LndHQ{xHTQqVK>hx=!7KH@`v+C~uinP~^Ld`8B-FJ8 z)XR;(>m0sr_r0ds7f#cXgNM1DHZt*yWK_TvncJW?RWEcH@Vefq>#tOH1A(K>TL+L; zpqQ1Rt2_9yM=0lTvT9gs4{hb}bbnQUM)`0Wkq~D#j9Zr`KPe{ZeaoruUjBiij>ck zB)O@oN|d8&rRVBBxV`PJXhalp{(Ai8o0E&t$@$+;-kn?=zpWp&>ts^YzC1rZ8(m(# zzc~KpWOVhf^OMHv8i4lR-<)2YyuNyW@vqT8kKcaR+(=io(v_=it){*``Pb5huF1k* zr3EsLzkdJrEi^m&-_!GNPtQhwe}8#3I)8t0)!4$S_5W*18v zaUsX0tBEC7smiolH+EPwuuN6oQs+L7D5?_^8}+p!{9^7hCne5M9>Yla6C~0>{hn6U zHE}#|1S9xOBoZL9ErcvoQVHP&${y8P59a5zuw_tHU4{Vf203@ zp67w58NEFl?t5z+edMcc3ba$PGszsp&F`(`jWZio{ zeq0OPy8M%x`_!H_*Z-p;fUZ3M9n|u_4vseYU!Uc{IZH%nB%&OcFT4U@& zV>&-NV&xEXniAmhp|Jb1htQFeUn5a4bZ}=cfU>Vjz1;X!tEoQ<_W>%LSCv)Pu%2ye3Js zi*CV+2w_8UfQ?AE7u+|ptnzPs&~8#`;3)~>NoHF?7FfScNBP+Pn6FK@M) zed+k|T0%E9_xJioP9X_ThY1pwi@dD1ql>IhR$qF%+dP%$e)8YLB7m+s|Lq-A_5Xvz z{f++rS)Rwo{`@`Z9KSTSe|yiG>;F*^Kv(L2>hV7h4>s%nS)NV&&rST#*7YCENIa+D zKKqzHR;~Yoy@P7}uinu{|NAV@7COg5kWBe+sJT`N(Z)HAB{8EEhu3&Yc;IcR5O?}~ z&k>)II7V`PD+_9xOn2q}iv_(QU}fjL$4TUEp@d9TB)u1DMke%*MCg`^8T#XPfZiwZ z0YN{~=W!2N^-Uhw8}bSYRyye;&a&F3sZ|9pLkBARh8m{QS&|0?jkVEjwgh5wot zvuRiU$Nc0sNw;Wdj6=!sCNw78+X?t>>g@z$eC_Q7VlMw?8J&7N|F5@&{)scna*j^l zoNzDDd7iz1Mg(_N@r?cC1vflo5$S&M#l6O}bp2nP9KU&Y63nB=^|5mQujc>l9}YJ6 zKhN_Rm7eDvqYFg~W>>?UM2ID@Nou{H6DCbX%q#`RWDrg>P)tHKqWsF@nBAfU%fSUK zlcGOPA~a_S6)clGtH|g$7bHS+8fMJI&<#BAFKB1yj0rN_*+FtQA7f5K7Yw72bm6$2 z(Qsx0aTYF>5W3KY= 1.28.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 +apiVersion: v1 +appVersion: 1.23.2 +description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. 
+icon: https://charts.rancher.io/assets/logos/istio.svg
+keywords:
+- networking
+- infrastructure
+name: rancher-istio
+version: 106.2.0+up1.24.1
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/README.md b/charts/rancher-istio/106.2.0+up1.24.1/README.md
new file mode 100644
index 0000000000..2230c61859
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/README.md
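Review bot: The chart metadata disagrees with itself: `version: 106.2.0+up1.24.1` says this release packages Istio 1.24.1, while `appVersion: 1.23.2` and `catalog.cattle.io/upstream-version: 1.23.2` still say 1.23.2, so the Rancher catalog UI and anyone auditing which Istio is actually bundled get different answers. Whichever side is right, the three values should agree; if the directory name is authoritative that means `appVersion: 1.24.1` and `catalog.cattle.io/upstream-version: 1.24.1`. The app-readme hunk further down also cites `104.5.0+up1.24.1` in its distroless-images section, which matches neither. The head of this hunk, including its `@@` line and the earlier annotations, is lost in the binary residue of the preceding .tgz patch, so only the visible tail was checked.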
@@ -0,0 +1,79 @@ +# Rancher-Istio Chart + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. + +See the app-readme for known issues and deprecations. + +## Installation Requirements + +#### Chart Dependencies +- rancher-monitoring chart or other Prometheus installation + +#### Install +To install the rancher-istio chart with helm, use the following command: +``` +helm install rancher-istio --create-namespace -n istio-system +``` + +#### Uninstall +To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. + +**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** +`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` + +## Addons +The addons that are included with rancher-istio are: + +- Kiali +- Jaeger + +Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. +### Kiali Addon + +Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. + +#### Kiali Dependencies +##### rancher-monitoring chart or other Prometheus installation + +This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. 
+ +#### Prometheus Configuration for Kiali +> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. + +The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. + +To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. + +1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. +1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. + +#### Kiali External Services + +The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. + +##### Prometheus +The `kiali.external_services.prometheus` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. + +##### Grafana +The `kiali.external_services.grafana` url is set in the values.yaml: +``` +http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} +``` +The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. 
+ +##### Tracing +The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: +``` +http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} +``` +The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. + +## Jaeger Addon + +Jaeger allows you to trace and monitor distributed microservices. + +> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/106.2.0+up1.24.1/app-readme.md b/charts/rancher-istio/106.2.0+up1.24.1/app-readme.md new file mode 100644 index 0000000000..5e2629648c --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/app-readme.md 
@@ -0,0 +1,65 @@ +# Rancher Istio + +Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: +* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh +* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
+ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Warnings +- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. + +## Known Issues + +#### Airgapped Environments +**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) + +#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. +To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. +`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` +See [this issue](https://github.com/rancher/rancher/issues/33291) for details. + +## Installing istio with distroless-images. +Istio `104.5.0+up1.24.1` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
+ +## Deprecations + +#### v1alpha1 security policies +As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ + +If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. + +> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: +``` +Error: found 6 CRD of unsupported v1alpha1 security policy +``` +``` + Error: found 1 unsupported v1alpha1 security policy + ``` + ``` + Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x + ``` + Continue with the migration steps below before retrying the upgrade process. + +#### Migrating Resources: +Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). + +You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/Chart.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/Chart.yaml new file mode 100644 index 0000000000..ea10fb720d --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/Chart.yaml 
@@ -0,0 +1,28 @@
+annotations:
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
+ catalog.rancher.io/namespace: cattle-istio-system
+ catalog.rancher.io/release-name: rancher-kiali-server
+apiVersion: v2
+appVersion: v2.1.0
+description: Kiali is an open source project for service mesh observability, refer
+ to https://www.kiali.io for details. This is installed as sub-chart with customized
+ values in Rancher's Istio.
+home: https://github.com/kiali/kiali
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- networking
+- infrastructure
+maintainers:
+- email: kiali-users@googlegroups.com
+ name: Kiali
+ url: https://kiali.io
+name: kiali
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 2.1.0
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/NOTES.txt b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/NOTES.txt
new file mode 100644
index 0000000000..fac4e8d6c9
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/NOTES.txt
@@ -0,0 +1,20 @@
+Welcome to Kiali! For more details on Kiali, see: https://kiali.io
+
+The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+
+{{- if not .Values.deployment.cluster_wide_access }}
+===============
+!!! WARNING !!!
+===============
+This Kiali Server Helm Chart does NOT support "deployment.cluster_wide_access" set to "false"!
+
+This feature, as well as others, is only available when using the Kiali Operator to install
+the Kiali Server. It is for this reason this Kiali Server Helm Chart, while provided for
+convenience, is not the recommended installation mechanism for installing the Kiali Server.
+{{- end }}
+
+When installing with "deployment.cluster_wide_access=false" using this Kiali Server Helm Chart,
+it is your responsibility to manually create the proper Roles and RoleBindings for the Kiali Server
+to have the correct permissions to access the service mesh namespaces.
+
+(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/_helpers.tpl b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/_helpers.tpl
new file mode 100644
index 0000000000..1936d1bc2a
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/_helpers.tpl
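Review bot: The paragraph beginning `When installing with "deployment.cluster_wide_access=false"` is printed on every install, including the default cluster-wide one, because it sits after the `{{- end }}` that closes the `{{- if not .Values.deployment.cluster_wide_access }}` block; users who never changed that value are told they must hand-create Roles and RoleBindings. Moving the `{{- end }}` line to just before the final `(Helm: Chart=...)` line keeps that advice inside the conditional together with the warning banner it belongs to. The leading `{{-` on the `if` line also swallows the blank line before the banner, which is presumably intentional but worth keeping in mind when the block is moved.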
@@ -0,0 +1,221 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Determine if on OpenShift (when debugging the chart for OpenShift use-cases, set "simulateOpenShift") +*/}} +{{- define "kiali-server.isOpenShift" -}} +{{- .Values.isOpenShift | default (.Capabilities.APIVersions.Has "operator.openshift.io/v1") -}} +{{- end }} + +{{/* +Identifies the log_level. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- .Values.deployment.logger.log_level -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullName := include "kiali-server.fullname" . 
-}} +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} +app.kubernetes.io/name: kiali +{{- if (and .Release.IsUpgrade $deployment)}} +app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} +{{- else }} +app.kubernetes.io/instance: {{ $fullName }} +{{- end }} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- if (eq .Values.server.web_root "/") }} + {{- .Values.server.web_root }} + {{- else }} + {{- .Values.server.web_root | trimSuffix "/" }} + {{- end }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default deployment.ingress.enabled. 
Disable it on k8s; enable it on OpenShift. +*/}} +{{- define "kiali-server.deployment.ingress.enabled" -}} +{{- if hasKey .Values.deployment.ingress "enabled" }} + {{- .Values.deployment.ingress.enabled }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- true }} + {{- else }} + {{- false }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. +*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and ((and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url))) (not .Values.auth.openshift.redirect_uris)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + {{- if (and (not .Values.kiali_route_url) (not .Values.auth.openshift.redirect_uris)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either (a) set that, (b) explicitly define redirect URIs via --set auth.openshift.redirect_uris, or (c) use a different auth strategy via the --set auth.strategy=... option." 
}} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the root namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.external_services.istio.root_namespace" -}} +{{- if .Values.external_services.istio.root_namespace }} + {{- .Values.external_services.istio.root_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. +Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. 
+*/}} +{{- define "kiali-server.remote-cluster-secrets" -}} +{{- $theDict := dict }} +{{- if .Values.clustering.autodetect_secrets.enabled }} + {{- $secretLabelToLookFor := (regexSplit "=" .Values.clustering.autodetect_secrets.label 2) }} + {{- $secretLabelNameToLookFor := first $secretLabelToLookFor }} + {{- $secretLabelValueToLookFor := last $secretLabelToLookFor }} + {{- range $i, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }} + {{- if (and (and (hasKey $secret.metadata "labels") (hasKey $secret.metadata.labels $secretLabelNameToLookFor)) (eq (get $secret.metadata.labels $secretLabelNameToLookFor) ($secretLabelValueToLookFor))) }} + {{- $clusterName := $secret.metadata.name }} + {{- if (and (hasKey $secret.metadata "annotations") (hasKey $secret.metadata.annotations "kiali.io/cluster")) }} + {{- $clusterName = get $secret.metadata.annotations "kiali.io/cluster" }} + {{- end }} + {{- $theDict = set $theDict $clusterName $secret.metadata.name }} + {{- end }} + {{- end }} +{{- end }} +{{- $theDict | toJson }} +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/cabundle.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/cabundle.yaml new file mode 100644 index 0000000000..e0bc1f2c2f --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/cabundle.yaml @@ -0,0 +1,15 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if eq "true" (include "kiali-server.isOpenShift" .) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }}-cabundle + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + service.beta.openshift.io/inject-cabundle: "true" +... +{{- end }} +{{- end }} \ No newline at end of file 
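Review bot: `kiali-server.login_token.signing_key` falls back to `randAlphaNum 16`, which is evaluated afresh on every render, so unless `login_token.signing_key` is pinned in values every `helm upgrade` rotates the key that signs Kiali session tokens (presumably invalidating all outstanding sessions) and `helm template`/`--dry-run` output never matches the live release. `kiali-server.selectorLabels` in the same hunk already uses `lookup` plus `.Release.IsUpgrade` to keep a generated value stable across upgrades; the same pattern can reuse the key already rendered into the release's ConfigMap (this assumes the Helm in use bundles sprig's `dig`). Separately, the comment above `kiali-server.remote-cluster-secrets` says the dict values are "the cluster secret data" while the code stores `$secret.metadata.name`; `values are the names of the matching Secrets` is the accurate wording.
```gotmpl
{{- define "kiali-server.login_token.signing_key" -}}
{{- if .Values.login_token.signing_key }}
  {{- .Values.login_token.signing_key }}
{{- else }}
  {{- /* On upgrade, reuse the key already rendered into the release ConfigMap so an upgrade does not rotate it; a fresh install (or helm template) still gets a random key */}}
  {{- $existing := "" }}
  {{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace (include "kiali-server.fullname" .)) }}
  {{- if (and .Release.IsUpgrade $cm) }}
    {{- $existing = (dig "login_token" "signing_key" "" (fromYaml (index $cm.data "config.yaml"))) }}
  {{- end }}
  {{- $existing | default (randAlphaNum 16) }}
{{- end }}
{{- end }}
```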
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/configmap.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/configmap.yaml
new file mode 100644
index 0000000000..45b571ec16
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/configmap.yaml
@@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.configmap_annotations }} + annotations: + {{- toYaml .Values.deployment.configmap_annotations | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}} + {{- $cm := omit .Values "kiali_route_url" }} + {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}} + {{- $_ := set $cm.deployment "namespace" .Release.Namespace }} + {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}} + {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }} + {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }} + {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }} + {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }} + {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }} + {{- $_ := set $cm.external_services.istio "root_namespace" (include "kiali-server.external_services.istio.root_namespace" .) }} + {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }} + {{- toYaml $cm | nindent 4 }} +... diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/deployment.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/deployment.yaml new file mode 100644 index 0000000000..e5d38b1163 --- /dev/null 
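Review bot: `$_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .)` writes the session-token signing key into `config.yaml` of a ConfigMap, so any principal with `get` on configmaps in the release namespace can read it and forge Kiali sessions; a value of this class belongs in a Secret (deployment.yaml already mounts `{{ include "kiali-server.fullname" . }}-secret` at `/kiali-secret`, which could carry it). If the helper falls back to a random value when `login_token.signing_key` is empty, every `helm upgrade` also rotates the key and, via the `checksum/config` annotation, restarts the pod and invalidates all sessions; the helper is defined outside this hunk, so confirm before relying on that. At minimum add `{{- /* signing_key lands in this ConfigMap in clear; restrict configmap read access or set login_token.signing_key from a Secret */}}` above the `set` line.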
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/deployment.yaml 
@@ -0,0 +1,243 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: +{{- if not .Values.deployment.hpa.spec }} + replicas: {{ .Values.deployment.replicas }} +{{- end }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.server.observability.metrics.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.observability.metrics.port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.deployment.host_aliases }} + hostAliases: + {{- toYaml .Values.deployment.host_aliases | nindent 6 }} + {{- end }} + {{- if .Values.deployment.dns }} + {{- if .Values.deployment.dns.policy }} + dnsPolicy: "{{ .Values.deployment.dns.policy }}" + {{- end }} + {{- if .Values.deployment.dns.config }} + dnsConfig: + {{- toYaml .Values.deployment.dns.config | nindent 8 }} + {{- end }} + {{- end }} + containers: + - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . }} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + {{- if .Values.deployment.security_context}} + {{- toYaml .Values.deployment.security_context | nindent 10 }} + {{- else }} + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- end }} + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + containerPort: {{ .Values.server.observability.metrics.port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) 
}} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + {{- range .Values.deployment.custom_envs }} + - name: {{ .name | quote }} + value: {{ .value | quote }} + {{- end }} + volumeMounts: + {{- if .Values.web_root_override }} + - name: kiali-console + subPath: env.js + mountPath: /opt/kiali/console/env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + mountPath: "{{ .mount }}" + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) | fromJson }} + - name: {{ $key }} + mountPath: "/kiali-remote-cluster-secrets/{{ $val }}" + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + mountPath: "/kiali-remote-cluster-secrets/{{ .secret_name }}" + {{- end }} + {{- end }} + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + {{- if .Values.web_root_override }} + - name: kiali-console + configMap: + name: kiali-console + items: + - key: env.js + path: env.js + {{- end }} + - name: {{ include "kiali-server.fullname" . 
}}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }} + optional: true + {{- end }} + {{- range .Values.deployment.custom_secrets }} + - name: {{ .name }} + {{- if .csi}} + csi: {{ toYaml .csi | nindent 10 }} + {{- else }} + secret: + secretName: {{ .name }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + {{- range $key, $val := (include "kiali-server.remote-cluster-secrets" .) 
| fromJson }} + - name: {{ $key }} + secret: + secretName: {{ $val }} + {{- end }} + {{- range .Values.clustering.clusters }} + {{- if .secret_name }} + - name: {{ .name }} + secret: + secretName: {{ .secret_name }} + {{- end }} + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.deployment.tolerations }} +{{ toYaml .Values.deployment.tolerations | indent 8 }} +{{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.deployment.node_selector }} +{{ toYaml .Values.deployment.node_selector | indent 8 }} +{{- end }} +... +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/hpa.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/hpa.yaml new file mode 100644 index 0000000000..d04cb0cda6 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/hpa.yaml 
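Review bot: `{{- if .Values.deployment.security_context}}` replaces the whole hardened default block (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `capabilities.drop: [ALL]`) with whatever the user supplies, so a partial override such as only `runAsUser` silently drops every other restriction. Merging the user map over a dict of those defaults with `mergeOverwrite` and emitting it with `toYaml ... | nindent 10` would keep the defaults unless explicitly overridden; if that is too large a behaviour change, add `{{- /* NOTE: a non-empty security_context replaces ALL of the defaults below; copy the ones you want to keep into your override */}}` above the `if`. The missing space before `}}` in that condition also recurs at `{{- if .csi}}` in the volumes section.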
@@ -0,0 +1,19 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if .Values.deployment.hpa.spec }} +--- +apiVersion: {{ .Values.deployment.hpa.api_version }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kiali-server.fullname" . }} + {{- toYaml .Values.deployment.hpa.spec | nindent 2 }} +... +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/ingress.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/ingress.yaml new file mode 100644 index 0000000000..911b63c46c --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/ingress.yaml 
@@ -0,0 +1,64 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if not (eq "true" (include "kiali-server.isOpenShift" .)) }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- else }} + # For ingress-nginx versions older than 0.20.0 use secure-backends. + # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948) + # For ingress-nginx versions 0.20.0 and later use backend-protocol. + {{- if (include "kiali-server.identity.cert_file" .) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- else }} + nginx.ingress.kubernetes.io/secure-backends: "false" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + {{- end }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + {{- if .Values.deployment.ingress.class_name }} + ingressClassName: {{ .Values.deployment.ingress.class_name }} + {{- end }} + rules: + - http: + paths: + - path: {{ include "kiali-server.server.web_root" . }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ include "kiali-server.fullname" . 
}} + port: + number: {{ .Values.server.port }} + {{- else }} + backend: + serviceName: {{ include "kiali-server.fullname" . }} + servicePort: {{ .Values.server.port }} + {{- end }} + {{- if not (empty .Values.server.web_fqdn) }} + host: {{ .Values.server.web_fqdn }} + {{- end }} + {{- end }} +... +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/oauth.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/oauth.yaml new file mode 100644 index 0000000000..223b8cdc3b --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/oauth.yaml @@ -0,0 +1,31 @@ +{{- if eq "true" (include "kiali-server.isOpenShift" .) }} +{{- if (or (.Values.kiali_route_url) (.Values.auth.openshift.redirect_uris)) }} +--- +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +redirectURIs: +{{- if .Values.auth.openshift.redirect_uris }} +{{- range .Values.auth.openshift.redirect_uris }} +- {{ . }} +{{- end }} +{{- else }} +- {{ .Values.kiali_route_url }}/api/auth/callback +{{- if .Values.server.web_port }} +- {{ .Values.kiali_route_url }}:{{ .Values.server.web_port }}/api/auth/callback +{{- end }} +{{- end }} +grantMethod: auto +{{- if .Values.auth.openshift.token_inactivity_timeout }} +accessTokenInactivityTimeoutSeconds: {{ .Values.auth.openshift.token_inactivity_timeout }} +{{- end }} +{{- if .Values.auth.openshift.token_max_age }} +accessTokenMaxAgeSeconds: {{ .Values.auth.openshift.token_max_age }} +{{- end }} +... +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/psp.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/psp.yaml new file mode 100644 index 0000000000..e31d706d4b --- /dev/null 
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/psp.yaml @@ -0,0 +1,67 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kiali-server.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: kiali +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - policy + resourceNames: + - {{ include "kiali-server.fullname" . }}-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "kiali-server.fullname" . }}-psp + namespace: {{ .Release.Namespace }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role-viewer.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role-viewer.yaml new file mode 100644 index 0000000000..cbe6d0d7fa --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role-viewer.yaml 
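Review bot: The RoleBinding subject `- kind: ServiceAccount` / `name: kiali` hard-codes the account name while serviceaccount.yaml creates `{{ include "kiali-server.fullname" . }}`, so with a non-default fullname the PSP `use` grant binds to a non-existent account and the pod is rejected by PSP admission. The subject also omits `namespace`, which the RBAC API requires for ServiceAccount subjects. Use `name: {{ include "kiali-server.fullname" . }}` and `namespace: {{ .Release.Namespace }}` there. The `namespace:` field on the PodSecurityPolicy itself is ignored, since that kind is cluster-scoped.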
@@ -0,0 +1,103 @@ +{{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }}-viewer + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch +... +{{- end -}} 
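Review bot: `- post` under the `pods/portforward` rule is not a Kubernetes RBAC verb (the API verbs are get, list, watch, create, update, patch, delete, deletecollection), so the entry is inert; port-forward needs only `create` on the subresource. The same `- post` appears in the corresponding rule in role.yaml. Drop the line in both files so the grant reads as exactly what it authorises.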
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role.yaml new file mode 100644 index 0000000000..74c574d318 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/role.yaml 
@@ -0,0 +1,110 @@ +{{- if not (or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous")) -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints +{{- if not (has "logs-tab" .Values.kiali_feature_flags.disabled_features) }} + - pods/log +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + - extensions.istio.io + - telemetry.istio.io + - gateway.networking.k8s.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +- apiGroups: ["oauth.openshift.io"] + resources: + - oauthclients + resourceNames: + - {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + verbs: + - get +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch +... +{{- end -}} 
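Review bot: This ClusterRole, selected by the first-line condition (and mirrored in rolebinding.yaml) only when `view_only_mode` is false and the auth strategy is `anonymous`, grants `create`/`delete`/`patch` on every resource in the Istio and Gateway API groups plus `patch` on pods, services and workloads; in anonymous mode those writes run with the service-account token on behalf of any unauthenticated UI visitor, so the role's scope should be stated where an operator reads it. Suggest a header comment after the `if`: `{{- /* Write-capable role: bound only when auth.strategy resolves to anonymous and view_only_mode is false; every UI user then mutates Istio config with this SA. Set deployment.view_only_mode: true to bind the viewer role instead. */}}`. Whether the empty `auth.strategy: ""` default resolves to anonymous depends on the `kiali-server.auth.strategy` helper, which is outside this hunk.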
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/rolebinding.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/rolebinding.yaml new file mode 100644 index 0000000000..dd0d585fb1 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }} + name: {{ include "kiali-server.fullname" . }}-viewer + {{- else }} + name: {{ include "kiali-server.fullname" . }} + {{- end }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + {{- if or (.Values.deployment.view_only_mode) (ne .Values.auth.strategy "anonymous") }} + name: {{ include "kiali-server.fullname" . }}-viewer + {{- else }} + name: {{ include "kiali-server.fullname" . }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" +... diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/route.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/route.yaml new file mode 100644 index 0000000000..77b2906bf2 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/route.yaml 
@@ -0,0 +1,36 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +{{- if eq "true" (include "kiali-server.isOpenShift" .) }} +{{- if eq "true" (include "kiali-server.deployment.ingress.enabled" .) }} +# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- if .Values.deployment.ingress.additional_labels }} + {{- toYaml .Values.deployment.ingress.additional_labels | nindent 4 }} + {{- end }} + {{- include "kiali-server.labels" . | nindent 4 }} + {{- if .Values.deployment.ingress.override_yaml.metadata.annotations }} + annotations: + {{- toYaml .Values.deployment.ingress.override_yaml.metadata.annotations | nindent 4 }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.ingress.override_yaml "spec" }} + {{- toYaml .Values.deployment.ingress.override_yaml.spec | nindent 2 }} + {{- else }} + tls: + termination: reencrypt + insecureEdgeTerminationPolicy: Redirect + to: + kind: Service + name: {{ include "kiali-server.fullname" . }} + port: + targetPort: {{ .Values.server.port }} + {{- end }} +... +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/service.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/service.yaml new file mode 100644 index 0000000000..89b6860fbd --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/service.yaml 
@@ -0,0 +1,53 @@ +{{- if not .Values.deployment.remote_cluster_resources_only }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if eq "true" (include "kiali-server.isOpenShift" .) }} + service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret + {{- end }} + {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }} + {{- if empty .Values.server.web_port }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ include "kiali-server.server.web_root" . }} + {{- else }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{ include "kiali-server.server.web_root" . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.service_annotations }} + {{- toYaml .Values.deployment.service_annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.deployment.service_type }} + type: {{ .Values.deployment.service_type }} + {{- end }} + ports: + {{- if (include "kiali-server.identity.cert_file" .) }} + - name: tcp + appProtocol: https + {{- else }} + - name: http + appProtocol: http + {{- end }} + protocol: TCP + port: {{ .Values.server.port }} + {{- if and (not (empty .Values.server.node_port)) (eq .Values.deployment.service_type "NodePort") }} + nodePort: {{ .Values.server.node_port }} + {{- end }} + {{- if .Values.server.observability.metrics.enabled }} + - name: http-metrics + appProtocol: http + protocol: TCP + port: {{ .Values.server.observability.metrics.port }} + {{- end }} + selector: + {{- include "kiali-server.selectorLabels" . | nindent 4 }} + {{- if .Values.deployment.additional_service_yaml }} + {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }} + {{- end }} +... 
+{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/serviceaccount.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/serviceaccount.yaml new file mode 100644 index 0000000000..995d580465 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +... diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/validate-psp-install.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/web-root-configmap.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/web-root-configmap.yaml new file mode 100644 index 0000000000..970d4e4f5d --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/templates/web-root-configmap.yaml 
@@ -0,0 +1,12 @@ +{{- if .Values.web_root_override }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali-console + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +data: + env.js: | + window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali'; +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/values.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/values.yaml new file mode 100644 index 0000000000..067edb6f7d --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/kiali/values.yaml 
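Review bot: `window.WEB_ROOT='/k8s/clusters/.../services/http:kiali:20001/proxy/kiali'` hard-codes the service name `kiali` and port `20001`, while service.yaml names the Service `{{ include "kiali-server.fullname" . }}` and exposes `{{ .Values.server.port }}`; overriding either value leaves the Rancher proxy path pointing at nothing, with no render-time error. Use `http:{{ include "kiali-server.fullname" . }}:{{ .Values.server.port }}` in the URL. `namespace: {{ .Release.Namespace }}` is also the only occurrence in these templates left unquoted — match the `"{{ .Release.Namespace }}"` form used elsewhere.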
@@ -0,0 +1,126 @@ +# This is required for "openshift" auth strategy. +# You have to know ahead of time what your Route URL will be because +# right now the helm chart can't figure this out at runtime (it would +# need to wait for the Kiali Route to be deployed and for OpenShift +# to start it up). If someone knows how to update this helm chart to +# do this, a PR would be welcome. +kiali_route_url: "" + +# rancher specific override that allows proxy access to kiali url +web_root_override: true +# +# Settings that mimic the Kiali CR which are placed in the ConfigMap. +# Note that only those values used by the Helm Chart will be here. +# + +additional_display_details: +- annotation: kiali.io/api-spec + icon_annotation: kiali.io/api-type + title: API Documentation + +istio_namespace: "" # default is where Kiali is installed + +auth: + openid: {} + openshift: {} + strategy: "" + +clustering: + autodetect_secrets: + enabled: true + label: "kiali.io/multiCluster=true" + clusters: [] + +deployment: + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + # The Kiali server helm chart only supports cluster-wide access; setting cluster_wide_access to false is not supported. + # For more control over what the Kial Service Account can see, use the Kiali Operator. 
+ cluster_wide_access: true + configmap_annotations: {} + custom_envs: [] + custom_secrets: [] + dns: + config: {} + policy: "" + host_aliases: [] + hpa: + api_version: "autoscaling/v2" + spec: {} + image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") + repository: rancher/mirrored-kiali-kiali + image_pull_policy: "Always" + image_pull_secrets: [] + tag: v2.1.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash + ingress: + additional_labels: {} + class_name: "nginx" + #enabled: + override_yaml: + metadata: {} + instance_name: "kiali" + logger: + log_format: "text" + log_level: "info" + time_field_format: "2006-01-02T15:04:05Z07:00" + sampler_rate: "1" + node_selector: {} + pod_annotations: {} + pod_labels: {} + priority_class_name: "" + remote_cluster_resources_only: false + # if deployment.hpa is defined, this replicas setting will be ignored + replicas: 1 + resources: + requests: + cpu: "10m" + memory: "64Mi" + limits: + memory: "1Gi" + secret_name: "kiali" + security_context: {} + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v2.1.0 # v1.39 # v1.39.0 # see: https://quay.io/repository/kiali/kiali?tab=tags + view_only_mode: false + +external_services: + custom_dashboards: + enabled: true + istio: + root_namespace: "" + +identity: {} + #cert_file: + #private_key_file: + +kiali_feature_flags: + disabled_features: [] + validations: + ignore: ["KIA1301"] + +login_token: + signing_key: "" + +server: + port: 20001 + #node_port: + observability: + metrics: + enabled: true + port: 9090 + web_root: "" + +# Common settings used among istio subcharts. +global: + # Specify rancher clusterId of external tracing config + # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 + cattle: + systemDefaultRegistry: "" + clusterId: + psp: + enabled: false \ No newline at end of file 
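Review bot: `clusterId:` under `global.cattle` is a bare key, which YAML reads as null rather than the empty string its sibling `systemDefaultRegistry: ""` uses, and it is interpolated straight into the web-root URL in web-root-configmap.yaml; write `clusterId: ""` so the type is explicit. The comment above `cluster_wide_access` misspells Kiali as `Kial`.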
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/.helmignore b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/Chart.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/Chart.yaml new file mode 100644 index 0000000000..a96d6e2043 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/Chart.yaml @@ -0,0 +1,12 @@ +annotations: + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.rancher.io/certified: rancher + catalog.rancher.io/namespace: istio-system + catalog.rancher.io/release-name: rancher-tracing +apiVersion: v1 +appVersion: 1.63.0 +description: A quick start Jaeger Tracing installation using the all-in-one demo. + This is not production qualified. Refer to https://www.jaegertracing.io/ for details. +name: tracing +version: 1.63.0 diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/README.md b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/README.md new file mode 100644 index 0000000000..25534c6288 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/README.md 
@@ -0,0 +1,5 @@ +# Jaeger + +A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices. + +> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs. diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_affinity.tpl b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_affinity.tpl new file mode 100644 index 0000000000..bf6a9aee5c --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_affinity.tpl 
@@ -0,0 +1,92 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} +{{- define "nodeAffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_helpers.tpl b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_helpers.tpl new file mode 100644 index 0000000000..09c6b05467 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/_helpers.tpl 
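Review bot: The required node-affinity term in `nodeAffinityRequiredDuringScheduling` keys on `beta.kubernetes.io/arch`, a label Kubernetes has deprecated in favour of `kubernetes.io/arch`; on nodes that no longer carry the beta label a required term matches nothing and the Jaeger pod stays Pending. Switching both occurrences (the required block and the preferred block) to `- key: kubernetes.io/arch` is a one-line change in each. The selector fields `{{ $item.key }}`, `{{ $item.operator }}` and `{{ $item.topologyKey }}` are rendered unquoted, so a value such as `on` or `1.10` would be retyped by the YAML parser; piping them through `quote`, as the `values` entries already are, keeps them strings.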
@@ -0,0 +1,47 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "tracing.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/deployment.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/deployment.yaml new file mode 100644 index 0000000000..f8a6828085 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/deployment.yaml 
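Review bot: `system_default_registry`, `linux-node-tolerations` and `linux-node-selector` are defined here with exactly the same names as in the parent chart's `templates/_helpers.tpl` later in this commit. Helm named templates are global across a chart and its subcharts, so two `define`s of one name are resolved by load order rather than by the chart that calls them; if the two copies ever diverge, which body renders is not obvious from either file. Either prefix the subchart copies (`tracing.system_default_registry`) or add a comment above the first define, e.g. `{{/* Kept byte-identical to the parent chart's helper of the same name; Helm resolves duplicate defines by load order. */}}`.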
@@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: {{ .Values.provider }} + template: + metadata: + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "14269" +{{- if .Values.jaeger.podAnnotations }} +{{ toYaml .Values.jaeger.podAnnotations | indent 8 }} +{{- end }} + spec: + containers: + - name: jaeger + image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + {{- if eq .Values.jaeger.spanStorageType "badger" }} + - name: BADGER_EPHEMERAL + value: "false" + - name: SPAN_STORAGE_TYPE + value: "badger" + - name: BADGER_DIRECTORY_VALUE + value: "/badger/data" + - name: BADGER_DIRECTORY_KEY + value: "/badger/key" + {{- end }} + - name: COLLECTOR_ZIPKIN_HOST_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + livenessProbe: + httpGet: + path: / + port: 14269 + readinessProbe: + httpGet: + path: / + port: 14269 +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumeMounts: + - name: data + mountPath: /badger +{{- end }} + resources: +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + affinity: + {{- include "nodeAffinity" . | indent 6 }} + {{- include "podAntiAffinity" . 
| indent 6 }} + {{- if .Values.global.cattle.psp.enabled }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + {{- end }} + serviceAccountName: {{ include "tracing.fullname" . }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if eq .Values.jaeger.spanStorageType "badger" }} + volumes: + - name: data +{{- if .Values.jaeger.persistentVolumeClaim.enabled }} + persistentVolumeClaim: + claimName: istio-jaeger-pvc +{{- else }} + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/psp.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/psp.yaml new file mode 100644 index 0000000000..4d5c271e1b --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/psp.yaml 
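Review bot: The pod `securityContext` (`runAsNonRoot: true`, `runAsUser: 1000`) is emitted only inside `{{- if .Values.global.cattle.psp.enabled }}`, and the subchart's values.yaml in this commit defaults that flag to false, so in the default configuration the Jaeger container runs as whatever user the image chooses, with no seccomp profile and no capability drop. That hardening does not depend on PodSecurityPolicy and should be unconditional, after which the PSP-gated block can go; the container spec also lacks the container-level settings a restricted Pod Security Standard checks. With a PVC-backed `/badger` a `fsGroup` may additionally be needed for uid 1000 to write — I cannot confirm the volume's ownership from here. Suggested rewrite of the security settings (the rest of the pod spec stays as is):

```yaml
      containers:
        - name: jaeger
          # … unchanged: image, env, probes, volumeMounts, resources …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      # … unchanged: affinity …
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: {{ include "tracing.fullname" . }}
```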
@@ -0,0 +1,76 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tracing.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tracing.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "tracing.fullname" . }}
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - secret
+ - persistentVolumeClaim
+{{- end }}
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/pvc.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/pvc.yaml
new file mode 100644
index 0000000000..9b4c55e4fb
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/pvc.yaml
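Review bot: `metadata.namespace: {{ .Release.Namespace }}` on the PodSecurityPolicy is ignored by the API server, because PSP is a cluster-scoped kind; the same field appears on `psp-istio-cni` and `istio-installer` in later hunks of this commit. Dropping it avoids suggesting the policy is confined to the release namespace — what actually scopes it is the namespaced Role/RoleBinding above, which grants `use` only to the `tracing.fullname` ServiceAccount. Worth a comment above `kind: PodSecurityPolicy` as well: `policy/v1beta1` was removed in Kubernetes 1.25, so with `global.cattle.psp.enabled: true` this file only applies on older clusters.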
@@ -0,0 +1,16 @@
+{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-jaeger-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+spec:
+ storageClassName: {{ .Values.jaeger.storageClassName }}
+ accessModes:
+ - {{ .Values.jaeger.accessMode }}
+ resources:
+ requests:
+ storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
+{{- end }}
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/service.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/service.yaml
new file mode 100644
index 0000000000..3ee5a54247
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/service.yaml
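Review bot: `storageClassName: {{ .Values.jaeger.storageClassName }}` with the subchart default of `""` renders as an empty plain scalar, which YAML reads as null — the PVC then falls through to the cluster's default StorageClass, whereas an explicit `""` would request no dynamic provisioning at all. If the default class is what is intended, say so by omitting the key when the value is empty: `{{- with .Values.jaeger.storageClassName }}` / `storageClassName: {{ . | quote }}` / `{{- end }}`. The claim name `istio-jaeger-pvc` is a fixed literal rather than derived from `tracing.fullname`, so two releases in one namespace would contend for the same claim; the deployment hunk earlier in this commit references the same literal, so both would need to change together.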
@@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Service +metadata: + name: tracing + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := .Values.service.annotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.service.type }} + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.service.externalPort }} + protocol: TCP + targetPort: 16686 + selector: + app: {{ .Values.provider }} +--- +# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. +apiVersion: v1 +kind: Service +metadata: + name: zipkin + namespace: {{ .Release.Namespace }} + labels: + name: zipkin + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + ports: + - name: {{ .Values.service.name }} + port: {{ .Values.zipkin.queryPort }} + targetPort: {{ .Values.zipkin.queryPort }} + selector: + app: {{ .Values.provider }} +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + - name: jaeger-collector-grpc + port: 14250 + targetPort: 14250 + protocol: TCP + - port: 9411 + targetPort: 9411 + name: http-zipkin + - port: 4317 + name: grpc-otel + - port: 4318 + name: http-otel + selector: + app: {{ .Values.provider }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/serviceaccount.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/serviceaccount.yaml new file mode 100644 index 0000000000..1bff77ff66 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/serviceaccount.yaml 
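Review bot: The `tracing` Service fronts the Jaeger query UI on 16686, and the all-in-one Jaeger image performs no authentication of its own, so `type: {{ .Values.service.type }}` is the single knob that turns an in-cluster endpoint into an externally reachable one. A comment at that line such as `# Jaeger's UI has no built-in auth: keep ClusterIP and expose it only behind an authenticating ingress` would make the trade-off visible to whoever edits values. In the `zipkin` Service the 9411 port is named `{{ .Values.service.name }}`, i.e. `http-query`, which is the query-UI port's name; naming it `http-zipkin` as the collector Service below already does keeps the port names descriptive (Istio's protocol selection only needs the `http-` prefix, so either renders correctly).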
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/validate-psp-install.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/values.yaml b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/values.yaml
new file mode 100644
index 0000000000..4929fb82a4
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/charts/tracing/values.yaml
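Review bot: Every line of `validate-psp-install.yaml` is prefixed with `#`, so the whole file renders as a YAML comment and the `fail` guard never executes; with `global.cattle.psp.enabled: true` on a cluster that lacks `policy/v1beta1/PodSecurityPolicy`, the install now dies on the rejected PSP object from `psp.yaml` instead of with the clear message written here. The outer `lookup` condition is presumably what made the check unreliable (`lookup` returns nothing under `helm template` or a dry run), but the inner `.Capabilities.APIVersions.Has` test works at render time on its own. Either restore the file without the `#` prefixes and without the outer `lookup` wrapper, or delete it rather than shipping seven commented-out lines.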
@@ -0,0 +1,53 @@
+provider: jaeger
+contextPath: ""
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+nameOverride: ""
+fullnameOverride: ""
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ defaultResources: {}
+ imagePullPolicy: IfNotPresent
+ imagePullSecrets: []
+ arch:
+ arm64: 2
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+ defaultNodeSelector:
+ kubernetes.io/os: linux
+ rbac:
+ pspEnabled: false
+
+jaeger:
+ repository: rancher/mirrored-jaegertracing-all-in-one
+ tag: 1.63.0
+ # spanStorageType value can be "memory" and "badger" for all-in-one image
+ spanStorageType: badger
+ resources:
+ requests:
+ cpu: 10m
+ persistentVolumeClaim:
+ enabled: false
+ storage: 5Gi
+ storageClassName: ""
+ accessMode: ReadWriteMany
+ memory:
+ max_traces: 50000
+zipkin:
+ queryPort: 9411
+service:
+ annotations: {}
+ name: http-query
+ type: ClusterIP
+ externalPort: 16686
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/configs/istio-base.yaml b/charts/rancher-istio/106.2.0+up1.24.1/configs/istio-base.yaml
new file mode 100644
index 0000000000..a5067f8e74
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/configs/istio-base.yaml
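Review bot: `global.imagePullSecrets: []` and `global.rbac.pspEnabled: false` are declared here but nothing in this subchart's templates reads them: the deployment hunk earlier in this commit renders no `imagePullSecrets`, and the PSP templates key on `global.cattle.psp.enabled` instead. A user who sets a pull secret for a private `systemDefaultRegistry` therefore gets an image-pull failure with no hint why; either wire `{{- with .Values.global.imagePullSecrets }}` / `imagePullSecrets: {{ toYaml . | nindent 8 }}` / `{{- end }}` into the pod spec or drop the dead keys. `accessMode: ReadWriteMany` as the PVC default is more than the single-replica all-in-one Deployment needs and is unsupported by many storage classes; `ReadWriteOnce` is the safer default, with a comment saying why.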
@@ -0,0 +1,145 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: {{ .Values.base.enabled }} + cni: + enabled: {{ .Values.cni.enabled }} + k8s: + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + egressGateways: + - enabled: {{ .Values.egressGateways.enabled }} + name: istio-egressgateway + k8s: + {{- if .Values.egressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.egressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + ingressGateways: + - enabled: {{ .Values.ingressGateways.enabled }} + name: istio-ingressgateway + k8s: + {{- if .Values.ingressGateways.hpaSpec }} + hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.ingressGateways.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + service: + ports: + - name: status-port + port: 15021 + targetPort: 15021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31380 + - name: https + port: 443 + targetPort: 8443 + nodePort: 31390 + - name: tcp + port: 31400 + targetPort: 31400 + nodePort: 31400 + - name: tls + port: 15443 + targetPort: 15443 + istiodRemote: + enabled: {{ .Values.istiodRemote.enabled }} + pilot: + enabled: {{ .Values.pilot.enabled }} + k8s: + {{- if .Values.pilot.hpaSpec }} + hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }} + {{- end }} + {{- if .Values.pilot.podDisruptionBudget }} + podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} +{{- if .Values.nodeSelector }} +{{- toYaml .Values.nodeSelector | nindent 12 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} +{{- if .Values.tolerations }} +{{- toYaml .Values.tolerations | nindent 12 }} +{{- end }} + hub: {{ .Values.systemDefaultRegistry | default "docker.io" }} + profile: default + tag: {{ .Values.tag }} +{{- if .Values.tolerations }} + revision: {{ .Values.revision }} +{{- end }} + meshConfig: + defaultConfig: + {{- if .Values.tracing.enabled }} + tracing: + zipkin: + address: {{ .Values.tracing.zipkinAddress }} + {{- end }} + proxyMetadata: + {{- if .Values.dns.enabled }} + ISTIO_META_DNS_CAPTURE: "true" + {{- end }} + values: + gateways: + istio-egressgateway: + name: istio-egressgateway + type: {{ .Values.egressGateways.type }} + istio-ingressgateway: + name: istio-ingressgateway + type: {{ .Values.ingressGateways.type }} + global: + istioNamespace: {{ template "istio.namespace" . }} + proxy: + image: {{ template "system_default_registry" . 
}}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} + proxy_init: + image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }} + {{- if .Values.global.defaultPodDisruptionBudget.enabled }} + defaultPodDisruptionBudget: + enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }} + {{- end }} + logAsJson: {{ .Values.global.logAsJson }} + logging: + level: {{ .Values.global.logging.level }} + {{- if .Values.pilot.enabled }} + pilot: + image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }} + {{- end }} + telemetry: + enabled: {{ .Values.telemetry.enabled }} + v2: + enabled: {{ .Values.telemetry.v2.enabled }} + {{- if .Values.cni.enabled }} + cni: + image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }} + excludeNamespaces: + {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }} + logLevel: {{ .Values.cni.logLevel }} + {{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/requirements.yaml b/charts/rancher-istio/106.2.0+up1.24.1/requirements.yaml new file mode 100644 index 0000000000..a73e982184 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/requirements.yaml @@ -0,0 +1,9 @@ +dependencies: +- condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 2.1.0 +- condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.63.0 diff --git a/charts/rancher-istio/106.2.0+up1.24.1/samples/overlay-example.yaml b/charts/rancher-istio/106.2.0+up1.24.1/samples/overlay-example.yaml new file mode 100644 index 0000000000..5cf3cf3b0b --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/samples/overlay-example.yaml 
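Review bot: `revision: {{ .Values.revision }}` is wrapped in `{{- if .Values.tolerations }}`, so the IstioOperator revision is emitted only when tolerations happen to be set and silently dropped otherwise — this reads like a copy-paste of the surrounding tolerations blocks. The guard should test the value it emits: `{{- if .Values.revision }}`. Separately, `hub:` reads `.Values.systemDefaultRegistry` while every image line in the same file goes through the `system_default_registry` helper backed by `.Values.global.cattle.systemDefaultRegistry`; unless the parent values.yaml (not in this chunk) defines that top-level key, `hub` always falls back to `docker.io` and bypasses the configured registry mirror for any image istioctl resolves from it.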
@@ -0,0 +1,37 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - enabled: true + name: ilb-gateway + namespace: user-ingressgateway-ns + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal + - enabled: true + name: other-gateway + namespace: cattle-istio-system + k8s: + resources: + requests: + cpu: 200m + service: + ports: + - name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - name: tcp-dns + port: 5353 + serviceAnnotations: + cloud.google.com/load-balancer-type: internal diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/_helpers.tpl b/charts/rancher-istio/106.2.0+up1.24.1/templates/_helpers.tpl new file mode 100644 index 0000000000..30b429a800 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "istio.namespace" -}} + {{- .Release.Namespace | default "istio-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/admin-role.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/admin-role.yaml new file mode 100644 index 0000000000..ad1313c4f1 --- /dev/null 
+++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/admin-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: istio-admin + namespace: {{ template "istio.namespace" . }} +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/base-config-map.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/base-config-map.yaml new file mode 100644 index 0000000000..5323917bc3 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/base-config-map.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-base + namespace: {{ template "istio.namespace" . }} +data: +{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrole.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..31163f9325 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrole.yaml 
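Review bot: `metadata.namespace` on a ClusterRole is ignored (cluster-scoped kind), and the same field appears on `istio-edit` in a later hunk; dropping it avoids implying the grant is namespace-scoped, since what actually scopes it is the `aggregate-to-admin` aggregation being bound by per-namespace RoleBindings. The `config.istio.io` resources listed (`adapters`, `handlers`, `instances`, `templates`, …) are Mixer-era CRDs that current Istio releases no longer install, so that rule grants nothing on 1.24 and can go. Granting `'*'` on `envoyfilters` and `peerauthentications` to every namespace admin and editor lets them relax mesh mTLS and rewrite proxy configuration for their own namespace; if that is the intended policy, a short comment on the rule recording the decision would help future reviewers.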
@@ -0,0 +1,143 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-installer +rules: +# istio groups +- apiGroups: + - extensions.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - rbac.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - telemetry.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - ingresses + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/exec + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + verbs: + - 'get' + - 'list' + - 'watch' +{{- if and .Values.global.cattle.psp.enabled }} +- 
apiGroups: + - policy + resourceNames: + - istio-installer + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrolebinding.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..9d74a04345 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-installer +subjects: +- kind: ServiceAccount + name: istio-installer + namespace: {{ template "istio.namespace" . }} +roleRef: + kind: ClusterRole + name: istio-installer + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/edit-role.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/edit-role.yaml new file mode 100644 index 0000000000..d1059d58d7 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/edit-role.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-edit +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: + - '*' + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: + - '*' 
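Review bot: The `istio-installer` ClusterRole grants `'*'` on `clusterroles` and `clusterrolebindings` (a wildcard includes the `bind` and `escalate` verbs) and on `secrets`, `pods/exec` and `pods/portforward` cluster-wide, so the ServiceAccount used by the post-install Job is effectively cluster-admin; a compromise of the installer image or of the `istio-installer-base` ConfigMap it consumes therefore has cluster-wide impact. The `monitoring.coreos.com` rule shows the verbs can be enumerated; doing the same for the RBAC and core-group rules (presumably create/get/list/update/patch/delete, not `bind`/`escalate`) and dropping `pods/exec` and `pods/portforward` unless the install script uses them would confine the blast radius. At minimum a comment above the `rbac.authorization.k8s.io` rule should record why wildcard verbs are required. The rules list begins in the previous chunk line and only its PSP tail is in this one.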
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-cni-psp.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-cni-psp.yaml
new file mode 100644
index 0000000000..a71561e676
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-cni-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+ namespace: {{ template "istio.namespace" . }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-job.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-job.yaml
new file mode 100644
index 0000000000..c2e362e684
--- /dev/null
+++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-job.yaml
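Review bot: The `psp-istio-cni` policy permits `hostNetwork`, `hostPath` volumes, `allowPrivilegeEscalation: true` and `runAsUser: RunAsAny`, which is close to a privileged policy, and nothing in the file says why each relaxation is needed. The namespaced Role/RoleBinding confining `use` to the `istio-cni` ServiceAccount is the right shape, so the missing piece is a comment above `spec:` along the lines of `# Presumably required because the CNI installer writes the plugin onto each node (hostPath) and runs in the host network namespace; keep this policy bound only to the istio-cni ServiceAccount` — I cannot confirm the installer's exact needs from this chunk. As with the other PSP templates in this commit, `metadata.namespace` is ignored on this cluster-scoped kind.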
@@ -0,0 +1,66 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: istioctl-installer + namespace: {{ template "istio.namespace" . }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 1 + template: + spec: + {{- if .Values.installer.releaseMirror.enabled }} + hostAliases: + - ip: "127.0.0.1" + hostnames: + - "github.com" + {{- end }} + containers: + - name: istioctl-installer + image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }} + env: + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: ISTIO_NAMESPACE + value: {{ template "istio.namespace" . }} + - name: FORCE_INSTALL + value: {{ .Values.forceInstall | default "false" | quote }} + - name: RELEASE_MIRROR_ENABLED + value: {{ .Values.installer.releaseMirror.enabled | quote }} + - name: SECONDS_SLEEP + value: {{ .Values.installer.debug.secondsSleep | quote}} + command: ["/bin/sh","-c"] + args: ["/usr/local/app/scripts/run.sh"] + volumeMounts: + - name: config-volume + mountPath: /app/istio-base.yaml + subPath: istio-base.yaml + {{- if .Values.overlayFile }} + - name: overlay-volume + mountPath: /app/overlay-config.yaml + subPath: overlay-config.yaml + {{- end }} + volumes: + - name: config-volume + configMap: + name: istio-installer-base + {{- if .Values.overlayFile }} + - name: overlay-volume + configMap: + name: istio-installer-overlay + {{- end }} + serviceAccountName: istio-installer + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsUser: 499 + runAsGroup: 487 + restartPolicy: Never 
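Review bot: `value: {{ .Release.Name }}` and `value: {{ template "istio.namespace" . }}` in the env list are emitted unquoted, so a release name or namespace that YAML types as something other than a string (all digits, `true`, `1.10`, …) produces a non-string `value` and the API server rejects the Job; `value: {{ .Release.Name | quote }}` and the same for `ISTIO_NAMESPACE` would match the remaining env entries, which already use `quote`. The istio-uninstall-job.yaml hunk below has the identical two lines. The pod runs as 499:487 through the pod-level `securityContext` but sets no container-level restrictions, so the hook would not be admitted into a namespace enforcing the `restricted` Pod Security Standard even though istio-install-psp.yaml clearly expects a non-root, unprivileged workload; unless run.sh needs more than a plain istioctl invocation, the container can carry the baseline in the excerpt below. The `hostAliases` entry that maps github.com to 127.0.0.1 when `releaseMirror.enabled` is set is a non-obvious trick and deserves `# releaseMirror: resolve github.com to localhost so istioctl cannot fetch release assets externally and uses the bundled ones`.
```yaml
      containers:
        - name: istioctl-installer
          # … unchanged: image, env, command, args, volumeMounts …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```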
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-psp.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-psp.yaml new file mode 100644 index 0000000000..9da3391d40 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-install-psp.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-psp.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-psp.yaml new file mode 100644 index 0000000000..cfada1bf7f --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-psp.yaml 
@@ -0,0 +1,81 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-psp +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + - kind: ServiceAccount + name: istio-ingressgateway-service-account + - kind: ServiceAccount + name: istio-mixer-service-account + - kind: ServiceAccount + name: istio-operator-authproxy + - kind: ServiceAccount + name: istiod-service-account + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + - kind: ServiceAccount + name: istiocoredns-service-account + - kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - istio-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: istio-psp + namespace: {{ template "istio.namespace" . }} +spec: + allowPrivilegeEscalation: false + forbiddenSysctls: + - '*' + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-uninstall-job.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-uninstall-job.yaml new file mode 100644 index 0000000000..0091d0c176 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/istio-uninstall-job.yaml 
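Review bot: The RoleBinding subject list in istio-psp.yaml names service accounts that, to my knowledge, no longer exist in a 1.24 control plane (`istio-mixer-service-account`, `istio-sidecar-injector-service-account`, `istiocoredns-service-account`, `istio-operator-authproxy`), alongside `default`, which extends the PSP to any pod in the namespace that does not set its own service account. Since the policy itself is the restrictive one (non-root, `requiredDropCapabilities: ALL`, no host namespaces), binding `default` is defensible, but the stale names should be pruned and the choice documented, e.g. `# default is bound so gateway or add-on pods without a dedicated service account still get a restricted policy`. The trailing `{{- end }}` closes the `psp.enabled` guard, whose reachability on the supported Kubernetes range is questioned in the istio-cni-psp.yaml note above.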
@@ -0,0 +1,53 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: istioctl-uninstaller + namespace: {{ template "istio.namespace" . }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + spec: + containers: + - name: istioctl-uninstaller + image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }} + env: + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: ISTIO_NAMESPACE + value: {{ template "istio.namespace" . }} + command: ["/bin/sh","-c"] + args: ["/usr/local/app/scripts/uninstall_istio_system.sh"] + volumeMounts: + - name: config-volume + mountPath: /app/istio-base.yaml + subPath: istio-base.yaml + {{- if .Values.overlayFile }} + - name: overlay-volume + mountPath: /app/overlay-config.yaml + subPath: overlay-config.yaml + {{ end }} + volumes: + - name: config-volume + configMap: + name: istio-installer-base + {{- if .Values.overlayFile }} + - name: overlay-volume + configMap: + name: istio-installer-overlay + {{ end }} + serviceAccountName: istio-installer + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsUser: 101 + runAsGroup: 101 + restartPolicy: OnFailure diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/overlay-config-map.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/overlay-config-map.yaml new file mode 100644 index 0000000000..287d26b2c3 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/overlay-config-map.yaml 
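Review bot: The uninstaller runs as `runAsUser: 101` / `runAsGroup: 101` while the installer in istio-install-job.yaml runs the very same image as 499/487; one of the two pairs is presumably not what the image's filesystem ownership expects, and a reader cannot tell which, so pick one and explain it, e.g. `# must match the uid/gid the rancher/istio-installer image is built for`. `restartPolicy: OnFailure` with no `backoffLimit` means a failing pre-delete hook is retried up to the Job default (6) before `helm uninstall` gives up, whereas the install job uses `Never` with `backoffLimit: 1`; aligning them keeps failure behaviour predictable. The two `{{ end }}` tags here lack the `-` trim used in the install job, which only leaves blank lines in the rendered manifest but is worth fixing for consistency. The unquoted `RELEASE_NAME` and `ISTIO_NAMESPACE` values have the same typing issue raised on the install job hunk.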
@@ -0,0 +1,9 @@ +{{- if .Values.overlayFile }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-installer-overlay + namespace: {{ template "istio.namespace" . }} +data: + overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }} +{{- end }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/service-monitors.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/service-monitors.yaml new file mode 100644 index 0000000000..c3d60c4fce --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/service-monitors.yaml @@ -0,0 +1,51 @@ +{{- if .Values.kiali.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: envoy-stats-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-proxies +spec: + selector: + matchExpressions: + - {key: istio-prometheus-ignore, operator: DoesNotExist} + namespaceSelector: + any: true + jobLabel: envoy-stats + endpoints: + - path: /stats/prometheus + targetPort: 15090 + interval: 15s + relabelings: + - sourceLabels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - action: labeldrop + regex: "__meta_kubernetes_pod_label_(.+)" + - sourceLabels: [__meta_kubernetes_namespace] + action: replace + targetLabel: namespace + - sourceLabels: [__meta_kubernetes_pod_name] + action: replace + targetLabel: pod_name +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: istio-component-monitor + namespace: {{ template "istio.namespace" . }} + labels: + monitoring: istio-components +spec: + jobLabel: istio + targetLabels: [app] + selector: + matchExpressions: + - {key: istio, operator: In, values: [pilot]} + namespaceSelector: + any: true + endpoints: + - port: http-monitoring + interval: 15s +{{- end -}} 
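Review bot: The two ServiceMonitors in service-monitors.yaml are gated only on `kiali.enabled`, yet they are `monitoring.coreos.com/v1` objects, so on a cluster without the Prometheus Operator CRDs the release fails on an unknown kind whenever Kiali is enabled (the 1.19 README being removed later in this series lists rancher-monitoring as a prerequisite for exactly this reason). A capability check makes the dependency explicit and turns the failure into a skipped monitor: `{{- if and .Values.kiali.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}`, with the caveat that this evaluates false under plain `helm template` unless `--api-versions` is passed. `namespaceSelector: any: true` combined with the `istio-prometheus-ignore` `DoesNotExist` match means every sidecar-injected pod in every namespace is scraped by the first monitor; stating that intent with `# cluster-wide: scrapes every Envoy sidecar unless the pod carries the istio-prometheus-ignore label` would help operators who expect a namespaced scope.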
diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/serviceaccount.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..82b6cbb7e6 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-installer + namespace: {{ template "istio.namespace" . }} diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/validate-psp-install.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..4b0e5cfb65 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} \ No newline at end of file diff --git a/charts/rancher-istio/106.2.0+up1.24.1/templates/view-role.yaml b/charts/rancher-istio/106.2.0+up1.24.1/templates/view-role.yaml new file mode 100644 index 0000000000..5947d3eba9 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/templates/view-role.yaml 
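Review bot: validate-psp-install.yaml carries no comment explaining its shape, and it is easy to misread: the leading `#` on every line does not disable the template, because Helm evaluates `{{ }}` actions before the result is parsed as YAML, so the `fail` still fires; the prefix only guarantees that whatever text survives rendering is a YAML comment, and the outer `lookup` condition limits the check to a live cluster (lookup returns an empty result under `helm template`). A header such as `# Evaluated by Helm even though every line is a YAML comment; aborts the release when PSPs are requested on a cluster lacking the policy/v1beta1 API (skipped under helm template, where lookup is empty)` would spare the next reader the puzzle. The file also lacks a trailing newline (`\ No newline at end of file`).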
@@ -0,0 +1,41 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + namespace: {{ template "istio.namespace" . }} + name: istio-view +rules: + - apiGroups: + - config.istio.io + resources: + - adapters + - attributemanifests + - handlers + - httpapispecbindings + - httpapispecs + - instances + - quotaspecbindings + - quotaspecs + - rules + - templates + verbs: ["get", "watch", "list"] + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + - workloadentries + verbs: ["get", "watch", "list"] + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + - peerauthentications + - requestauthentications + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-istio/106.2.0+up1.24.1/values.yaml b/charts/rancher-istio/106.2.0+up1.24.1/values.yaml new file mode 100644 index 0000000000..997cb20bb2 --- /dev/null +++ b/charts/rancher-istio/106.2.0+up1.24.1/values.yaml 
@@ -0,0 +1,128 @@ +overlayFile: "" +tag: 1.24.1 +##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install +forceInstall: false + +installer: + repository: rancher/istio-installer + tag: 1.24.1-rancher1 + ##releaseMirror are configurations for istio upgrades. + ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal + ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. + releaseMirror: + enabled: false + + ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging + debug: + secondsSleep: 0 + +##Native support for dns added in 1.8 +dns: + enabled: false + +base: + enabled: true + +cni: + enabled: false + repository: rancher/mirrored-istio-install-cni +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + logLevel: info + excludeNamespaces: + - istio-system + - kube-system + +egressGateways: + enabled: false + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +ingressGateways: + enabled: true + type: NodePort + hpaSpec: {} + podDisruptionBudget: {} + +istiodRemote: + enabled: false + +pilot: + enabled: true + repository: rancher/mirrored-istio-pilot +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + hpaSpec: {} + podDisruptionBudget: {} + +telemetry: + enabled: true + v2: + enabled: true + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + proxy: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the 
following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + proxy_init: + repository: rancher/mirrored-istio-proxyv2 +# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting +# the distroless tag: +# tag: 1.24.1 + tag: 1.24.1-distroless + defaultPodDisruptionBudget: + enabled: true +# To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false +# Comma-separated minimum per-scope logging level of messages to output, in the form of :,: +# The control plane has different scopes depending on component, but can configure default log level across all components +# If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + +# Kiali subchart from rancher-kiali-server +kiali: + enabled: true + # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ + auth: + strategy: token + server: + web_root: / + deployment: + ingress_enabled: false + external_services: + prometheus: + custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" + tracing: + in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" + use_grpc: false + grafana: + in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" + +tracing: + enabled: false + contextPath: "/jaeger" + zipkinAddress: zipkin.istio-system.svc:9411 + + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] diff --git a/index.yaml b/index.yaml index 5177da7b4d..55a86861f1 100755 
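Review bot: The `installer.releaseMirror` comment in the second stanza of values.yaml describes the effect ("bundled in images … ideal for airgap setups") but not the mechanism, which is surprising enough to state: when enabled, the install job maps `github.com` to `127.0.0.1` via `hostAliases`, so every outbound GitHub access from that pod is blocked, not just istioctl's asset fetch; a line such as `## When enabled, the install job resolves github.com to 127.0.0.1 so istioctl can only use the assets bundled in the installer image` makes that visible. The same comment has two typos (`perfom`, `bundled in images`). The `kiali.external_services.*` URLs are hard-wired to `cattle-monitoring-system` service names and `istio-system`; a comment noting that they assume rancher-monitoring defaults and must be changed for any other Prometheus, Grafana or tracing endpoint would help users who run a different stack.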
--- a/index.yaml +++ b/index.yaml @@ -14172,6 +14172,43 @@ entries: - assets/rancher-gke-operator-crd/rancher-gke-operator-crd-101.0.0+up1.1.5.tgz version: 101.0.0+up1.1.5 rancher-istio: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Istio + catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: istio-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0' + catalog.cattle.io/release-name: rancher-istio + catalog.cattle.io/requests-cpu: 710m + catalog.cattle.io/requests-memory: 2314Mi + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: istio + catalog.cattle.io/upstream-version: 1.23.2 + apiVersion: v1 + appVersion: 1.23.2 + created: "2025-02-24T20:32:53.154458-03:00" + dependencies: + - condition: kiali.enabled + name: kiali + repository: file://./charts/kiali + version: 2.1.0 + - condition: tracing.enabled + name: tracing + repository: file://./charts/tracing + version: 1.63.0 + description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ + for details. + digest: 2ff328f2c68b0039311544f7d6c69ddee55bbd12632f557f46e10c09d5346bdd + icon: https://charts.rancher.io/assets/logos/istio.svg + keywords: + - networking + - infrastructure + name: rancher-istio + urls: + - assets/rancher-istio/rancher-istio-106.2.0+up1.24.1.tgz + version: 106.2.0+up1.24.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Istio From 3ecdb3a6bc8ba9c8637c5f045ee0288d22c9d307 Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Mon, 24 Feb 2025 20:33:50 -0300 Subject: [PATCH 07/10] remove istio 1.19 package --- .../1.19/rancher-istio/charts/Chart.yaml | 24 ---- .../1.19/rancher-istio/charts/README.md | 79 ---------- .../1.19/rancher-istio/charts/app-readme.md | 65 --------- .../charts/configs/istio-base.yaml | 135 ------------------ .../rancher-istio/charts/requirements.yaml | 9 -- .../charts/samples/overlay-example.yaml | 37 ----- .../charts/templates/_helpers.tpl | 27 ---- .../charts/templates/admin-role.yaml | 43 ------ .../charts/templates/base-config-map.yaml | 7 - .../charts/templates/clusterrole.yaml | 135 ------------------ .../charts/templates/clusterrolebinding.yaml | 12 -- .../charts/templates/edit-role.yaml | 43 ------ .../charts/templates/istio-cni-psp.yaml | 51 ------- .../charts/templates/istio-install-job.yaml | 66 --------- .../charts/templates/istio-install-psp.yaml | 30 ---- .../charts/templates/istio-psp.yaml | 81 ----------- .../charts/templates/istio-uninstall-job.yaml | 53 ------- .../charts/templates/overlay-config-map.yaml | 9 -- .../charts/templates/service-monitors.yaml | 51 ------- .../charts/templates/serviceaccount.yaml | 5 - .../templates/validate-psp-install.yaml | 7 - .../charts/templates/view-role.yaml | 41 ------ .../1.19/rancher-istio/charts/values.yaml | 119 --------------- .../dependencies/kiali/dependency.yaml | 2 - .../dependencies/tracing/dependency.yaml | 2 - .../1.19/rancher-istio/package.yaml | 2 - .../overlay/templates/psp.yaml | 67 --------- .../templates/validate-psp-install.yaml | 7 - .../overlay/templates/web-root-configmap.yaml | 12 -- .../generated-changes/patch/Chart.yaml.patch | 31 ---- .../patch/templates/_helpers.tpl.patch | 49 ------- .../patch/templates/deployment.yaml.patch | 69 --------- .../generated-changes/patch/values.yaml.patch | 39 ----- .../1.19/rancher-kiali-server/package.yaml | 3 - .../1.19/rancher-tracing/charts/.helmignore | 23 --- .../1.19/rancher-tracing/charts/Chart.yaml | 12 -- 
.../1.19/rancher-tracing/charts/README.md | 5 - .../charts/templates/_affinity.tpl | 92 ------------ .../charts/templates/_helpers.tpl | 47 ------ .../charts/templates/deployment.yaml | 94 ------------ .../rancher-tracing/charts/templates/psp.yaml | 76 ---------- .../rancher-tracing/charts/templates/pvc.yaml | 16 --- .../charts/templates/service.yaml | 63 -------- .../charts/templates/serviceaccount.yaml | 9 -- .../templates/validate-psp-install.yaml | 7 - .../1.19/rancher-tracing/charts/values.yaml | 53 ------- .../1.19/rancher-tracing/package.yaml | 3 - 47 files changed, 1912 deletions(-) delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/Chart.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/README.md delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/app-readme.md delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/configs/istio-base.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/requirements.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/samples/overlay-example.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/_helpers.tpl delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/admin-role.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/base-config-map.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrole.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrolebinding.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/edit-role.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-cni-psp.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-job.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-psp.yaml delete mode 
100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-psp.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-uninstall-job.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/overlay-config-map.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/service-monitors.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/serviceaccount.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/templates/view-role.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/charts/values.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-istio/package.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/values.yaml.patch delete mode 100644 packages/rancher-istio/1.19/rancher-kiali-server/package.yaml delete mode 100644 
packages/rancher-istio/1.19/rancher-tracing/charts/.helmignore delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/Chart.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/README.md delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/_affinity.tpl delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/_helpers.tpl delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/deployment.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/psp.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/pvc.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/service.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/serviceaccount.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/charts/values.yaml delete mode 100644 packages/rancher-istio/1.19/rancher-tracing/package.yaml diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/Chart.yaml deleted file mode 100644 index 932c5e2a93..0000000000 --- a/packages/rancher-istio/1.19/rancher-istio/charts/Chart.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: Istio - catalog.cattle.io/kube-version: '>= 1.25.0-0 < 1.29.0-0' - catalog.cattle.io/namespace: istio-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' - catalog.cattle.io/release-name: rancher-istio - catalog.cattle.io/requests-cpu: 710m - catalog.cattle.io/requests-memory: 2314Mi - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: istio - catalog.cattle.io/upstream-version: 1.19.6 -apiVersion: v1 -appVersion: 1.19.6 -description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ - for details. -icon: https://charts.rancher.io/assets/logos/istio.svg -keywords: -- networking -- infrastructure -name: rancher-istio -version: 1.19.6 diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/README.md b/packages/rancher-istio/1.19/rancher-istio/charts/README.md deleted file mode 100644 index 2230c61859..0000000000 --- a/packages/rancher-istio/1.19/rancher-istio/charts/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Rancher-Istio Chart - -Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. - -See the app-readme for known issues and deprecations. - -## Installation Requirements - -#### Chart Dependencies -- rancher-monitoring chart or other Prometheus installation - -#### Install -To install the rancher-istio chart with helm, use the following command: -``` -helm install rancher-istio --create-namespace -n istio-system -``` - -#### Uninstall -To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. - -**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** -`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` - -## Addons -The addons that are included with rancher-istio are: - -- Kiali -- Jaeger - -Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. -### Kiali Addon - -Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. - -#### Kiali Dependencies -##### rancher-monitoring chart or other Prometheus installation - -This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. 
- -#### Prometheus Configuration for Kiali -> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. - -The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. - -To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. - -1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. -1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. - -#### Kiali External Services - -The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. - -##### Prometheus -The `kiali.external_services.prometheus` url is set in the values.yaml: -``` -http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} -``` -The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. - -##### Grafana -The `kiali.external_services.grafana` url is set in the values.yaml: -``` -http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} -``` -The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. 
- -##### Tracing -The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: -``` -http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} -``` -The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. - -## Jaeger Addon - -Jaeger allows you to trace and monitor distributed microservices. - -> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/app-readme.md b/packages/rancher-istio/1.19/rancher-istio/charts/app-readme.md deleted file mode 100644 index 92a0952e2f..0000000000 --- a/packages/rancher-istio/1.19/rancher-istio/charts/app-readme.md +++ /dev/null 
@@ -1,65 +0,0 @@
-# Rancher Istio
-
-Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes:
-* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh
-* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead.
-
-For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/).
-
-## Upgrading to Kubernetes v1.25+
-
-Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
-
-As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
-
-> **Note:**
-> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
-
-> **Note:**
-> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
->
-> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
-
-Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
-
-As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
-
-## Warnings
-- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details.
-
-## Known Issues
-
-#### Airgapped Environments
-**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402)
-
-#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster.
-To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster.
-`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni`
-See [this issue](https://github.com/rancher/rancher/issues/33291) for details.
-
-## Installing istio with distroless-images.
-Istio `104.1.0+up1.19.6` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file.
-
-## Deprecations
-
-#### v1alpha1 security policies
-As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/
-
-If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version.
-
-> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to:
-```
-Error: found 6 CRD of unsupported v1alpha1 security policy
-```
-```
- Error: found 1 unsupported v1alpha1 security policy
- ```
- ```
- Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x
- ```
- Continue with the migration steps below before retrying the upgrade process.
-
-#### Migrating Resources:
-Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post").
-
-You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps.
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/configs/istio-base.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/configs/istio-base.yaml
deleted file mode 100644
index 9d99112e36..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/configs/istio-base.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: {{ .Values.base.enabled }}
- cni:
- enabled: {{ .Values.cni.enabled }}
- k8s:
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- egressGateways:
- - enabled: {{ .Values.egressGateways.enabled }}
- name: istio-egressgateway
- k8s:
- {{- if .Values.egressGateways.hpaSpec }}
- hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }}
- {{- end }}
- {{- if .Values.egressGateways.podDisruptionBudget }}
- podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }}
- {{- end }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- ingressGateways:
- - enabled: {{ .Values.ingressGateways.enabled }}
- name: istio-ingressgateway
- k8s:
- {{- if .Values.ingressGateways.hpaSpec }}
- hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }}
- {{- end }}
- {{- if .Values.ingressGateways.podDisruptionBudget }}
- podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }}
- {{- end }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- service:
- ports:
- - name: status-port
- port: 15021
- targetPort: 15021
- - name: http2
- port: 80
- targetPort: 8080
- nodePort: 31380
- - name: https
- port: 443
- targetPort: 8443
- nodePort: 31390
- - name: tcp
- port: 31400
- targetPort: 31400
- nodePort: 31400
- - name: tls
- port: 15443
- targetPort: 15443
- istiodRemote:
- enabled: {{ .Values.istiodRemote.enabled }}
- pilot:
- enabled: {{ .Values.pilot.enabled }}
- k8s:
- {{- if .Values.pilot.hpaSpec }}
- hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }}
- {{- end }}
- {{- if .Values.pilot.podDisruptionBudget }}
- podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }}
- {{- end }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}
- profile: default
- tag: {{ .Values.tag }}
- revision: {{ .Values.revision }}
- meshConfig:
- defaultConfig:
- proxyMetadata:
- {{- if .Values.dns.enabled }}
- ISTIO_META_DNS_CAPTURE: "true"
- {{- end }}
- values:
- gateways:
- istio-egressgateway:
- name: istio-egressgateway
- type: {{ .Values.egressGateways.type }}
- istio-ingressgateway:
- name: istio-ingressgateway
- type: {{ .Values.ingressGateways.type }}
- global:
- istioNamespace: {{ template "istio.namespace" . }}
- proxy:
- image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
- proxy_init:
- image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}
- {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
- defaultPodDisruptionBudget:
- enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }}
- {{- end }}
- {{- if .Values.pilot.enabled }}
- pilot:
- image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }}
- {{- end }}
- telemetry:
- enabled: {{ .Values.telemetry.enabled }}
- v2:
- enabled: {{ .Values.telemetry.v2.enabled }}
- {{- if .Values.cni.enabled }}
- cni:
- image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }}
- excludeNamespaces:
- {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }}
- logLevel: {{ .Values.cni.logLevel }}
- {{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/requirements.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/requirements.yaml
deleted file mode 100644
index a2cf512739..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/requirements.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-dependencies:
-- condition: kiali.enabled
- name: kiali
- repository: file://./charts/kiali
- version: 1.75.0
-- condition: tracing.enabled
- name: tracing
- repository: file://./charts/tracing
- version: 1.52.0
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/samples/overlay-example.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/samples/overlay-example.yaml
deleted file mode 100644
index 5cf3cf3b0b..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/samples/overlay-example.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- ingressGateways:
- - enabled: true
- name: ilb-gateway
- namespace: user-ingressgateway-ns
- k8s:
- resources:
- requests:
- cpu: 200m
- service:
- ports:
- - name: tcp-citadel-grpc-tls
- port: 8060
- targetPort: 8060
- - name: tcp-dns
- port: 5353
- serviceAnnotations:
- cloud.google.com/load-balancer-type: internal
- - enabled: true
- name: other-gateway
- namespace: cattle-istio-system
- k8s:
- resources:
- requests:
- cpu: 200m
- service:
- ports:
- - name: tcp-citadel-grpc-tls
- port: 8060
- targetPort: 8060
- - name: tcp-dns
- port: 5353
- serviceAnnotations:
- cloud.google.com/load-balancer-type: internal
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/_helpers.tpl b/packages/rancher-istio/1.19/rancher-istio/charts/templates/_helpers.tpl
deleted file mode 100644
index 30b429a800..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/_helpers.tpl
+++ /dev/null
@@ -1,27 +0,0 @@
-{{/* Ensure namespace is set the same everywhere */}}
-{{- define "istio.namespace" -}}
- {{- .Release.Namespace | default "istio-system" -}}
-{{- end -}}
-
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- else -}}
-{{- "" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Windows cluster will add default taint for linux nodes,
-add below linux tolerations to workloads could be scheduled to those linux nodes
-*/}}
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/admin-role.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/admin-role.yaml
deleted file mode 100644
index ad1313c4f1..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/admin-role.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- name: istio-admin
- namespace: {{ template "istio.namespace" . }}
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs:
- - '*'
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs:
- - '*'
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/base-config-map.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/base-config-map.yaml
deleted file mode 100644
index 5323917bc3..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/base-config-map.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-installer-base
- namespace: {{ template "istio.namespace" . }}
-data:
-{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrole.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrole.yaml
deleted file mode 100644
index f8f229987d..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrole.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-installer
-rules:
-# istio groups
-- apiGroups:
- - extensions.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - authentication.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - config.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - install.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - networking.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - rbac.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - security.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - telemetry.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-# k8s groups
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - '*'
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions.apiextensions.k8s.io
- - customresourcedefinitions
- verbs:
- - '*'
-- apiGroups:
- - apps
- - extensions
- resources:
- - daemonsets
- - deployments
- - deployments/finalizers
- - ingresses
- - replicasets
- - statefulsets
- verbs:
- - '*'
-- apiGroups:
- - autoscaling
- resources:
- - horizontalpodautoscalers
- verbs:
- - '*'
-- apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- verbs:
- - get
- - create
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - '*'
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - roles
- - rolebindings
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - events
- - namespaces
- - pods
- - pods/exec
- - pods/portforward
- - persistentvolumeclaims
- - secrets
- - services
- - serviceaccounts
- verbs:
- - '*'
-{{- if and .Values.global.cattle.psp.enabled }}
-- apiGroups:
- - policy
- resourceNames:
- - istio-installer
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrolebinding.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrolebinding.yaml
deleted file mode 100644
index 9d74a04345..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: istio-installer
-subjects:
-- kind: ServiceAccount
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- kind: ClusterRole
- name: istio-installer
- apiGroup: rbac.authorization.k8s.io
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/edit-role.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/edit-role.yaml
deleted file mode 100644
index d1059d58d7..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/edit-role.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- namespace: {{ template "istio.namespace" . }}
- name: istio-edit
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs:
- - '*'
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs:
- - '*'
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-cni-psp.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-cni-psp.yaml
deleted file mode 100644
index a71561e676..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-cni-psp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: psp-istio-cni
- namespace: {{ template "istio.namespace" . }}
-spec:
- allowPrivilegeEscalation: true
- fsGroup:
- rule: RunAsAny
- hostNetwork: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - secret
- - configMap
- - emptyDir
- - hostPath
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: psp-istio-cni
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: psp-istio-cni
-subjects:
- - kind: ServiceAccount
- name: istio-cni
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: psp-istio-cni
- namespace: {{ template "istio.namespace" . }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - psp-istio-cni
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-job.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-job.yaml
deleted file mode 100644
index c2e362e684..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-job.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istioctl-installer
- namespace: {{ template "istio.namespace" . }}
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- backoffLimit: 1
- template:
- spec:
- {{- if .Values.installer.releaseMirror.enabled }}
- hostAliases:
- - ip: "127.0.0.1"
- hostnames:
- - "github.com"
- {{- end }}
- containers:
- - name: istioctl-installer
- image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
- env:
- - name: RELEASE_NAME
- value: {{ .Release.Name }}
- - name: ISTIO_NAMESPACE
- value: {{ template "istio.namespace" . }}
- - name: FORCE_INSTALL
- value: {{ .Values.forceInstall | default "false" | quote }}
- - name: RELEASE_MIRROR_ENABLED
- value: {{ .Values.installer.releaseMirror.enabled | quote }}
- - name: SECONDS_SLEEP
- value: {{ .Values.installer.debug.secondsSleep | quote}}
- command: ["/bin/sh","-c"]
- args: ["/usr/local/app/scripts/run.sh"]
- volumeMounts:
- - name: config-volume
- mountPath: /app/istio-base.yaml
- subPath: istio-base.yaml
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- mountPath: /app/overlay-config.yaml
- subPath: overlay-config.yaml
- {{- end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio-installer-base
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- configMap:
- name: istio-installer-overlay
- {{- end }}
- serviceAccountName: istio-installer
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsUser: 499
- runAsGroup: 487
- restartPolicy: Never
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-psp.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-psp.yaml
deleted file mode 100644
index 9da3391d40..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-install-psp.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
-spec:
- privileged: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- volumes:
- - 'configMap'
- - 'secret'
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-psp.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-psp.yaml
deleted file mode 100644
index cfada1bf7f..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-psp.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istio-psp
-subjects:
- - kind: ServiceAccount
- name: istio-egressgateway-service-account
- - kind: ServiceAccount
- name: istio-ingressgateway-service-account
- - kind: ServiceAccount
- name: istio-mixer-service-account
- - kind: ServiceAccount
- name: istio-operator-authproxy
- - kind: ServiceAccount
- name: istiod-service-account
- - kind: ServiceAccount
- name: istio-sidecar-injector-service-account
- - kind: ServiceAccount
- name: istiocoredns-service-account
- - kind: ServiceAccount
- name: default
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - istio-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-uninstall-job.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-uninstall-job.yaml
deleted file mode 100644
index 0091d0c176..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/istio-uninstall-job.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istioctl-uninstaller
- namespace: {{ template "istio.namespace" . }}
- annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded
-spec:
- template:
- spec:
- containers:
- - name: istioctl-uninstaller
- image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
- env:
- - name: RELEASE_NAME
- value: {{ .Release.Name }}
- - name: ISTIO_NAMESPACE
- value: {{ template "istio.namespace" . }}
- command: ["/bin/sh","-c"]
- args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
- volumeMounts:
- - name: config-volume
- mountPath: /app/istio-base.yaml
- subPath: istio-base.yaml
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- mountPath: /app/overlay-config.yaml
- subPath: overlay-config.yaml
- {{ end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio-installer-base
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- configMap:
- name: istio-installer-overlay
- {{ end }}
- serviceAccountName: istio-installer
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsUser: 101
- runAsGroup: 101
- restartPolicy: OnFailure
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/overlay-config-map.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/overlay-config-map.yaml
deleted file mode 100644
index 287d26b2c3..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/overlay-config-map.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.overlayFile }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-installer-overlay
- namespace: {{ template "istio.namespace" . }}
-data:
- overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/service-monitors.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/service-monitors.yaml
deleted file mode 100644
index c3d60c4fce..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/service-monitors.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.kiali.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: envoy-stats-monitor
- namespace: {{ template "istio.namespace" . }}
- labels:
- monitoring: istio-proxies
-spec:
- selector:
- matchExpressions:
- - {key: istio-prometheus-ignore, operator: DoesNotExist}
- namespaceSelector:
- any: true
- jobLabel: envoy-stats
- endpoints:
- - path: /stats/prometheus
- targetPort: 15090
- interval: 15s
- relabelings:
- - sourceLabels: [__meta_kubernetes_pod_container_port_name]
- action: keep
- regex: '.*-envoy-prom'
- - action: labeldrop
- regex: "__meta_kubernetes_pod_label_(.+)"
- - sourceLabels: [__meta_kubernetes_namespace]
- action: replace
- targetLabel: namespace
- - sourceLabels: [__meta_kubernetes_pod_name]
- action: replace
- targetLabel: pod_name
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: istio-component-monitor
- namespace: {{ template "istio.namespace" . }}
- labels:
- monitoring: istio-components
-spec:
- jobLabel: istio
- targetLabels: [app]
- selector:
- matchExpressions:
- - {key: istio, operator: In, values: [pilot]}
- namespaceSelector:
- any: true
- endpoints:
- - port: http-monitoring
- interval: 15s
-{{- end -}}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/serviceaccount.yaml
deleted file mode 100644
index 82b6cbb7e6..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/validate-psp-install.yaml
deleted file mode 100644
index 4b0e5cfb65..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/templates/view-role.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/templates/view-role.yaml
deleted file mode 100644
index 5947d3eba9..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/templates/view-role.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- namespace: {{ template "istio.namespace" . }}
- name: istio-view
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs: ["get", "watch", "list"]
diff --git a/packages/rancher-istio/1.19/rancher-istio/charts/values.yaml b/packages/rancher-istio/1.19/rancher-istio/charts/values.yaml
deleted file mode 100644
index 9694223e4e..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/charts/values.yaml
+++ /dev/null
@@ -1,119 +0,0 @@ -overlayFile: "" -tag: 1.19.6 -##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install -forceInstall: false - -installer: - repository: rancher/istio-installer - tag: 1.19.6-rancher1 - ##releaseMirror are configurations for istio upgrades. - ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal - ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets. - releaseMirror: - enabled: false - - ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging - debug: - secondsSleep: 0 - -##Native support for dns added in 1.8 -dns: - enabled: false - -base: - enabled: true - -cni: - enabled: false - repository: rancher/mirrored-istio-install-cni -# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting -# the distroless tag: -# tag: 1.19.6 - tag: 1.19.6-distroless - logLevel: info - excludeNamespaces: - - istio-system - - kube-system - -egressGateways: - enabled: false - type: NodePort - hpaSpec: {} - podDisruptionBudget: {} - -ingressGateways: - enabled: true - type: NodePort - hpaSpec: {} - podDisruptionBudget: {} - -istiodRemote: - enabled: false - -pilot: - enabled: true - repository: rancher/mirrored-istio-pilot -# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting -# the distroless tag: -# tag: 1.19.6 - tag: 1.19.6-distroless - hpaSpec: {} - podDisruptionBudget: {} - -telemetry: - enabled: true - v2: - enabled: true - -global: - cattle: - systemDefaultRegistry: "" - psp: - enabled: false - proxy: - repository: rancher/mirrored-istio-proxyv2 -# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the 
following tag and deleting -# the distroless tag: -# tag: 1.19.6 - tag: 1.19.6-distroless - proxy_init: - repository: rancher/mirrored-istio-proxyv2 -# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting -# the distroless tag: -# tag: 1.19.6 - tag: 1.19.6-distroless - defaultPodDisruptionBudget: - enabled: true - -# Kiali subchart from rancher-kiali-server -kiali: - enabled: true - # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/ - auth: - strategy: token - server: - web_root: / - deployment: - ingress_enabled: false - external_services: - prometheus: - custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" - url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090" - tracing: - in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger" - use_grpc: false - grafana: - in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" - url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80" - -tracing: - enabled: false - contextPath: "/jaeger" - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -## List of node taints to tolerate (requires Kubernetes >= 1.6) -tolerations: [] diff --git a/packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml b/packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml deleted file mode 100644 index d03d38966f..0000000000 --- a/packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml +++ /dev/null @@ -1,2 +0,0 @@ -workingDir: "" -url: packages/rancher-istio/1.19/rancher-kiali-server 
diff --git a/packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml b/packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
deleted file mode 100644
index d3eec34317..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-workingDir: ""
-url: packages/rancher-istio/1.19/rancher-tracing
diff --git a/packages/rancher-istio/1.19/rancher-istio/package.yaml b/packages/rancher-istio/1.19/rancher-istio/package.yaml
deleted file mode 100644
index 1bc83cd34d..0000000000
--- a/packages/rancher-istio/1.19/rancher-istio/package.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-url: local
-version: 105.0.0+up1.19.6
diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
deleted file mode 100644
index e31d706d4b..0000000000
--- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "kiali-server.fullname" . }}-psp
-subjects:
- - kind: ServiceAccount
- name: kiali
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - {{ include "kiali-server.fullname" . }}-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b7..0000000000
--- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
deleted file mode 100644
index 970d4e4f5d..0000000000
--- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.web_root_override }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kiali-console
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kiali-server.labels" . | nindent 4 }}
-data:
- env.js: |
- window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
deleted file mode 100644
index 2c841da3a7..0000000000
--- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
+++ /dev/null
@@ -1,31 +0,0 @@ ---- charts-original/Chart.yaml -+++ charts/Chart.yaml -@@ -1,17 +1,26 @@ -+annotations: -+ catalog.cattle.io/hidden: "true" -+ catalog.cattle.io/os: linux -+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1 -+ catalog.rancher.io/namespace: cattle-istio-system -+ catalog.rancher.io/release-name: rancher-kiali-server - apiVersion: v2 - appVersion: v1.75.0 - description: Kiali is an open source project for service mesh observability, refer -- to https://www.kiali.io for details. -+ to https://www.kiali.io for details. This is installed as sub-chart with customized -+ values in Rancher's Istio. - home: https://github.com/kiali/kiali - icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg - keywords: - - istio - - kiali -+- networking -+- infrastructure - maintainers: - - email: kiali-users@googlegroups.com - name: Kiali - url: https://kiali.io --name: kiali-server -+name: rancher-kiali-server - sources: - - https://github.com/kiali/kiali - - https://github.com/kiali/kiali-operator diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch deleted file mode 100644 index cd8d4397cc..0000000000 --- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch +++ /dev/null 
@@ -1,49 +0,0 @@ ---- charts-original/templates/_helpers.tpl -+++ charts/templates/_helpers.tpl -@@ -50,8 +50,15 @@ - Selector labels - */}} - {{- define "kiali-server.selectorLabels" -}} -+{{- $releaseName := .Release.Name -}} -+{{- $fullName := include "kiali-server.fullname" . -}} -+{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} - app.kubernetes.io/name: kiali --app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }} -+{{- if (and .Release.IsUpgrade $deployment)}} -+app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} -+{{- else }} -+app.kubernetes.io/instance: {{ $fullName }} -+{{- end }} - {{- end }} - - {{/* -@@ -172,6 +179,29 @@ - {{- end }} - {{- end }} - -+{{- define "system_default_registry" -}} -+{{- if .Values.global.cattle.systemDefaultRegistry -}} -+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -+{{- else -}} -+{{- "" -}} -+{{- end -}} -+{{- end -}} -+ -+{{/* -+Windows cluster will add default taint for linux nodes, -+add below linux tolerations to workloads could be scheduled to those linux nodes -+*/}} -+{{- define "linux-node-tolerations" -}} -+- key: "cattle.io/os" -+ value: "linux" -+ effect: "NoSchedule" -+ operator: "Equal" -+{{- end -}} -+ -+{{- define "linux-node-selector" -}} -+kubernetes.io/os: linux -+{{- end -}} -+ - {{/* - Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. - Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch deleted file mode 100644 index 1a787d4bce..0000000000 
--- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch +++ /dev/null 
@@ -1,69 +0,0 @@ ---- charts-original/templates/deployment.yaml -+++ charts/templates/deployment.yaml -@@ -6,6 +6,9 @@ - namespace: {{ .Release.Namespace }} - labels: - {{- include "kiali-server.labels" . | nindent 4 }} -+ annotations: -+ "helm.sh/hook": post-install, post-upgrade -+ "helm.sh/hook-weight": "-4" - spec: - replicas: {{ .Values.deployment.replicas }} - selector: -@@ -53,7 +56,7 @@ - {{- toYaml .Values.deployment.host_aliases | nindent 6 }} - {{- end }} - containers: -- - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}" -+ - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" - imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} - name: {{ include "kiali-server.fullname" . }} - command: -@@ -115,6 +118,11 @@ - - name: LOG_SAMPLER_RATE - value: "{{ .Values.deployment.logger.sampler_rate }}" - volumeMounts: -+ {{- if .Values.web_root_override }} -+ - name: kiali-console -+ subPath: env.js -+ mountPath: /opt/kiali/console/env.js -+ {{- end }} - - name: {{ include "kiali-server.fullname" . }}-configuration - mountPath: "/kiali-configuration" - - name: {{ include "kiali-server.fullname" . }}-cert -@@ -140,6 +148,14 @@ - {{- toYaml .Values.deployment.resources | nindent 10 }} - {{- end }} - volumes: -+ {{- if .Values.web_root_override }} -+ - name: kiali-console -+ configMap: -+ name: kiali-console -+ items: -+ - key: env.js -+ path: env.js -+ {{- end }} - - name: {{ include "kiali-server.fullname" . }}-configuration - configMap: - name: {{ include "kiali-server.fullname" . 
}} -@@ -194,12 +210,12 @@ - {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} - {{- end }} - {{- end }} -- {{- if .Values.deployment.tolerations }} -- tolerations: -- {{- toYaml .Values.deployment.tolerations | nindent 8 }} -- {{- end }} -- {{- if .Values.deployment.node_selector }} -- nodeSelector: -- {{- toYaml .Values.deployment.node_selector | nindent 8 }} -- {{- end }} -+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -+{{- if .Values.deployment.tolerations }} -+{{ toYaml .Values.deployment.tolerations | indent 8 }} -+{{- end }} -+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -+{{- if .Values.deployment.node_selector }} -+{{ toYaml .Values.deployment.node_selector | indent 8 }} -+{{- end }} - ... diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/values.yaml.patch b/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/values.yaml.patch deleted file mode 100644 index 36cb4b50d2..0000000000 --- a/packages/rancher-istio/1.19/rancher-kiali-server/generated-changes/patch/values.yaml.patch +++ /dev/null 
@@ -1,39 +0,0 @@ ---- charts-original/values.yaml -+++ charts/values.yaml -@@ -13,6 +13,8 @@ - # do this, a PR would be welcome. - kiali_route_url: "" - -+# rancher specific override that allows proxy access to kiali url -+web_root_override: true - # - # Settings that mimic the Kiali CR which are placed in the ConfigMap. - # Note that only those values used by the Helm Chart will be here. -@@ -42,10 +44,10 @@ - api_version: "autoscaling/v2" - spec: {} - image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") -- image_name: quay.io/kiali/kiali -+ repository: rancher/mirrored-kiali-kiali - image_pull_policy: "Always" - image_pull_secrets: [] -- image_version: v1.75.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash -+ tag: v1.75.0 # version like "v1.75" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash - ingress: - additional_labels: {} - class_name: "nginx" -@@ -110,3 +112,13 @@ - metrics_enabled: true - metrics_port: 9090 - web_root: "" -+ -+# Common settings used among istio subcharts. -+global: -+ # Specify rancher clusterId of external tracing config -+ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 -+ cattle: -+ systemDefaultRegistry: "" -+ clusterId: -+ psp: -+ enabled: false -\ No newline at end of file diff --git a/packages/rancher-istio/1.19/rancher-kiali-server/package.yaml b/packages/rancher-istio/1.19/rancher-kiali-server/package.yaml deleted file mode 100644 index 223bfb97d3..0000000000 --- a/packages/rancher-istio/1.19/rancher-kiali-server/package.yaml +++ /dev/null @@ -1,3 +0,0 @@ -url: https://kiali.org/helm-charts/kiali-server-1.75.0.tgz -version: 104.1.0 -doNotRelease: true \ No newline at end of file diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/.helmignore b/packages/rancher-istio/1.19/rancher-tracing/charts/.helmignore deleted file mode 100644 index 0e8a0eb36f..0000000000 
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/Chart.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/Chart.yaml
deleted file mode 100644
index 7fdc7accb9..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/Chart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-annotations:
- catalog.cattle.io/hidden: "true"
- catalog.cattle.io/os: linux
- catalog.rancher.io/certified: rancher
- catalog.rancher.io/namespace: istio-system
- catalog.rancher.io/release-name: rancher-tracing
-apiVersion: v1
-appVersion: 1.52.0
-description: A quick start Jaeger Tracing installation using the all-in-one demo.
- This is not production qualified. Refer to https://www.jaegertracing.io/ for details.
-name: rancher-tracing
-version: 1.52.0
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/README.md b/packages/rancher-istio/1.19/rancher-tracing/charts/README.md
deleted file mode 100644
index 25534c6288..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Jaeger
-
-A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
-
-> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/_affinity.tpl b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/_affinity.tpl deleted file mode 100644 index bf6a9aee5c..0000000000 --- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/_affinity.tpl +++ /dev/null 
@@ -1,92 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} -{{- define "nodeAffinity" }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .Values.global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .Values.global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .Values.podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if or .Values.podAntiAffinityTermLabelSelector}} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/_helpers.tpl b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/_helpers.tpl deleted file mode 100644 index 09c6b05467..0000000000 --- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/_helpers.tpl +++ /dev/null 
@@ -1,47 +0,0 @@
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- else -}}
-{{- "" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "tracing.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "tracing.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Windows cluster will add default taint for linux nodes,
-add below linux tolerations to workloads could be scheduled to those linux nodes
-*/}}
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/deployment.yaml
deleted file mode 100644
index f8a6828085..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/deployment.yaml
+++ /dev/null
@@ -1,94 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tracing.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ .Values.provider }} - template: - metadata: - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - prometheus.io/scrape: "true" - prometheus.io/port: "14269" -{{- if .Values.jaeger.podAnnotations }} -{{ toYaml .Values.jaeger.podAnnotations | indent 8 }} -{{- end }} - spec: - containers: - - name: jaeger - image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - env: - {{- if eq .Values.jaeger.spanStorageType "badger" }} - - name: BADGER_EPHEMERAL - value: "false" - - name: SPAN_STORAGE_TYPE - value: "badger" - - name: BADGER_DIRECTORY_VALUE - value: "/badger/data" - - name: BADGER_DIRECTORY_KEY - value: "/badger/key" - {{- end }} - - name: COLLECTOR_ZIPKIN_HOST_PORT - value: "9411" - - name: MEMORY_MAX_TRACES - value: "{{ .Values.jaeger.memory.max_traces }}" - - name: QUERY_BASE_PATH - value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} - livenessProbe: - httpGet: - path: / - port: 14269 - readinessProbe: - httpGet: - path: / - port: 14269 -{{- if eq .Values.jaeger.spanStorageType "badger" }} - volumeMounts: - - name: data - mountPath: /badger -{{- end }} - resources: -{{- if .Values.jaeger.resources }} -{{ toYaml .Values.jaeger.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - affinity: - {{- include "nodeAffinity" . | indent 6 }} - {{- include "podAntiAffinity" . 
| indent 6 }} - {{- if .Values.global.cattle.psp.enabled }} - securityContext: - runAsNonRoot: true - runAsUser: 1000 - {{- end }} - serviceAccountName: {{ include "tracing.fullname" . }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} -{{- if eq .Values.jaeger.spanStorageType "badger" }} - volumes: - - name: data -{{- if .Values.jaeger.persistentVolumeClaim.enabled }} - persistentVolumeClaim: - claimName: istio-jaeger-pvc -{{- else }} - emptyDir: {} -{{- end }} -{{- end }} diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/psp.yaml deleted file mode 100644 index 4d5c271e1b..0000000000 --- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/psp.yaml +++ /dev/null 
@@ -1,76 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "tracing.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "tracing.fullname" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - {{ include "tracing.fullname" . }}
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - emptyDir
- - secret
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/pvc.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/pvc.yaml
deleted file mode 100644
index 9b4c55e4fb..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/pvc.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: istio-jaeger-pvc
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
-spec:
- storageClassName: {{ .Values.jaeger.storageClassName }}
- accessModes:
- - {{ .Values.jaeger.accessMode }}
- resources:
- requests:
- storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
-{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/service.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/service.yaml
deleted file mode 100644
index 4210a9b5fc..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/service.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := .Values.service.annotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - name: {{ .Values.service.name }}
- port: {{ .Values.service.externalPort }}
- protocol: TCP
- targetPort: 16686
- selector:
- app: {{ .Values.provider }}
----
-# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
-apiVersion: v1
-kind: Service
-metadata:
- name: zipkin
- namespace: {{ .Release.Namespace }}
- labels:
- name: zipkin
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- ports:
- - name: {{ .Values.service.name }}
- port: {{ .Values.zipkin.queryPort }}
- targetPort: {{ .Values.zipkin.queryPort }}
- selector:
- app: {{ .Values.provider }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: jaeger-collector
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- type: ClusterIP
- ports:
- - name: jaeger-collector-http
- port: 14268
- targetPort: 14268
- protocol: TCP
- - name: jaeger-collector-grpc
- port: 14250
- targetPort: 14250
- protocol: TCP
- selector:
- app: {{ .Values.provider }}
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/serviceaccount.yaml
deleted file mode 100644
index 1bff77ff66..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b7..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/packages/rancher-istio/1.19/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.19/rancher-tracing/charts/values.yaml
deleted file mode 100644
index 52e7deaa8c..0000000000
--- a/packages/rancher-istio/1.19/rancher-tracing/charts/values.yaml
+++ /dev/null
@@ -1,53 +0,0 @@ -provider: jaeger -contextPath: "" -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} -## List of node taints to tolerate (requires Kubernetes >= 1.6) -tolerations: [] -podAntiAffinityLabelSelector: [] -podAntiAffinityTermLabelSelector: [] -nameOverride: "" -fullnameOverride: "" - -global: - cattle: - systemDefaultRegistry: "" - psp: - enabled: false - defaultResources: {} - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - arch: - arm64: 2 - amd64: 2 - s390x: 2 - ppc64le: 2 - defaultNodeSelector: - kubernetes.io/os: linux - rbac: - pspEnabled: false - -jaeger: - repository: rancher/mirrored-jaegertracing-all-in-one - tag: 1.52.0 - # spanStorageType value can be "memory" and "badger" for all-in-one image - spanStorageType: badger - resources: - requests: - cpu: 10m - persistentVolumeClaim: - enabled: false - storage: 5Gi - storageClassName: "" - accessMode: ReadWriteMany - memory: - max_traces: 50000 -zipkin: - queryPort: 9411 -service: - annotations: {} - name: http-query - type: ClusterIP - externalPort: 16686 diff --git a/packages/rancher-istio/1.19/rancher-tracing/package.yaml b/packages/rancher-istio/1.19/rancher-tracing/package.yaml deleted file mode 100644 index 0c468f5382..0000000000 --- a/packages/rancher-istio/1.19/rancher-tracing/package.yaml +++ /dev/null @@ -1,3 +0,0 @@ -url: local -version: 104.1.0 -doNotRelease: true \ No newline at end of file From 18c7cf12c8ad8527ffda466af4cea372dc13c6b6 Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Mon, 24 Feb 2025 20:33:59 -0300 Subject: [PATCH 08/10] remove istio 1.20 package --- .../1.20/rancher-istio/charts/Chart.yaml | 24 ---- .../1.20/rancher-istio/charts/README.md | 79 ---------- .../1.20/rancher-istio/charts/app-readme.md | 65 --------- .../charts/configs/istio-base.yaml | 135 ------------------ .../rancher-istio/charts/requirements.yaml | 9 -- .../charts/samples/overlay-example.yaml | 37 ----- .../charts/templates/_helpers.tpl | 27 ---- .../charts/templates/admin-role.yaml | 43 ------ .../charts/templates/base-config-map.yaml | 7 - .../charts/templates/clusterrole.yaml | 135 ------------------ .../charts/templates/clusterrolebinding.yaml | 12 -- .../charts/templates/edit-role.yaml | 43 ------ .../charts/templates/istio-cni-psp.yaml | 51 ------- .../charts/templates/istio-install-job.yaml | 66 --------- .../charts/templates/istio-install-psp.yaml | 30 ---- .../charts/templates/istio-psp.yaml | 81 ----------- .../charts/templates/istio-uninstall-job.yaml | 53 ------- .../charts/templates/overlay-config-map.yaml | 9 -- .../charts/templates/service-monitors.yaml | 51 ------- .../charts/templates/serviceaccount.yaml | 5 - .../templates/validate-psp-install.yaml | 7 - .../charts/templates/view-role.yaml | 41 ------ .../1.20/rancher-istio/charts/values.yaml | 119 --------------- .../dependencies/kiali/dependency.yaml | 2 - .../dependencies/tracing/dependency.yaml | 2 - .../1.20/rancher-istio/package.yaml | 2 - .../overlay/templates/psp.yaml | 67 --------- .../templates/validate-psp-install.yaml | 7 - .../overlay/templates/web-root-configmap.yaml | 12 -- .../generated-changes/patch/Chart.yaml.patch | 31 ---- .../patch/templates/_helpers.tpl.patch | 49 ------- .../patch/templates/deployment.yaml.patch | 69 --------- .../generated-changes/patch/values.yaml.patch | 39 ----- .../1.20/rancher-kiali-server/package.yaml | 3 - .../1.20/rancher-tracing/charts/.helmignore | 23 --- .../1.20/rancher-tracing/charts/Chart.yaml | 12 -- 
.../1.20/rancher-tracing/charts/README.md | 5 - .../charts/templates/_affinity.tpl | 92 ------------ .../charts/templates/_helpers.tpl | 47 ------ .../charts/templates/deployment.yaml | 94 ------------ .../rancher-tracing/charts/templates/psp.yaml | 76 ---------- .../rancher-tracing/charts/templates/pvc.yaml | 16 --- .../charts/templates/service.yaml | 63 -------- .../charts/templates/serviceaccount.yaml | 9 -- .../templates/validate-psp-install.yaml | 7 - .../1.20/rancher-tracing/charts/values.yaml | 53 ------- .../1.20/rancher-tracing/package.yaml | 3 - 47 files changed, 1912 deletions(-) delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/Chart.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/README.md delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/app-readme.md delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/configs/istio-base.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/requirements.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/samples/overlay-example.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/_helpers.tpl delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/admin-role.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/base-config-map.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrole.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrolebinding.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/edit-role.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-cni-psp.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-job.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-psp.yaml delete mode 
100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-psp.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-uninstall-job.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/overlay-config-map.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/service-monitors.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/serviceaccount.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/templates/view-role.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/charts/values.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-istio/package.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/values.yaml.patch delete mode 100644 packages/rancher-istio/1.20/rancher-kiali-server/package.yaml delete mode 100644 
packages/rancher-istio/1.20/rancher-tracing/charts/.helmignore delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/Chart.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/README.md delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/_affinity.tpl delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/_helpers.tpl delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/deployment.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/psp.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/pvc.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/service.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/serviceaccount.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/charts/values.yaml delete mode 100644 packages/rancher-istio/1.20/rancher-tracing/package.yaml diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/Chart.yaml deleted file mode 100644 index 3872f16812..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/Chart.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: Istio - catalog.cattle.io/kube-version: '>= 1.25.0-0 < 1.30.0-0' - catalog.cattle.io/namespace: istio-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' - catalog.cattle.io/release-name: rancher-istio - catalog.cattle.io/requests-cpu: 710m - catalog.cattle.io/requests-memory: 2314Mi - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: istio - catalog.cattle.io/upstream-version: 1.20.3 -apiVersion: v1 -appVersion: 1.20.3 -description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/ - for details. -icon: https://charts.rancher.io/assets/logos/istio.svg -keywords: -- networking -- infrastructure -name: rancher-istio -version: 1.20.3 diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/README.md b/packages/rancher-istio/1.20/rancher-istio/charts/README.md deleted file mode 100644 index 2230c61859..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Rancher-Istio Chart - -Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. - -See the app-readme for known issues and deprecations. - -## Installation Requirements - -#### Chart Dependencies -- rancher-monitoring chart or other Prometheus installation - -#### Install -To install the rancher-istio chart with helm, use the following command: -``` -helm install rancher-istio --create-namespace -n istio-system -``` - -#### Uninstall -To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. - -**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** -`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` - -## Addons -The addons that are included with rancher-istio are: - -- Kiali -- Jaeger - -Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. -### Kiali Addon - -Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. - -#### Kiali Dependencies -##### rancher-monitoring chart or other Prometheus installation - -This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. 
- -#### Prometheus Configuration for Kiali -> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. - -The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. - -To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. - -1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. -1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. - -#### Kiali External Services - -The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. - -##### Prometheus -The `kiali.external_services.prometheus` url is set in the values.yaml: -``` -http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} -``` -The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. - -##### Grafana -The `kiali.external_services.grafana` url is set in the values.yaml: -``` -http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} -``` -The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. 
- -##### Tracing -The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: -``` -http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} -``` -The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. - -## Jaeger Addon - -Jaeger allows you to trace and monitor distributed microservices. - -> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/app-readme.md b/packages/rancher-istio/1.20/rancher-istio/charts/app-readme.md deleted file mode 100644 index 3ef8193a72..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/app-readme.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Rancher Istio - -Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: -* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh -* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. - -For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). - -## Upgrading to Kubernetes v1.25+ - -Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. - -As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. - -> **Note:** -> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. - -> **Note:** -> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** -> -> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. - -Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
- -As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. - -## Warnings -- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. - -## Known Issues - -#### Airgapped Environments -**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) - -#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. -To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. -`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` -See [this issue](https://github.com/rancher/rancher/issues/33291) for details. - -## Installing istio with distroless-images. -Istio `104.2.0+up1.20.3` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
- -## Deprecations - -#### v1alpha1 security policies -As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ - -If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. - -> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: -``` -Error: found 6 CRD of unsupported v1alpha1 security policy -``` -``` - Error: found 1 unsupported v1alpha1 security policy - ``` - ``` - Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x - ``` - Continue with the migration steps below before retrying the upgrade process. - -#### Migrating Resources: -Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). - -You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/configs/istio-base.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/configs/istio-base.yaml deleted file mode 100644 index 9d99112e36..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/configs/istio-base.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: {{ .Values.base.enabled }} - cni: - enabled: {{ .Values.cni.enabled }} - k8s: - nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} -{{- if .Values.nodeSelector }} -{{- toYaml .Values.nodeSelector | nindent 12 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} -{{- if .Values.tolerations }} -{{- toYaml .Values.tolerations | nindent 12 }} -{{- end }} - egressGateways: - - enabled: {{ .Values.egressGateways.enabled }} - name: istio-egressgateway - k8s: - {{- if .Values.egressGateways.hpaSpec }} - hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }} - {{- end }} - {{- if .Values.egressGateways.podDisruptionBudget }} - podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }} - {{- end }} - nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} -{{- if .Values.nodeSelector }} -{{- toYaml .Values.nodeSelector | nindent 12 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} -{{- if .Values.tolerations }} -{{- toYaml .Values.tolerations | nindent 12 }} -{{- end }} - ingressGateways: - - enabled: {{ .Values.ingressGateways.enabled }} - name: istio-ingressgateway - k8s: - {{- if .Values.ingressGateways.hpaSpec }} - hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }} - {{- end }} - {{- if .Values.ingressGateways.podDisruptionBudget }} - podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }} - {{- end }} - nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} -{{- if .Values.nodeSelector }} -{{- toYaml .Values.nodeSelector | nindent 12 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . 
| nindent 12 }} -{{- if .Values.tolerations }} -{{- toYaml .Values.tolerations | nindent 12 }} -{{- end }} - service: - ports: - - name: status-port - port: 15021 - targetPort: 15021 - - name: http2 - port: 80 - targetPort: 8080 - nodePort: 31380 - - name: https - port: 443 - targetPort: 8443 - nodePort: 31390 - - name: tcp - port: 31400 - targetPort: 31400 - nodePort: 31400 - - name: tls - port: 15443 - targetPort: 15443 - istiodRemote: - enabled: {{ .Values.istiodRemote.enabled }} - pilot: - enabled: {{ .Values.pilot.enabled }} - k8s: - {{- if .Values.pilot.hpaSpec }} - hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }} - {{- end }} - {{- if .Values.pilot.podDisruptionBudget }} - podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }} - {{- end }} - nodeSelector: {{ include "linux-node-selector" . | nindent 12 }} -{{- if .Values.nodeSelector }} -{{- toYaml .Values.nodeSelector | nindent 12 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 12 }} -{{- if .Values.tolerations }} -{{- toYaml .Values.tolerations | nindent 12 }} -{{- end }} - hub: {{ .Values.systemDefaultRegistry | default "docker.io" }} - profile: default - tag: {{ .Values.tag }} - revision: {{ .Values.revision }} - meshConfig: - defaultConfig: - proxyMetadata: - {{- if .Values.dns.enabled }} - ISTIO_META_DNS_CAPTURE: "true" - {{- end }} - values: - gateways: - istio-egressgateway: - name: istio-egressgateway - type: {{ .Values.egressGateways.type }} - istio-ingressgateway: - name: istio-ingressgateway - type: {{ .Values.ingressGateways.type }} - global: - istioNamespace: {{ template "istio.namespace" . }} - proxy: - image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }} - proxy_init: - image: {{ template "system_default_registry" . 
}}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }} - {{- if .Values.global.defaultPodDisruptionBudget.enabled }} - defaultPodDisruptionBudget: - enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }} - {{- end }} - {{- if .Values.pilot.enabled }} - pilot: - image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }} - {{- end }} - telemetry: - enabled: {{ .Values.telemetry.enabled }} - v2: - enabled: {{ .Values.telemetry.v2.enabled }} - {{- if .Values.cni.enabled }} - cni: - image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }} - excludeNamespaces: - {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }} - logLevel: {{ .Values.cni.logLevel }} - {{- end }} diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/requirements.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/requirements.yaml deleted file mode 100644 index 73bc894951..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/requirements.yaml +++ /dev/null @@ -1,9 +0,0 @@ -dependencies: -- condition: kiali.enabled - name: kiali - repository: file://./charts/kiali - version: 1.78.0 -- condition: tracing.enabled - name: tracing - repository: file://./charts/tracing - version: 1.53.0 diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/samples/overlay-example.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/samples/overlay-example.yaml deleted file mode 100644 index 5cf3cf3b0b..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/samples/overlay-example.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - ingressGateways: - - enabled: true - name: ilb-gateway - namespace: user-ingressgateway-ns - k8s: - resources: - requests: - cpu: 200m - service: - ports: - - name: tcp-citadel-grpc-tls - port: 8060 - targetPort: 8060 - - name: tcp-dns - port: 5353 - serviceAnnotations: - cloud.google.com/load-balancer-type: internal - - enabled: true - name: other-gateway - namespace: cattle-istio-system - k8s: - resources: - requests: - cpu: 200m - service: - ports: - - name: tcp-citadel-grpc-tls - port: 8060 - targetPort: 8060 - - name: tcp-dns - port: 5353 - serviceAnnotations: - cloud.google.com/load-balancer-type: internal diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/_helpers.tpl b/packages/rancher-istio/1.20/rancher-istio/charts/templates/_helpers.tpl deleted file mode 100644 index 30b429a800..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/_helpers.tpl +++ /dev/null @@ -1,27 +0,0 @@ -{{/* Ensure namespace is set the same everywhere */}} -{{- define "istio.namespace" -}} - {{- .Release.Namespace | default "istio-system" -}} -{{- end -}} - -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -kubernetes.io/os: linux -{{- end -}} \ No newline at end of file 
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/admin-role.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/admin-role.yaml deleted file mode 100644 index ad1313c4f1..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/admin-role.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - name: istio-admin - namespace: {{ template "istio.namespace" . }} -rules: - - apiGroups: - - config.istio.io - resources: - - adapters - - attributemanifests - - handlers - - httpapispecbindings - - httpapispecs - - instances - - quotaspecbindings - - quotaspecs - - rules - - templates - verbs: ["get", "watch", "list"] - - apiGroups: - - networking.istio.io - resources: - - destinationrules - - envoyfilters - - gateways - - serviceentries - - sidecars - - virtualservices - - workloadentries - verbs: - - '*' - - apiGroups: - - security.istio.io - resources: - - authorizationpolicies - - peerauthentications - - requestauthentications - verbs: - - '*' diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/base-config-map.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/base-config-map.yaml deleted file mode 100644 index 5323917bc3..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/base-config-map.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-installer-base - namespace: {{ template "istio.namespace" . }} -data: -{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrole.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrole.yaml deleted file mode 100644 index f8f229987d..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrole.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-installer -rules: -# istio groups -- apiGroups: - - extensions.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - authentication.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - config.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - install.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - networking.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - rbac.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - security.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - telemetry.istio.io - resources: - - '*' - verbs: - - '*' -# k8s groups -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions.apiextensions.k8s.io - - customresourcedefinitions - verbs: - - '*' -- apiGroups: - - apps - - extensions - resources: - - daemonsets - - deployments - - deployments/finalizers - - ingresses - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - roles - - rolebindings - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - pods - - pods/exec - - pods/portforward - - persistentvolumeclaims - - secrets - - services - - serviceaccounts - verbs: - - '*' -{{- if and .Values.global.cattle.psp.enabled }} -- apiGroups: - - policy - resourceNames: - - istio-installer - resources: - - podsecuritypolicies 
- verbs: - - use -{{- end }} diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrolebinding.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrolebinding.yaml deleted file mode 100644 index 9d74a04345..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-installer -subjects: -- kind: ServiceAccount - name: istio-installer - namespace: {{ template "istio.namespace" . }} -roleRef: - kind: ClusterRole - name: istio-installer - apiGroup: rbac.authorization.k8s.io diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/edit-role.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/edit-role.yaml deleted file mode 100644 index d1059d58d7..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/edit-role.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - namespace: {{ template "istio.namespace" . }} - name: istio-edit -rules: - - apiGroups: - - config.istio.io - resources: - - adapters - - attributemanifests - - handlers - - httpapispecbindings - - httpapispecs - - instances - - quotaspecbindings - - quotaspecs - - rules - - templates - verbs: ["get", "watch", "list"] - - apiGroups: - - networking.istio.io - resources: - - destinationrules - - envoyfilters - - gateways - - serviceentries - - sidecars - - virtualservices - - workloadentries - verbs: - - '*' - - apiGroups: - - security.istio.io - resources: - - authorizationpolicies - - peerauthentications - - requestauthentications - verbs: - - '*' 
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-cni-psp.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-cni-psp.yaml deleted file mode 100644 index a71561e676..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-cni-psp.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if .Values.global.cattle.psp.enabled }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: psp-istio-cni - namespace: {{ template "istio.namespace" . }} -spec: - allowPrivilegeEscalation: true - fsGroup: - rule: RunAsAny - hostNetwork: true - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - secret - - configMap - - emptyDir - - hostPath ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: psp-istio-cni - namespace: {{ template "istio.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: psp-istio-cni -subjects: - - kind: ServiceAccount - name: istio-cni ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: psp-istio-cni - namespace: {{ template "istio.namespace" . }} -rules: -- apiGroups: - - policy - resourceNames: - - psp-istio-cni - resources: - - podsecuritypolicies - verbs: - - use -{{- end }} diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-job.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-job.yaml deleted file mode 100644 index c2e362e684..0000000000 --- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-job.yaml +++ /dev/null 
@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istioctl-installer
- namespace: {{ template "istio.namespace" . }}
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- backoffLimit: 1
- template:
- spec:
- {{- if .Values.installer.releaseMirror.enabled }}
- hostAliases:
- - ip: "127.0.0.1"
- hostnames:
- - "github.com"
- {{- end }}
- containers:
- - name: istioctl-installer
- image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
- env:
- - name: RELEASE_NAME
- value: {{ .Release.Name }}
- - name: ISTIO_NAMESPACE
- value: {{ template "istio.namespace" . }}
- - name: FORCE_INSTALL
- value: {{ .Values.forceInstall | default "false" | quote }}
- - name: RELEASE_MIRROR_ENABLED
- value: {{ .Values.installer.releaseMirror.enabled | quote }}
- - name: SECONDS_SLEEP
- value: {{ .Values.installer.debug.secondsSleep | quote}}
- command: ["/bin/sh","-c"]
- args: ["/usr/local/app/scripts/run.sh"]
- volumeMounts:
- - name: config-volume
- mountPath: /app/istio-base.yaml
- subPath: istio-base.yaml
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- mountPath: /app/overlay-config.yaml
- subPath: overlay-config.yaml
- {{- end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio-installer-base
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- configMap:
- name: istio-installer-overlay
- {{- end }}
- serviceAccountName: istio-installer
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsUser: 499
- runAsGroup: 487
- restartPolicy: Never
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-psp.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-psp.yaml
deleted file mode 100644
index 9da3391d40..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-install-psp.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
-spec:
- privileged: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- volumes:
- - 'configMap'
- - 'secret'
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-psp.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-psp.yaml
deleted file mode 100644
index cfada1bf7f..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-psp.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istio-psp
-subjects:
- - kind: ServiceAccount
- name: istio-egressgateway-service-account
- - kind: ServiceAccount
- name: istio-ingressgateway-service-account
- - kind: ServiceAccount
- name: istio-mixer-service-account
- - kind: ServiceAccount
- name: istio-operator-authproxy
- - kind: ServiceAccount
- name: istiod-service-account
- - kind: ServiceAccount
- name: istio-sidecar-injector-service-account
- - kind: ServiceAccount
- name: istiocoredns-service-account
- - kind: ServiceAccount
- name: default
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - istio-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-uninstall-job.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-uninstall-job.yaml
deleted file mode 100644
index 0091d0c176..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/istio-uninstall-job.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istioctl-uninstaller
- namespace: {{ template "istio.namespace" . }}
- annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded
-spec:
- template:
- spec:
- containers:
- - name: istioctl-uninstaller
- image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
- env:
- - name: RELEASE_NAME
- value: {{ .Release.Name }}
- - name: ISTIO_NAMESPACE
- value: {{ template "istio.namespace" . }}
- command: ["/bin/sh","-c"]
- args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
- volumeMounts:
- - name: config-volume
- mountPath: /app/istio-base.yaml
- subPath: istio-base.yaml
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- mountPath: /app/overlay-config.yaml
- subPath: overlay-config.yaml
- {{ end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio-installer-base
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- configMap:
- name: istio-installer-overlay
- {{ end }}
- serviceAccountName: istio-installer
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsUser: 101
- runAsGroup: 101
- restartPolicy: OnFailure
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/overlay-config-map.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/overlay-config-map.yaml
deleted file mode 100644
index 287d26b2c3..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/overlay-config-map.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.overlayFile }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-installer-overlay
- namespace: {{ template "istio.namespace" . }}
-data:
- overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/service-monitors.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/service-monitors.yaml
deleted file mode 100644
index c3d60c4fce..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/service-monitors.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.kiali.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: envoy-stats-monitor
- namespace: {{ template "istio.namespace" . }}
- labels:
- monitoring: istio-proxies
-spec:
- selector:
- matchExpressions:
- - {key: istio-prometheus-ignore, operator: DoesNotExist}
- namespaceSelector:
- any: true
- jobLabel: envoy-stats
- endpoints:
- - path: /stats/prometheus
- targetPort: 15090
- interval: 15s
- relabelings:
- - sourceLabels: [__meta_kubernetes_pod_container_port_name]
- action: keep
- regex: '.*-envoy-prom'
- - action: labeldrop
- regex: "__meta_kubernetes_pod_label_(.+)"
- - sourceLabels: [__meta_kubernetes_namespace]
- action: replace
- targetLabel: namespace
- - sourceLabels: [__meta_kubernetes_pod_name]
- action: replace
- targetLabel: pod_name
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: istio-component-monitor
- namespace: {{ template "istio.namespace" . }}
- labels:
- monitoring: istio-components
-spec:
- jobLabel: istio
- targetLabels: [app]
- selector:
- matchExpressions:
- - {key: istio, operator: In, values: [pilot]}
- namespaceSelector:
- any: true
- endpoints:
- - port: http-monitoring
- interval: 15s
-{{- end -}}
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/serviceaccount.yaml
deleted file mode 100644
index 82b6cbb7e6..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/validate-psp-install.yaml
deleted file mode 100644
index 4b0e5cfb65..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/templates/view-role.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/templates/view-role.yaml
deleted file mode 100644
index 5947d3eba9..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/templates/view-role.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- namespace: {{ template "istio.namespace" . }}
- name: istio-view
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs: ["get", "watch", "list"]
diff --git a/packages/rancher-istio/1.20/rancher-istio/charts/values.yaml b/packages/rancher-istio/1.20/rancher-istio/charts/values.yaml
deleted file mode 100644
index bf9a7e7ee2..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/charts/values.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-overlayFile: ""
-tag: 1.20.3
-##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install
-forceInstall: false
-
-installer:
- repository: rancher/istio-installer
- tag: 1.20.3-rancher1
- ##releaseMirror are configurations for istio upgrades.
- ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal
- ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets.
- releaseMirror:
- enabled: false
-
- ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging
- debug:
- secondsSleep: 0
-
-##Native support for dns added in 1.8
-dns:
- enabled: false
-
-base:
- enabled: true
-
-cni:
- enabled: false
- repository: rancher/mirrored-istio-install-cni
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.20.3
- tag: 1.20.3-distroless
- logLevel: info
- excludeNamespaces:
- - istio-system
- - kube-system
-
-egressGateways:
- enabled: false
- type: NodePort
- hpaSpec: {}
- podDisruptionBudget: {}
-
-ingressGateways:
- enabled: true
- type: NodePort
- hpaSpec: {}
- podDisruptionBudget: {}
-
-istiodRemote:
- enabled: false
-
-pilot:
- enabled: true
- repository: rancher/mirrored-istio-pilot
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.20.3
- tag: 1.20.3-distroless
- hpaSpec: {}
- podDisruptionBudget: {}
-
-telemetry:
- enabled: true
- v2:
- enabled: true
-
-global:
- cattle:
- systemDefaultRegistry: ""
- psp:
- enabled: false
- proxy:
- repository: rancher/mirrored-istio-proxyv2
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the 
following tag and deleting
-# the distroless tag:
-# tag: 1.20.3
- tag: 1.20.3-distroless
- proxy_init:
- repository: rancher/mirrored-istio-proxyv2
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.20.3
- tag: 1.20.3-distroless
- defaultPodDisruptionBudget:
- enabled: true
-
-# Kiali subchart from rancher-kiali-server
-kiali:
- enabled: true
- # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/
- auth:
- strategy: token
- server:
- web_root: /
- deployment:
- ingress_enabled: false
- external_services:
- prometheus:
- custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
- url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
- tracing:
- in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger"
- use_grpc: false
- grafana:
- in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
- url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
-
-tracing:
- enabled: false
- contextPath: "/jaeger"
-
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
diff --git a/packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml b/packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
deleted file mode 100644
index b70451d1f6..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-workingDir: ""
-url: packages/rancher-istio/1.20/rancher-kiali-server
diff --git a/packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml b/packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
deleted file mode 100644
index 9dfe602279..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-workingDir: ""
-url: packages/rancher-istio/1.20/rancher-tracing
diff --git a/packages/rancher-istio/1.20/rancher-istio/package.yaml b/packages/rancher-istio/1.20/rancher-istio/package.yaml
deleted file mode 100644
index 84ac4aff48..0000000000
--- a/packages/rancher-istio/1.20/rancher-istio/package.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-url: local
-version: 105.1.0+up1.20.3
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
deleted file mode 100644
index e31d706d4b..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "kiali-server.fullname" . }}-psp
-subjects:
- - kind: ServiceAccount
- name: kiali
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - {{ include "kiali-server.fullname" . }}-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b7..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
deleted file mode 100644
index 970d4e4f5d..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.web_root_override }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kiali-console
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kiali-server.labels" . | nindent 4 }}
-data:
- env.js: |
- window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
deleted file mode 100644
index be9cca276f..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
+++ /dev/null
@@ -1,31 +0,0 @@
---- charts-original/Chart.yaml
-+++ charts/Chart.yaml
-@@ -1,17 +1,26 @@
-+annotations:
-+ catalog.cattle.io/hidden: "true"
-+ catalog.cattle.io/os: linux
-+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
-+ catalog.rancher.io/namespace: cattle-istio-system
-+ catalog.rancher.io/release-name: rancher-kiali-server
- apiVersion: v2
- appVersion: v1.78.0
- description: Kiali is an open source project for service mesh observability, refer
-- to https://www.kiali.io for details.
-+ to https://www.kiali.io for details. This is installed as sub-chart with customized
-+ values in Rancher's Istio.
- home: https://github.com/kiali/kiali
- icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
- keywords:
- - istio
- - kiali
-+- networking
-+- infrastructure
- maintainers:
- - email: kiali-users@googlegroups.com
- name: Kiali
- url: https://kiali.io
--name: kiali-server
-+name: rancher-kiali-server
- sources:
- - https://github.com/kiali/kiali
- - https://github.com/kiali/kiali-operator
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch
deleted file mode 100644
index cd8d4397cc..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch
+++ /dev/null
@@ -1,49 +0,0 @@
---- charts-original/templates/_helpers.tpl
-+++ charts/templates/_helpers.tpl
-@@ -50,8 +50,15 @@
- Selector labels
- */}}
- {{- define "kiali-server.selectorLabels" -}}
-+{{- $releaseName := .Release.Name -}}
-+{{- $fullName := include "kiali-server.fullname" . -}}
-+{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}}
- app.kubernetes.io/name: kiali
--app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }}
-+{{- if (and .Release.IsUpgrade $deployment)}}
-+app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }}
-+{{- else }}
-+app.kubernetes.io/instance: {{ $fullName }}
-+{{- end }}
- {{- end }}
-
- {{/*
-@@ -172,6 +179,29 @@
- {{- end }}
- {{- end }}
-
-+{{- define "system_default_registry" -}}
-+{{- if .Values.global.cattle.systemDefaultRegistry -}}
-+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-+{{- else -}}
-+{{- "" -}}
-+{{- end -}}
-+{{- end -}}
-+
-+{{/*
-+Windows cluster will add default taint for linux nodes,
-+add below linux tolerations to workloads could be scheduled to those linux nodes
-+*/}}
-+{{- define "linux-node-tolerations" -}}
-+- key: "cattle.io/os"
-+ value: "linux"
-+ effect: "NoSchedule"
-+ operator: "Equal"
-+{{- end -}}
-+
-+{{- define "linux-node-selector" -}}
-+kubernetes.io/os: linux
-+{{- end -}}
-+
- {{/*
- Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed.
- Returns a JSON dict whose keys are the cluster names and values are the cluster secret data.
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch
deleted file mode 100644
index 1a787d4bce..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch
+++ /dev/null
@@ -1,69 +0,0 @@
---- charts-original/templates/deployment.yaml
-+++ charts/templates/deployment.yaml
-@@ -6,6 +6,9 @@
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kiali-server.labels" . | nindent 4 }}
-+ annotations:
-+ "helm.sh/hook": post-install, post-upgrade
-+ "helm.sh/hook-weight": "-4"
- spec:
- replicas: {{ .Values.deployment.replicas }}
- selector:
-@@ -53,7 +56,7 @@
- {{- toYaml .Values.deployment.host_aliases | nindent 6 }}
- {{- end }}
- containers:
-- - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}"
-+ - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}"
- imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
- name: {{ include "kiali-server.fullname" . }}
- command:
-@@ -115,6 +118,11 @@
- - name: LOG_SAMPLER_RATE
- value: "{{ .Values.deployment.logger.sampler_rate }}"
- volumeMounts:
-+ {{- if .Values.web_root_override }}
-+ - name: kiali-console
-+ subPath: env.js
-+ mountPath: /opt/kiali/console/env.js
-+ {{- end }}
- - name: {{ include "kiali-server.fullname" . }}-configuration
- mountPath: "/kiali-configuration"
- - name: {{ include "kiali-server.fullname" . }}-cert
-@@ -140,6 +148,14 @@
- {{- toYaml .Values.deployment.resources | nindent 10 }}
- {{- end }}
- volumes:
-+ {{- if .Values.web_root_override }}
-+ - name: kiali-console
-+ configMap:
-+ name: kiali-console
-+ items:
-+ - key: env.js
-+ path: env.js
-+ {{- end }}
- - name: {{ include "kiali-server.fullname" . }}-configuration
- configMap:
- name: {{ include "kiali-server.fullname" . 
}}
-@@ -194,12 +210,12 @@
- {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }}
- {{- end }}
- {{- end }}
-- {{- if .Values.deployment.tolerations }}
-- tolerations:
-- {{- toYaml .Values.deployment.tolerations | nindent 8 }}
-- {{- end }}
-- {{- if .Values.deployment.node_selector }}
-- nodeSelector:
-- {{- toYaml .Values.deployment.node_selector | nindent 8 }}
-- {{- end }}
-+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-+{{- if .Values.deployment.tolerations }}
-+{{ toYaml .Values.deployment.tolerations | indent 8 }}
-+{{- end }}
-+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-+{{- if .Values.deployment.node_selector }}
-+{{ toYaml .Values.deployment.node_selector | indent 8 }}
-+{{- end }}
- ...
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/values.yaml.patch b/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/values.yaml.patch
deleted file mode 100644
index 8a75c30847..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/generated-changes/patch/values.yaml.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- charts-original/values.yaml
-+++ charts/values.yaml
-@@ -13,6 +13,8 @@
- # do this, a PR would be welcome.
- kiali_route_url: ""
-
-+# rancher specific override that allows proxy access to kiali url
-+web_root_override: true
- #
- # Settings that mimic the Kiali CR which are placed in the ConfigMap.
- # Note that only those values used by the Helm Chart will be here.
-@@ -47,10 +49,10 @@
- api_version: "autoscaling/v2"
- spec: {}
- image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@")
-- image_name: quay.io/kiali/kiali
-+ repository: rancher/mirrored-kiali-kiali
- image_pull_policy: "Always"
- image_pull_secrets: []
-- image_version: v1.78.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash
-+ tag: v1.78.0 # version like "v1.78" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash
- ingress:
- additional_labels: {}
- class_name: "nginx"
-@@ -115,3 +117,13 @@
- metrics_enabled: true
- metrics_port: 9090
- web_root: ""
-+
-+# Common settings used among istio subcharts.
-+global:
-+ # Specify rancher clusterId of external tracing config
-+ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032
-+ cattle:
-+ systemDefaultRegistry: ""
-+ clusterId:
-+ psp:
-+ enabled: false
-\ No newline at end of file
diff --git a/packages/rancher-istio/1.20/rancher-kiali-server/package.yaml b/packages/rancher-istio/1.20/rancher-kiali-server/package.yaml
deleted file mode 100644
index c735fe8813..0000000000
--- a/packages/rancher-istio/1.20/rancher-kiali-server/package.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-url: https://kiali.org/helm-charts/kiali-server-1.78.0.tgz
-version: 104.2.0
-doNotRelease: true
\ No newline at end of file
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/.helmignore b/packages/rancher-istio/1.20/rancher-tracing/charts/.helmignore
deleted file mode 100644
index 0e8a0eb36f..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/Chart.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/Chart.yaml
deleted file mode 100644
index 9d5ccb67bc..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/Chart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-annotations:
- catalog.cattle.io/hidden: "true"
- catalog.cattle.io/os: linux
- catalog.rancher.io/certified: rancher
- catalog.rancher.io/namespace: istio-system
- catalog.rancher.io/release-name: rancher-tracing
-apiVersion: v1
-appVersion: 1.53.0
-description: A quick start Jaeger Tracing installation using the all-in-one demo.
- This is not production qualified. Refer to https://www.jaegertracing.io/ for details.
-name: rancher-tracing
-version: 1.53.0
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/README.md b/packages/rancher-istio/1.20/rancher-tracing/charts/README.md
deleted file mode 100644
index 25534c6288..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Jaeger
-
-A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
-
-> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/_affinity.tpl b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/_affinity.tpl
deleted file mode 100644
index bf6a9aee5c..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/_affinity.tpl
+++ /dev/null
@@ -1,92 +0,0 @@
-{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
-{{- define "nodeAffinity" }}
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityRequiredDuringScheduling" . }}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "nodeAffinityPreferredDuringScheduling" . }}
-{{- end }}
-
-{{- define "nodeAffinityRequiredDuringScheduling" }}
- nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- {{- range $key, $val := .Values.global.arch }}
- {{- if gt ($val | int) 0 }}
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
- {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}}
- {{- range $key, $val := $nodeSelector }}
- - key: {{ $key }}
- operator: In
- values:
- - {{ $val | quote }}
- {{- end }}
-{{- end }}
-
-{{- define "nodeAffinityPreferredDuringScheduling" }}
- {{- range $key, $val := .Values.global.arch }}
- {{- if gt ($val | int) 0 }}
- - weight: {{ $val | int }}
- preference:
- matchExpressions:
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - {{ $key | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinity" }}
-{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}}
- podAntiAffinity:
- {{- if .Values.podAntiAffinityLabelSelector }}
- requiredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityRequiredDuringScheduling" . }}
- {{- end }}
- {{- if or .Values.podAntiAffinityTermLabelSelector}}
- preferredDuringSchedulingIgnoredDuringExecution:
- {{- include "podAntiAffinityPreferredDuringScheduling" . }}
- {{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityRequiredDuringScheduling" }}
- {{- range $index, $item := .Values.podAntiAffinityLabelSelector }}
- - labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- {{- end }}
-{{- end }}
-
-{{- define "podAntiAffinityPreferredDuringScheduling" }}
- {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }}
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: {{ $item.key }}
- operator: {{ $item.operator }}
- {{- if $item.values }}
- values:
- {{- $vals := split "," $item.values }}
- {{- range $i, $v := $vals }}
- - {{ $v | quote }}
- {{- end }}
- {{- end }}
- topologyKey: {{ $item.topologyKey }}
- weight: 100
- {{- end }}
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/_helpers.tpl b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/_helpers.tpl
deleted file mode 100644
index 09c6b05467..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/_helpers.tpl
+++ /dev/null
@@ -1,47 +0,0 @@
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- else -}}
-{{- "" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "tracing.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "tracing.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Windows cluster will add default taint for linux nodes,
-add below linux tolerations to workloads could be scheduled to those linux nodes
-*/}}
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/deployment.yaml
deleted file mode 100644
index f8a6828085..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/deployment.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- selector:
- matchLabels:
- app: {{ .Values.provider }}
- template:
- metadata:
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- sidecar.istio.io/inject: "false"
- prometheus.io/scrape: "true"
- prometheus.io/port: "14269"
-{{- if .Values.jaeger.podAnnotations }}
-{{ toYaml .Values.jaeger.podAnnotations | indent 8 }}
-{{- end }}
- spec:
- containers:
- - name: jaeger
- image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}"
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- env:
- {{- if eq .Values.jaeger.spanStorageType "badger" }}
- - name: BADGER_EPHEMERAL
- value: "false"
- - name: SPAN_STORAGE_TYPE
- value: "badger"
- - name: BADGER_DIRECTORY_VALUE
- value: "/badger/data"
- - name: BADGER_DIRECTORY_KEY
- value: "/badger/key"
- {{- end }}
- - name: COLLECTOR_ZIPKIN_HOST_PORT
- value: "9411"
- - name: MEMORY_MAX_TRACES
- value: "{{ .Values.jaeger.memory.max_traces }}"
- - name: QUERY_BASE_PATH
- value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }}
- livenessProbe:
- httpGet:
- path: /
- port: 14269
- readinessProbe:
- httpGet:
- path: /
- port: 14269
-{{- if eq .Values.jaeger.spanStorageType "badger" }}
- volumeMounts:
- - name: data
- mountPath: /badger
-{{- end }}
- resources:
-{{- if .Values.jaeger.resources }}
-{{ toYaml .Values.jaeger.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- affinity:
- {{- include "nodeAffinity" . | indent 6 }}
- {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.global.cattle.psp.enabled }}
- securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- {{- end }}
- serviceAccountName: {{ include "tracing.fullname" . }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
-{{- if eq .Values.jaeger.spanStorageType "badger" }}
- volumes:
- - name: data
-{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
- persistentVolumeClaim:
- claimName: istio-jaeger-pvc
-{{- else }}
- emptyDir: {}
-{{- end }}
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/psp.yaml
deleted file mode 100644
index 4d5c271e1b..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/psp.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "tracing.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "tracing.fullname" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - {{ include "tracing.fullname" . }}
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - emptyDir
- - secret
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/pvc.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/pvc.yaml
deleted file mode 100644
index 9b4c55e4fb..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/pvc.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.jaeger.persistentVolumeClaim.enabled }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: istio-jaeger-pvc
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
-spec:
- storageClassName: {{ .Values.jaeger.storageClassName }}
- accessModes:
- - {{ .Values.jaeger.accessMode }}
- resources:
- requests:
- storage: {{.Values.jaeger.persistentVolumeClaim.storage }}
-{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/service.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/service.yaml
deleted file mode 100644
index 4210a9b5fc..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/service.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: tracing
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := .Values.service.annotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - name: {{ .Values.service.name }}
- port: {{ .Values.service.externalPort }}
- protocol: TCP
- targetPort: 16686
- selector:
- app: {{ .Values.provider }}
----
-# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
-apiVersion: v1
-kind: Service
-metadata:
- name: zipkin
- namespace: {{ .Release.Namespace }}
- labels:
- name: zipkin
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- ports:
- - name: {{ .Values.service.name }}
- port: {{ .Values.zipkin.queryPort }}
- targetPort: {{ .Values.zipkin.queryPort }}
- selector:
- app: {{ .Values.provider }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: jaeger-collector
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- type: ClusterIP
- ports:
- - name: jaeger-collector-http
- port: 14268
- targetPort: 14268
- protocol: TCP
- - name: jaeger-collector-grpc
- port: 14250
- targetPort: 14250
- protocol: TCP
- selector:
- app: {{ .Values.provider }}
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/serviceaccount.yaml
deleted file mode 100644
index 1bff77ff66..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b7..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/packages/rancher-istio/1.20/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.20/rancher-tracing/charts/values.yaml
deleted file mode 100644
index 86a4063091..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/charts/values.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-provider: jaeger
-contextPath: ""
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
-nameOverride: ""
-fullnameOverride: ""
-
-global:
- cattle:
- systemDefaultRegistry: ""
- psp:
- enabled: false
- defaultResources: {}
- imagePullPolicy: IfNotPresent
- imagePullSecrets: []
- arch:
- arm64: 2
- amd64: 2
- s390x: 2
- ppc64le: 2
- defaultNodeSelector:
- kubernetes.io/os: linux
- rbac:
- pspEnabled: false
-
-jaeger:
- repository: rancher/mirrored-jaegertracing-all-in-one
- tag: 1.53.0
- # spanStorageType value can be "memory" and "badger" for all-in-one image
- spanStorageType: badger
- resources:
- requests:
- cpu: 10m
- persistentVolumeClaim:
- enabled: false
- storage: 5Gi
- storageClassName: ""
- accessMode: ReadWriteMany
- memory:
- max_traces: 50000
-zipkin:
- queryPort: 9411
-service:
- annotations: {}
- name: http-query
- type: ClusterIP
- externalPort: 16686
diff --git a/packages/rancher-istio/1.20/rancher-tracing/package.yaml b/packages/rancher-istio/1.20/rancher-tracing/package.yaml
deleted file mode 100644
index b99625032e..0000000000
--- a/packages/rancher-istio/1.20/rancher-tracing/package.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-url: local
-version: 104.2.0
-doNotRelease: true
\ No newline at end of file
From a07534d1a24c969a1ced30c0660d88b659895157 Mon Sep 17 00:00:00 2001
From: Diogo Souza Date: Mon, 24 Feb 2025 20:34:07 -0300 Subject: [PATCH 09/10] remove istio 1.21 package --- .../1.21/rancher-istio/charts/Chart.yaml | 24 ---- .../1.21/rancher-istio/charts/README.md | 79 ---------- .../1.21/rancher-istio/charts/app-readme.md | 65 --------- .../charts/configs/istio-base.yaml | 135 ------------------ .../rancher-istio/charts/requirements.yaml | 9 -- .../charts/samples/overlay-example.yaml | 37 ----- .../charts/templates/_helpers.tpl | 27 ---- .../charts/templates/admin-role.yaml | 43 ------ .../charts/templates/base-config-map.yaml | 7 - .../charts/templates/clusterrole.yaml | 135 ------------------ .../charts/templates/clusterrolebinding.yaml | 12 -- .../charts/templates/edit-role.yaml | 43 ------ .../charts/templates/istio-cni-psp.yaml | 51 ------- .../charts/templates/istio-install-job.yaml | 66 --------- .../charts/templates/istio-install-psp.yaml | 30 ---- .../charts/templates/istio-psp.yaml | 81 ----------- .../charts/templates/istio-uninstall-job.yaml | 53 ------- .../charts/templates/overlay-config-map.yaml | 9 -- .../charts/templates/service-monitors.yaml | 51 ------- .../charts/templates/serviceaccount.yaml | 5 - .../templates/validate-psp-install.yaml | 7 - .../charts/templates/view-role.yaml | 41 ------ .../1.21/rancher-istio/charts/values.yaml | 119 --------------- .../dependencies/kiali/dependency.yaml | 2 - .../dependencies/tracing/dependency.yaml | 2 - .../1.21/rancher-istio/package.yaml | 2 - .../overlay/templates/psp.yaml | 67 --------- .../templates/validate-psp-install.yaml | 7 - .../overlay/templates/web-root-configmap.yaml | 12 -- .../generated-changes/patch/Chart.yaml.patch | 31 ---- .../patch/templates/_helpers.tpl.patch | 49 ------- .../patch/templates/deployment.yaml.patch | 69 --------- .../generated-changes/patch/values.yaml.patch | 39 ----- .../1.21/rancher-kiali-server/package.yaml | 3 - .../1.21/rancher-tracing/charts/.helmignore | 23 --- .../1.21/rancher-tracing/charts/Chart.yaml | 12 -- 
.../1.21/rancher-tracing/charts/README.md | 5 - .../charts/templates/_affinity.tpl | 92 ------------ .../charts/templates/_helpers.tpl | 47 ------ .../charts/templates/deployment.yaml | 94 ------------ .../rancher-tracing/charts/templates/psp.yaml | 76 ---------- .../rancher-tracing/charts/templates/pvc.yaml | 16 --- .../charts/templates/service.yaml | 63 -------- .../charts/templates/serviceaccount.yaml | 9 -- .../templates/validate-psp-install.yaml | 7 - .../1.21/rancher-tracing/charts/values.yaml | 53 ------- .../1.21/rancher-tracing/package.yaml | 3 - 47 files changed, 1912 deletions(-) delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/Chart.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/README.md delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/app-readme.md delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/configs/istio-base.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/requirements.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/samples/overlay-example.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/_helpers.tpl delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/admin-role.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/base-config-map.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrole.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrolebinding.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/edit-role.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-cni-psp.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-job.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-psp.yaml delete mode 
100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-psp.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-uninstall-job.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/overlay-config-map.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/service-monitors.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/serviceaccount.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/templates/view-role.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/charts/values.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-istio/package.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/values.yaml.patch delete mode 100644 packages/rancher-istio/1.21/rancher-kiali-server/package.yaml delete mode 100644 
packages/rancher-istio/1.21/rancher-tracing/charts/.helmignore delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/Chart.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/README.md delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/_affinity.tpl delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/_helpers.tpl delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/deployment.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/psp.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/pvc.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/service.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/serviceaccount.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/templates/validate-psp-install.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/charts/values.yaml delete mode 100644 packages/rancher-istio/1.21/rancher-tracing/package.yaml diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/Chart.yaml deleted file mode 100644 index d8176b88cc..0000000000 --- a/packages/rancher-istio/1.21/rancher-istio/charts/Chart.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-annotations:
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/display-name: Istio
- catalog.cattle.io/kube-version: '>= 1.26.0-0 < 1.30.0-0'
- catalog.cattle.io/namespace: istio-system
- catalog.cattle.io/os: linux
- catalog.cattle.io/permits-os: linux,windows
- catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
- catalog.cattle.io/release-name: rancher-istio
- catalog.cattle.io/requests-cpu: 710m
- catalog.cattle.io/requests-memory: 2314Mi
- catalog.cattle.io/type: cluster-tool
- catalog.cattle.io/ui-component: istio
- catalog.cattle.io/upstream-version: 1.21.1
-apiVersion: v1
-appVersion: 1.21.1
-description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/
- for details.
-icon: https://charts.rancher.io/assets/logos/istio.svg
-keywords:
-- networking
-- infrastructure
-name: rancher-istio
-version: 1.21.1
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/README.md b/packages/rancher-istio/1.21/rancher-istio/charts/README.md
deleted file mode 100644
index 2230c61859..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/README.md
+++ /dev/null
@@ -1,79 +0,0 @@ -# Rancher-Istio Chart - -Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. - -See the app-readme for known issues and deprecations. - -## Installation Requirements - -#### Chart Dependencies -- rancher-monitoring chart or other Prometheus installation - -#### Install -To install the rancher-istio chart with helm, use the following command: -``` -helm install rancher-istio --create-namespace -n istio-system -``` - -#### Uninstall -To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal. - -**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:** -`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"` - -## Addons -The addons that are included with rancher-istio are: - -- Kiali -- Jaeger - -Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon. -### Kiali Addon - -Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard. - -#### Kiali Dependencies -##### rancher-monitoring chart or other Prometheus installation - -This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation. 
- -#### Prometheus Configuration for Kiali -> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding. - -The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces. - -To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. - -1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape. -1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces. - -#### Kiali External Services - -The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing. - -##### Prometheus -The `kiali.external_services.prometheus` url is set in the values.yaml: -``` -http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }} -``` -The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance. - -##### Grafana -The `kiali.external_services.grafana` url is set in the values.yaml: -``` -http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }} -``` -The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance. 
- -##### Tracing -The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml: -``` -http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }} -``` -The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance. - -## Jaeger Addon - -Jaeger allows you to trace and monitor distributed microservices. - -> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs. diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/app-readme.md b/packages/rancher-istio/1.21/rancher-istio/charts/app-readme.md deleted file mode 100644 index df1f81fe5c..0000000000 --- a/packages/rancher-istio/1.21/rancher-istio/charts/app-readme.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Rancher Istio - -Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes: -* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh -* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead. - -For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/istio/v2.5/). - -## Upgrading to Kubernetes v1.25+ - -Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. - -As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. - -> **Note:** -> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. - -> **Note:** -> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** -> -> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. - -Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. 
- -As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. - -## Warnings -- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details. - -## Known Issues - -#### Airgapped Environments -**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402) - -#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster. -To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster. -`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni` -See [this issue](https://github.com/rancher/rancher/issues/33291) for details. - -## Installing istio with distroless-images. -Istio `104.3.0+up1.21.1` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file. 
- -## Deprecations - -#### v1alpha1 security policies -As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/ - -If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version. - -> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to: -``` -Error: found 6 CRD of unsupported v1alpha1 security policy -``` -``` - Error: found 1 unsupported v1alpha1 security policy - ``` - ``` - Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x - ``` - Continue with the migration steps below before retrying the upgrade process. - -#### Migrating Resources: -Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post"). - -You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps. diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/configs/istio-base.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/configs/istio-base.yaml deleted file mode 100644 index 9d99112e36..0000000000 --- a/packages/rancher-istio/1.21/rancher-istio/charts/configs/istio-base.yaml +++ /dev/null 
@@ -1,135 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- base:
- enabled: {{ .Values.base.enabled }}
- cni:
- enabled: {{ .Values.cni.enabled }}
- k8s:
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- egressGateways:
- - enabled: {{ .Values.egressGateways.enabled }}
- name: istio-egressgateway
- k8s:
- {{- if .Values.egressGateways.hpaSpec }}
- hpaSpec: {{ toYaml .Values.egressGateways.hpaSpec | nindent 12 }}
- {{- end }}
- {{- if .Values.egressGateways.podDisruptionBudget }}
- podDisruptionBudget: {{ toYaml .Values.egressGateways.podDisruptionBudget | nindent 12 }}
- {{- end }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- ingressGateways:
- - enabled: {{ .Values.ingressGateways.enabled }}
- name: istio-ingressgateway
- k8s:
- {{- if .Values.ingressGateways.hpaSpec }}
- hpaSpec: {{ toYaml .Values.ingressGateways.hpaSpec | nindent 12 }}
- {{- end }}
- {{- if .Values.ingressGateways.podDisruptionBudget }}
- podDisruptionBudget: {{ toYaml .Values.ingressGateways.podDisruptionBudget | nindent 12 }}
- {{- end }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- service:
- ports:
- - name: status-port
- port: 15021
- targetPort: 15021
- - name: http2
- port: 80
- targetPort: 8080
- nodePort: 31380
- - name: https
- port: 443
- targetPort: 8443
- nodePort: 31390
- - name: tcp
- port: 31400
- targetPort: 31400
- nodePort: 31400
- - name: tls
- port: 15443
- targetPort: 15443
- istiodRemote:
- enabled: {{ .Values.istiodRemote.enabled }}
- pilot:
- enabled: {{ .Values.pilot.enabled }}
- k8s:
- {{- if .Values.pilot.hpaSpec }}
- hpaSpec: {{ toYaml .Values.pilot.hpaSpec | nindent 12 }}
- {{- end }}
- {{- if .Values.pilot.podDisruptionBudget }}
- podDisruptionBudget: {{ toYaml .Values.pilot.podDisruptionBudget | nindent 12 }}
- {{- end }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 12 }}
-{{- if .Values.nodeSelector }}
-{{- toYaml .Values.nodeSelector | nindent 12 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 12 }}
-{{- if .Values.tolerations }}
-{{- toYaml .Values.tolerations | nindent 12 }}
-{{- end }}
- hub: {{ .Values.systemDefaultRegistry | default "docker.io" }}
- profile: default
- tag: {{ .Values.tag }}
- revision: {{ .Values.revision }}
- meshConfig:
- defaultConfig:
- proxyMetadata:
- {{- if .Values.dns.enabled }}
- ISTIO_META_DNS_CAPTURE: "true"
- {{- end }}
- values:
- gateways:
- istio-egressgateway:
- name: istio-egressgateway
- type: {{ .Values.egressGateways.type }}
- istio-ingressgateway:
- name: istio-ingressgateway
- type: {{ .Values.ingressGateways.type }}
- global:
- istioNamespace: {{ template "istio.namespace" . }}
- proxy:
- image: {{ template "system_default_registry" . }}{{ .Values.global.proxy.repository }}:{{ .Values.global.proxy.tag }}
- proxy_init:
- image: {{ template "system_default_registry" . }}{{ .Values.global.proxy_init.repository }}:{{ .Values.global.proxy_init.tag }}
- {{- if .Values.global.defaultPodDisruptionBudget.enabled }}
- defaultPodDisruptionBudget:
- enabled: {{ .Values.global.defaultPodDisruptionBudget.enabled }}
- {{- end }}
- {{- if .Values.pilot.enabled }}
- pilot:
- image: {{ template "system_default_registry" . }}{{ .Values.pilot.repository }}:{{ .Values.pilot.tag }}
- {{- end }}
- telemetry:
- enabled: {{ .Values.telemetry.enabled }}
- v2:
- enabled: {{ .Values.telemetry.v2.enabled }}
- {{- if .Values.cni.enabled }}
- cni:
- image: {{ template "system_default_registry" . }}{{ .Values.cni.repository }}:{{ .Values.cni.tag }}
- excludeNamespaces:
- {{- toYaml .Values.cni.excludeNamespaces | nindent 8 }}
- logLevel: {{ .Values.cni.logLevel }}
- {{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/requirements.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/requirements.yaml
deleted file mode 100644
index 6db92ab2fa..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/requirements.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-dependencies:
-- condition: kiali.enabled
- name: kiali
- repository: file://./charts/kiali
- version: 1.79.0
-- condition: tracing.enabled
- name: tracing
- repository: file://./charts/tracing
- version: 1.56.0
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/samples/overlay-example.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/samples/overlay-example.yaml
deleted file mode 100644
index 5cf3cf3b0b..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/samples/overlay-example.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
- components:
- ingressGateways:
- - enabled: true
- name: ilb-gateway
- namespace: user-ingressgateway-ns
- k8s:
- resources:
- requests:
- cpu: 200m
- service:
- ports:
- - name: tcp-citadel-grpc-tls
- port: 8060
- targetPort: 8060
- - name: tcp-dns
- port: 5353
- serviceAnnotations:
- cloud.google.com/load-balancer-type: internal
- - enabled: true
- name: other-gateway
- namespace: cattle-istio-system
- k8s:
- resources:
- requests:
- cpu: 200m
- service:
- ports:
- - name: tcp-citadel-grpc-tls
- port: 8060
- targetPort: 8060
- - name: tcp-dns
- port: 5353
- serviceAnnotations:
- cloud.google.com/load-balancer-type: internal
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/_helpers.tpl b/packages/rancher-istio/1.21/rancher-istio/charts/templates/_helpers.tpl
deleted file mode 100644
index 30b429a800..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/_helpers.tpl
+++ /dev/null
@@ -1,27 +0,0 @@
-{{/* Ensure namespace is set the same everywhere */}}
-{{- define "istio.namespace" -}}
- {{- .Release.Namespace | default "istio-system" -}}
-{{- end -}}
-
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- else -}}
-{{- "" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Windows cluster will add default taint for linux nodes,
-add below linux tolerations to workloads could be scheduled to those linux nodes
-*/}}
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/admin-role.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/admin-role.yaml
deleted file mode 100644
index ad1313c4f1..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/admin-role.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- name: istio-admin
- namespace: {{ template "istio.namespace" . }}
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs:
- - '*'
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs:
- - '*'
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/base-config-map.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/base-config-map.yaml
deleted file mode 100644
index 5323917bc3..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/base-config-map.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-installer-base
- namespace: {{ template "istio.namespace" . }}
-data:
-{{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrole.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrole.yaml
deleted file mode 100644
index f8f229987d..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrole.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-installer
-rules:
-# istio groups
-- apiGroups:
- - extensions.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - authentication.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - config.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - install.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - networking.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - rbac.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - security.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - telemetry.istio.io
- resources:
- - '*'
- verbs:
- - '*'
-# k8s groups
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - '*'
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions.apiextensions.k8s.io
- - customresourcedefinitions
- verbs:
- - '*'
-- apiGroups:
- - apps
- - extensions
- resources:
- - daemonsets
- - deployments
- - deployments/finalizers
- - ingresses
- - replicasets
- - statefulsets
- verbs:
- - '*'
-- apiGroups:
- - autoscaling
- resources:
- - horizontalpodautoscalers
- verbs:
- - '*'
-- apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- verbs:
- - get
- - create
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - '*'
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - roles
- - rolebindings
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - events
- - namespaces
- - pods
- - pods/exec
- - pods/portforward
- - persistentvolumeclaims
- - secrets
- - services
- - serviceaccounts
- verbs:
- - '*'
-{{- if and .Values.global.cattle.psp.enabled }}
-- apiGroups:
- - policy
- resourceNames:
- - istio-installer
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrolebinding.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrolebinding.yaml
deleted file mode 100644
index 9d74a04345..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: istio-installer
-subjects:
-- kind: ServiceAccount
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- kind: ClusterRole
- name: istio-installer
- apiGroup: rbac.authorization.k8s.io
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/edit-role.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/edit-role.yaml
deleted file mode 100644
index d1059d58d7..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/edit-role.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- namespace: {{ template "istio.namespace" . }}
- name: istio-edit
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs:
- - '*'
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs:
- - '*'
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-cni-psp.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-cni-psp.yaml
deleted file mode 100644
index a71561e676..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-cni-psp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: psp-istio-cni
- namespace: {{ template "istio.namespace" . }}
-spec:
- allowPrivilegeEscalation: true
- fsGroup:
- rule: RunAsAny
- hostNetwork: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - secret
- - configMap
- - emptyDir
- - hostPath
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: psp-istio-cni
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: psp-istio-cni
-subjects:
- - kind: ServiceAccount
- name: istio-cni
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: psp-istio-cni
- namespace: {{ template "istio.namespace" . }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - psp-istio-cni
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-job.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-job.yaml
deleted file mode 100644
index c2e362e684..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-job.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istioctl-installer
- namespace: {{ template "istio.namespace" . }}
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- backoffLimit: 1
- template:
- spec:
- {{- if .Values.installer.releaseMirror.enabled }}
- hostAliases:
- - ip: "127.0.0.1"
- hostnames:
- - "github.com"
- {{- end }}
- containers:
- - name: istioctl-installer
- image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
- env:
- - name: RELEASE_NAME
- value: {{ .Release.Name }}
- - name: ISTIO_NAMESPACE
- value: {{ template "istio.namespace" . }}
- - name: FORCE_INSTALL
- value: {{ .Values.forceInstall | default "false" | quote }}
- - name: RELEASE_MIRROR_ENABLED
- value: {{ .Values.installer.releaseMirror.enabled | quote }}
- - name: SECONDS_SLEEP
- value: {{ .Values.installer.debug.secondsSleep | quote}}
- command: ["/bin/sh","-c"]
- args: ["/usr/local/app/scripts/run.sh"]
- volumeMounts:
- - name: config-volume
- mountPath: /app/istio-base.yaml
- subPath: istio-base.yaml
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- mountPath: /app/overlay-config.yaml
- subPath: overlay-config.yaml
- {{- end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio-installer-base
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- configMap:
- name: istio-installer-overlay
- {{- end }}
- serviceAccountName: istio-installer
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsUser: 499
- runAsGroup: 487
- restartPolicy: Never
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-psp.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-psp.yaml
deleted file mode 100644
index 9da3391d40..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-install-psp.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
-spec:
- privileged: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- volumes:
- - 'configMap'
- - 'secret'
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-psp.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-psp.yaml
deleted file mode 100644
index cfada1bf7f..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-psp.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istio-psp
-subjects:
- - kind: ServiceAccount
- name: istio-egressgateway-service-account
- - kind: ServiceAccount
- name: istio-ingressgateway-service-account
- - kind: ServiceAccount
- name: istio-mixer-service-account
- - kind: ServiceAccount
- name: istio-operator-authproxy
- - kind: ServiceAccount
- name: istiod-service-account
- - kind: ServiceAccount
- name: istio-sidecar-injector-service-account
- - kind: ServiceAccount
- name: istiocoredns-service-account
- - kind: ServiceAccount
- name: default
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - istio-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: istio-psp
- namespace: {{ template "istio.namespace" . }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-uninstall-job.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-uninstall-job.yaml
deleted file mode 100644
index 0091d0c176..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/istio-uninstall-job.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istioctl-uninstaller
- namespace: {{ template "istio.namespace" . }}
- annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded
-spec:
- template:
- spec:
- containers:
- - name: istioctl-uninstaller
- image: {{ template "system_default_registry" . }}{{ .Values.installer.repository }}:{{ .Values.installer.tag }}
- env:
- - name: RELEASE_NAME
- value: {{ .Release.Name }}
- - name: ISTIO_NAMESPACE
- value: {{ template "istio.namespace" . }}
- command: ["/bin/sh","-c"]
- args: ["/usr/local/app/scripts/uninstall_istio_system.sh"]
- volumeMounts:
- - name: config-volume
- mountPath: /app/istio-base.yaml
- subPath: istio-base.yaml
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- mountPath: /app/overlay-config.yaml
- subPath: overlay-config.yaml
- {{ end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio-installer-base
- {{- if .Values.overlayFile }}
- - name: overlay-volume
- configMap:
- name: istio-installer-overlay
- {{ end }}
- serviceAccountName: istio-installer
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsUser: 101
- runAsGroup: 101
- restartPolicy: OnFailure
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/overlay-config-map.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/overlay-config-map.yaml
deleted file mode 100644
index 287d26b2c3..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/overlay-config-map.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.overlayFile }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-installer-overlay
- namespace: {{ template "istio.namespace" . }}
-data:
- overlay-config.yaml: {{ toYaml .Values.overlayFile | indent 2 }}
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/service-monitors.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/service-monitors.yaml
deleted file mode 100644
index c3d60c4fce..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/service-monitors.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.kiali.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: envoy-stats-monitor
- namespace: {{ template "istio.namespace" . }}
- labels:
- monitoring: istio-proxies
-spec:
- selector:
- matchExpressions:
- - {key: istio-prometheus-ignore, operator: DoesNotExist}
- namespaceSelector:
- any: true
- jobLabel: envoy-stats
- endpoints:
- - path: /stats/prometheus
- targetPort: 15090
- interval: 15s
- relabelings:
- - sourceLabels: [__meta_kubernetes_pod_container_port_name]
- action: keep
- regex: '.*-envoy-prom'
- - action: labeldrop
- regex: "__meta_kubernetes_pod_label_(.+)"
- - sourceLabels: [__meta_kubernetes_namespace]
- action: replace
- targetLabel: namespace
- - sourceLabels: [__meta_kubernetes_pod_name]
- action: replace
- targetLabel: pod_name
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: istio-component-monitor
- namespace: {{ template "istio.namespace" . }}
- labels:
- monitoring: istio-components
-spec:
- jobLabel: istio
- targetLabels: [app]
- selector:
- matchExpressions:
- - {key: istio, operator: In, values: [pilot]}
- namespaceSelector:
- any: true
- endpoints:
- - port: http-monitoring
- interval: 15s
-{{- end -}}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/serviceaccount.yaml
deleted file mode 100644
index 82b6cbb7e6..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: istio-installer
- namespace: {{ template "istio.namespace" . }}
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/validate-psp-install.yaml
deleted file mode 100644
index 4b0e5cfb65..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/templates/view-role.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/templates/view-role.yaml
deleted file mode 100644
index 5947d3eba9..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/templates/view-role.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- namespace: {{ template "istio.namespace" . }}
- name: istio-view
-rules:
- - apiGroups:
- - config.istio.io
- resources:
- - adapters
- - attributemanifests
- - handlers
- - httpapispecbindings
- - httpapispecs
- - instances
- - quotaspecbindings
- - quotaspecs
- - rules
- - templates
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - envoyfilters
- - gateways
- - serviceentries
- - sidecars
- - virtualservices
- - workloadentries
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- - peerauthentications
- - requestauthentications
- verbs: ["get", "watch", "list"]
diff --git a/packages/rancher-istio/1.21/rancher-istio/charts/values.yaml b/packages/rancher-istio/1.21/rancher-istio/charts/values.yaml
deleted file mode 100644
index 8a9b3bc779..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/charts/values.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-overlayFile: ""
-tag: 1.21.1
-##Setting forceInstall: true will remove the check for istio version < 1.6.x and will not analyze your install cluster prior to install
-forceInstall: false
-
-installer:
- repository: rancher/istio-installer
- tag: 1.21.1-rancher1
- ##releaseMirror are configurations for istio upgrades.
- ##Setting releaseMirror.enabled: true will cause istio to use bundled in images from rancher/istio-installer to perfom an upgrade - this is ideal
- ##for airgap setups. Setting releaseMirror.enabled to false means istio will call externally to github to fetch the required assets.
- releaseMirror:
- enabled: false
-
- ##Set the secondsSleep to run a sleep command `sleep s` to allow time to exec into istio-installer pod for debugging
- debug:
- secondsSleep: 0
-
-##Native support for dns added in 1.8
-dns:
- enabled: false
-
-base:
- enabled: true
-
-cni:
- enabled: false
- repository: rancher/mirrored-istio-install-cni
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.21.1
- tag: 1.21.1-distroless
- logLevel: info
- excludeNamespaces:
- - istio-system
- - kube-system
-
-egressGateways:
- enabled: false
- type: NodePort
- hpaSpec: {}
- podDisruptionBudget: {}
-
-ingressGateways:
- enabled: true
- type: NodePort
- hpaSpec: {}
- podDisruptionBudget: {}
-
-istiodRemote:
- enabled: false
-
-pilot:
- enabled: true
- repository: rancher/mirrored-istio-pilot
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.21.1
- tag: 1.21.1-distroless
- hpaSpec: {}
- podDisruptionBudget: {}
-
-telemetry:
- enabled: true
- v2:
- enabled: true
-
-global:
- cattle:
- systemDefaultRegistry: ""
- psp:
- enabled: false
- proxy:
- repository: rancher/mirrored-istio-proxyv2
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.21.1
- tag: 1.21.1-distroless
- proxy_init:
- repository: rancher/mirrored-istio-proxyv2
-# If you wish to troubleshoot Istio, you can switch to regular images by uncommenting the following tag and deleting
-# the distroless tag:
-# tag: 1.21.1
- tag: 1.21.1-distroless
- defaultPodDisruptionBudget:
- enabled: true
-
-# Kiali subchart from rancher-kiali-server
-kiali:
- enabled: true
- # If you wish to change the authentication you can check the options in the Kiali documentation https://kiali.io/docs/configuration/authentication/
- auth:
- strategy: token
- server:
- web_root: /
- deployment:
- ingress_enabled: false
- external_services:
- prometheus:
- custom_metrics_url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
- url: "http://rancher-monitoring-prometheus.cattle-monitoring-system.svc:9090"
- tracing:
- in_cluster_url: "http://tracing.istio-system.svc:16686/jaeger"
- use_grpc: false
- grafana:
- in_cluster_url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
- url: "http://rancher-monitoring-grafana.cattle-monitoring-system.svc:80"
-
-tracing:
- enabled: false
- contextPath: "/jaeger"
-
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
diff --git a/packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml b/packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
deleted file mode 100644
index 7aad944a2e..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/kiali/dependency.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-workingDir: ""
-url: packages/rancher-istio/1.21/rancher-kiali-server
diff --git a/packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml b/packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
deleted file mode 100644
index 8da47fc1a2..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/generated-changes/dependencies/tracing/dependency.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-workingDir: ""
-url: packages/rancher-istio/1.21/rancher-tracing
diff --git a/packages/rancher-istio/1.21/rancher-istio/package.yaml b/packages/rancher-istio/1.21/rancher-istio/package.yaml
deleted file mode 100644
index 764b75a051..0000000000
--- a/packages/rancher-istio/1.21/rancher-istio/package.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-url: local
-version: 105.2.0+up1.21.1
diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
deleted file mode 100644
index e31d706d4b..0000000000
--- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "kiali-server.fullname" . }}-psp
-subjects:
- - kind: ServiceAccount
- name: kiali
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - {{ include "kiali-server.fullname" . }}-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "kiali-server.fullname" . }}-psp
- namespace: {{ .Release.Namespace }}
-spec:
- allowPrivilegeEscalation: false
- forbiddenSysctls:
- - '*'
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b7..0000000000
--- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
deleted file mode 100644
index 970d4e4f5d..0000000000
--- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/overlay/templates/web-root-configmap.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.web_root_override }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kiali-console
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kiali-server.labels" . | nindent 4 }}
-data:
- env.js: |
- window.WEB_ROOT='/k8s/clusters/{{ .Values.global.cattle.clusterId }}/api/v1/namespaces/{{ .Release.Namespace }}/services/http:kiali:20001/proxy/kiali';
-{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
deleted file mode 100644
index cbf2875381..0000000000
--- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/Chart.yaml.patch
+++ /dev/null
@@ -1,31 +0,0 @@ ---- charts-original/Chart.yaml -+++ charts/Chart.yaml -@@ -1,17 +1,26 @@ -+annotations: -+ catalog.cattle.io/hidden: "true" -+ catalog.cattle.io/os: linux -+ catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1 -+ catalog.rancher.io/namespace: cattle-istio-system -+ catalog.rancher.io/release-name: rancher-kiali-server - apiVersion: v2 - appVersion: v1.79.0 - description: Kiali is an open source project for service mesh observability, refer -- to https://www.kiali.io for details. -+ to https://www.kiali.io for details. This is installed as sub-chart with customized -+ values in Rancher's Istio. - home: https://github.com/kiali/kiali - icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg - keywords: - - istio - - kiali -+- networking -+- infrastructure - maintainers: - - email: kiali-users@googlegroups.com - name: Kiali - url: https://kiali.io --name: kiali-server -+name: rancher-kiali-server - sources: - - https://github.com/kiali/kiali - - https://github.com/kiali/kiali-operator diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch deleted file mode 100644 index cd8d4397cc..0000000000 --- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/_helpers.tpl.patch +++ /dev/null 
@@ -1,49 +0,0 @@ ---- charts-original/templates/_helpers.tpl -+++ charts/templates/_helpers.tpl -@@ -50,8 +50,15 @@ - Selector labels - */}} - {{- define "kiali-server.selectorLabels" -}} -+{{- $releaseName := .Release.Name -}} -+{{- $fullName := include "kiali-server.fullname" . -}} -+{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace $fullName) -}} - app.kubernetes.io/name: kiali --app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }} -+{{- if (and .Release.IsUpgrade $deployment)}} -+app.kubernetes.io/instance: {{ (get (($deployment).metadata.labels) "app.kubernetes.io/instance") | default $fullName }} -+{{- else }} -+app.kubernetes.io/instance: {{ $fullName }} -+{{- end }} - {{- end }} - - {{/* -@@ -172,6 +179,29 @@ - {{- end }} - {{- end }} - -+{{- define "system_default_registry" -}} -+{{- if .Values.global.cattle.systemDefaultRegistry -}} -+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -+{{- else -}} -+{{- "" -}} -+{{- end -}} -+{{- end -}} -+ -+{{/* -+Windows cluster will add default taint for linux nodes, -+add below linux tolerations to workloads could be scheduled to those linux nodes -+*/}} -+{{- define "linux-node-tolerations" -}} -+- key: "cattle.io/os" -+ value: "linux" -+ effect: "NoSchedule" -+ operator: "Equal" -+{{- end -}} -+ -+{{- define "linux-node-selector" -}} -+kubernetes.io/os: linux -+{{- end -}} -+ - {{/* - Autodetect remote cluster secrets if enabled - looks for secrets in the same namespace where Kiali is installed. - Returns a JSON dict whose keys are the cluster names and values are the cluster secret data. diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch deleted file mode 100644 index 1a787d4bce..0000000000 
--- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/templates/deployment.yaml.patch
+++ /dev/null
@@ -1,69 +0,0 @@ ---- charts-original/templates/deployment.yaml -+++ charts/templates/deployment.yaml -@@ -6,6 +6,9 @@ - namespace: {{ .Release.Namespace }} - labels: - {{- include "kiali-server.labels" . | nindent 4 }} -+ annotations: -+ "helm.sh/hook": post-install, post-upgrade -+ "helm.sh/hook-weight": "-4" - spec: - replicas: {{ .Values.deployment.replicas }} - selector: -@@ -53,7 +56,7 @@ - {{- toYaml .Values.deployment.host_aliases | nindent 6 }} - {{- end }} - containers: -- - image: "{{ .Values.deployment.image_name }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.image_version }}" -+ - image: "{{ template "system_default_registry" . }}{{ .Values.deployment.repository }}{{ if .Values.deployment.image_digest }}@{{ .Values.deployment.image_digest }}{{ end }}:{{ .Values.deployment.tag }}" - imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} - name: {{ include "kiali-server.fullname" . }} - command: -@@ -115,6 +118,11 @@ - - name: LOG_SAMPLER_RATE - value: "{{ .Values.deployment.logger.sampler_rate }}" - volumeMounts: -+ {{- if .Values.web_root_override }} -+ - name: kiali-console -+ subPath: env.js -+ mountPath: /opt/kiali/console/env.js -+ {{- end }} - - name: {{ include "kiali-server.fullname" . }}-configuration - mountPath: "/kiali-configuration" - - name: {{ include "kiali-server.fullname" . }}-cert -@@ -140,6 +148,14 @@ - {{- toYaml .Values.deployment.resources | nindent 10 }} - {{- end }} - volumes: -+ {{- if .Values.web_root_override }} -+ - name: kiali-console -+ configMap: -+ name: kiali-console -+ items: -+ - key: env.js -+ path: env.js -+ {{- end }} - - name: {{ include "kiali-server.fullname" . }}-configuration - configMap: - name: {{ include "kiali-server.fullname" . 
}} -@@ -194,12 +210,12 @@ - {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} - {{- end }} - {{- end }} -- {{- if .Values.deployment.tolerations }} -- tolerations: -- {{- toYaml .Values.deployment.tolerations | nindent 8 }} -- {{- end }} -- {{- if .Values.deployment.node_selector }} -- nodeSelector: -- {{- toYaml .Values.deployment.node_selector | nindent 8 }} -- {{- end }} -+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -+{{- if .Values.deployment.tolerations }} -+{{ toYaml .Values.deployment.tolerations | indent 8 }} -+{{- end }} -+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -+{{- if .Values.deployment.node_selector }} -+{{ toYaml .Values.deployment.node_selector | indent 8 }} -+{{- end }} - ... diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/values.yaml.patch b/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/values.yaml.patch deleted file mode 100644 index a6ef900b06..0000000000 --- a/packages/rancher-istio/1.21/rancher-kiali-server/generated-changes/patch/values.yaml.patch +++ /dev/null 
@@ -1,39 +0,0 @@ ---- charts-original/values.yaml -+++ charts/values.yaml -@@ -13,6 +13,8 @@ - # do this, a PR would be welcome. - kiali_route_url: "" - -+# rancher specific override that allows proxy access to kiali url -+web_root_override: true - # - # Settings that mimic the Kiali CR which are placed in the ConfigMap. - # Note that only those values used by the Helm Chart will be here. -@@ -53,10 +55,10 @@ - api_version: "autoscaling/v2" - spec: {} - image_digest: "" # use "sha256" if image_version is a sha256 hash (do NOT prefix this value with a "@") -- image_name: quay.io/kiali/kiali -+ repository: rancher/mirrored-kiali-kiali - image_pull_policy: "Always" - image_pull_secrets: [] -- image_version: v1.79.0 # version like "v1.39" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash -+ tag: v1.79.0 # version like "v1.79" (see: https://quay.io/repository/kiali/kiali?tab=tags) or a digest hash - ingress: - additional_labels: {} - class_name: "nginx" -@@ -118,3 +120,13 @@ - enabled: true - port: 9090 - web_root: "" -+ -+# Common settings used among istio subcharts. -+global: -+ # Specify rancher clusterId of external tracing config -+ # https://github.com/istio/istio.io/issues/4146#issuecomment-493543032 -+ cattle: -+ systemDefaultRegistry: "" -+ clusterId: -+ psp: -+ enabled: false -\ No newline at end of file diff --git a/packages/rancher-istio/1.21/rancher-kiali-server/package.yaml b/packages/rancher-istio/1.21/rancher-kiali-server/package.yaml deleted file mode 100644 index 7069f34c31..0000000000 --- a/packages/rancher-istio/1.21/rancher-kiali-server/package.yaml +++ /dev/null @@ -1,3 +0,0 @@ -url: https://kiali.org/helm-charts/kiali-server-1.79.0.tgz -version: 104.3.0 -doNotRelease: true \ No newline at end of file diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/.helmignore b/packages/rancher-istio/1.21/rancher-tracing/charts/.helmignore deleted file mode 100644 index 0e8a0eb36f..0000000000 
--- a/packages/rancher-istio/1.21/rancher-tracing/charts/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/Chart.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/Chart.yaml
deleted file mode 100644
index aab32623c4..0000000000
--- a/packages/rancher-istio/1.21/rancher-tracing/charts/Chart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-annotations:
- catalog.cattle.io/hidden: "true"
- catalog.cattle.io/os: linux
- catalog.rancher.io/certified: rancher
- catalog.rancher.io/namespace: istio-system
- catalog.rancher.io/release-name: rancher-tracing
-apiVersion: v1
-appVersion: 1.56.0
-description: A quick start Jaeger Tracing installation using the all-in-one demo.
- This is not production qualified. Refer to https://www.jaegertracing.io/ for details.
-name: rancher-tracing
-version: 1.56.0
diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/README.md b/packages/rancher-istio/1.21/rancher-tracing/charts/README.md
deleted file mode 100644
index 25534c6288..0000000000
--- a/packages/rancher-istio/1.21/rancher-tracing/charts/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Jaeger
-
-A Rancher chart based on the Jaeger all-in-one quick installation option. This chart will allow you to trace and monitor distributed microservices.
-
-> **Note:** The basic all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io) documentation to determine which installation you will need for your production needs.
diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/_affinity.tpl b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/_affinity.tpl
deleted file mode 100644
index bf6a9aee5c..0000000000
--- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/_affinity.tpl
+++ /dev/null
@@ -1,92 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} -{{- define "nodeAffinity" }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .Values.global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .Values.global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .Values.podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if or .Values.podAntiAffinityTermLabelSelector}} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/_helpers.tpl b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/_helpers.tpl deleted file mode 100644 index 09c6b05467..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/_helpers.tpl +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{/* -Expand the name of the chart. -*/}} -{{- define "tracing.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "tracing.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -kubernetes.io/os: linux -{{- end -}} \ No newline at end of file diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/deployment.yaml deleted file mode 100644 index f8a6828085..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/deployment.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tracing.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: {{ .Values.provider }} - template: - metadata: - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - prometheus.io/scrape: "true" - prometheus.io/port: "14269" -{{- if .Values.jaeger.podAnnotations }} -{{ toYaml .Values.jaeger.podAnnotations | indent 8 }} -{{- end }} - spec: - containers: - - name: jaeger - image: "{{ template "system_default_registry" . }}{{ .Values.jaeger.repository }}:{{ .Values.jaeger.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - env: - {{- if eq .Values.jaeger.spanStorageType "badger" }} - - name: BADGER_EPHEMERAL - value: "false" - - name: SPAN_STORAGE_TYPE - value: "badger" - - name: BADGER_DIRECTORY_VALUE - value: "/badger/data" - - name: BADGER_DIRECTORY_KEY - value: "/badger/key" - {{- end }} - - name: COLLECTOR_ZIPKIN_HOST_PORT - value: "9411" - - name: MEMORY_MAX_TRACES - value: "{{ .Values.jaeger.memory.max_traces }}" - - name: QUERY_BASE_PATH - value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} - livenessProbe: - httpGet: - path: / - port: 14269 - readinessProbe: - httpGet: - path: / - port: 14269 -{{- if eq .Values.jaeger.spanStorageType "badger" }} - volumeMounts: - - name: data - mountPath: /badger -{{- end }} - resources: -{{- if .Values.jaeger.resources }} -{{ toYaml .Values.jaeger.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - affinity: - {{- include "nodeAffinity" . | indent 6 }} - {{- include "podAntiAffinity" . 
| indent 6 }} - {{- if .Values.global.cattle.psp.enabled }} - securityContext: - runAsNonRoot: true - runAsUser: 1000 - {{- end }} - serviceAccountName: {{ include "tracing.fullname" . }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} -{{- if eq .Values.jaeger.spanStorageType "badger" }} - volumes: - - name: data -{{- if .Values.jaeger.persistentVolumeClaim.enabled }} - persistentVolumeClaim: - claimName: istio-jaeger-pvc -{{- else }} - emptyDir: {} -{{- end }} -{{- end }} diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/psp.yaml deleted file mode 100644 index 4d5c271e1b..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/psp.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{- if .Values.global.cattle.psp.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "tracing.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "tracing.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ include "tracing.fullname" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "tracing.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: - - policy - resourceNames: - - {{ include "tracing.fullname" . }} - resources: - - podsecuritypolicies - verbs: - - use ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "tracing.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - allowPrivilegeEscalation: false - forbiddenSysctls: - - '*' - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - requiredDropCapabilities: - - ALL - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - emptyDir - - secret - - persistentVolumeClaim -{{- end }} diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/pvc.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/pvc.yaml deleted file mode 100644 index 9b4c55e4fb..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/pvc.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.jaeger.persistentVolumeClaim.enabled }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: istio-jaeger-pvc - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} -spec: - storageClassName: {{ .Values.jaeger.storageClassName }} - accessModes: - - {{ .Values.jaeger.accessMode }} - resources: - requests: - storage: {{.Values.jaeger.persistentVolumeClaim.storage }} -{{- end }} diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/service.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/service.yaml deleted file mode 100644 index 4210a9b5fc..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/service.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.name }} - port: {{ .Values.service.externalPort }} - protocol: TCP - targetPort: 16686 - selector: - app: {{ .Values.provider }} ---- -# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin. -apiVersion: v1 -kind: Service -metadata: - name: zipkin - namespace: {{ .Release.Namespace }} - labels: - name: zipkin - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - ports: - - name: {{ .Values.service.name }} - port: {{ .Values.zipkin.queryPort }} - targetPort: {{ .Values.zipkin.queryPort }} - selector: - app: {{ .Values.provider }} ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger-collector - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: ClusterIP - ports: - - name: jaeger-collector-http - port: 14268 - targetPort: 14268 - protocol: TCP - - name: jaeger-collector-grpc - port: 14250 - targetPort: 14250 - protocol: TCP - selector: - app: {{ .Values.provider }} diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/serviceaccount.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/serviceaccount.yaml deleted file mode 100644 index 1bff77ff66..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "tracing.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b7..0000000000
--- a/packages/rancher-istio/1.21/rancher-tracing/charts/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/packages/rancher-istio/1.21/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.21/rancher-tracing/charts/values.yaml
deleted file mode 100644
index d6debaf4d4..0000000000
--- a/packages/rancher-istio/1.21/rancher-tracing/charts/values.yaml
+++ /dev/null
@@ -1,53 +0,0 @@ -provider: jaeger -contextPath: "" -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} -## List of node taints to tolerate (requires Kubernetes >= 1.6) -tolerations: [] -podAntiAffinityLabelSelector: [] -podAntiAffinityTermLabelSelector: [] -nameOverride: "" -fullnameOverride: "" - -global: - cattle: - systemDefaultRegistry: "" - psp: - enabled: false - defaultResources: {} - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - arch: - arm64: 2 - amd64: 2 - s390x: 2 - ppc64le: 2 - defaultNodeSelector: - kubernetes.io/os: linux - rbac: - pspEnabled: false - -jaeger: - repository: rancher/mirrored-jaegertracing-all-in-one - tag: 1.56.0 - # spanStorageType value can be "memory" and "badger" for all-in-one image - spanStorageType: badger - resources: - requests: - cpu: 10m - persistentVolumeClaim: - enabled: false - storage: 5Gi - storageClassName: "" - accessMode: ReadWriteMany - memory: - max_traces: 50000 -zipkin: - queryPort: 9411 -service: - annotations: {} - name: http-query - type: ClusterIP - externalPort: 16686 diff --git a/packages/rancher-istio/1.21/rancher-tracing/package.yaml b/packages/rancher-istio/1.21/rancher-tracing/package.yaml deleted file mode 100644 index b99625032e..0000000000 --- a/packages/rancher-istio/1.21/rancher-tracing/package.yaml +++ /dev/null @@ -1,3 +0,0 @@ -url: local -version: 104.2.0 -doNotRelease: true \ No newline at end of file From ae5d312167d5b39de00135bb81583309dba4d5e9 Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Mon, 24 Feb 2025 20:36:19 -0300 Subject: [PATCH 10/10] update release.yaml --- release.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/release.yaml b/release.yaml index d0bcd3eb97..3caac7f625 100644 --- a/release.yaml +++ b/release.yaml 
@@ -64,6 +64,10 @@ rancher-gke-operator: - 106.0.0+up1.11.0-rc.1 rancher-gke-operator-crd: - 106.0.0+up1.11.0-rc.1 +rancher-istio: + - 106.0.0+up1.22.1 + - 106.1.0+up1.23.2 + - 106.2.0+up1.24.1 rancher-logging: - 106.0.0-rc.1+up4.10.0-rancher.1 rancher-logging-crd: