From c6d29f6000f78c47f2e34ce4f47012e7692b81a0 Mon Sep 17 00:00:00 2001 
From: mcgin314 Date: Tue, 17 Sep 2024 12:49:35 -0400 Subject: [PATCH 1/9] Merge all clusters into single directory structure --- .../_envcommon/common-variables.hcl | 0 lab/account.hcl | 7 - .../development/account.hcl | 2 +- .../development/us-gov-east-1/region.hcl | 0 .../eks-cert-manager/terragrunt.hcl | 0 .../eks-config/terragrunt.hcl | 0 .../eks-grafana/terragrunt.hcl | 0 .../eks-istio/terragrunt.hcl | 0 .../eks-karpenter/terragrunt.hcl | 0 .../eks-kiali.disable/terragrunt.hcl.disable | 0 .../eks-loki/terragrunt.hcl | 0 .../eks-metrics-server/terragrunt.hcl | 0 .../eks-prometheus/README.md | 0 .../eks-prometheus/terragrunt.hcl | 0 .../eks-tempo/terragrunt.hcl | 0 .../platform-eng-eks-mcm}/eks/terragrunt.hcl | 0 .../eks-cert-manager/terragrunt.hcl | 0 .../eks-config/terragrunt.hcl | 0 .../eks-grafana/terragrunt.hcl | 0 .../eks-istio/terragrunt.hcl | 0 .../eks-karpenter/terragrunt.hcl | 0 .../eks-kiali.disable/terragrunt.hcl.disable | 0 .../eks-loki/terragrunt.hcl | 0 .../eks-metrics-server/terragrunt.hcl | 0 .../eks-prometheus/README.md | 0 .../eks-prometheus/terragrunt.hcl | 0 .../eks-tempo/terragrunt.hcl | 0 .../platform-eng-eks-test}/eks/terragrunt.hcl | 43 +- .../eks-cert-manager/terragrunt.hcl | 0 .../eks-config/terragrunt.hcl | 0 .../eks-grafana/terragrunt.hcl | 0 .../eks-istio/terragrunt.hcl | 0 .../eks-karpenter/terragrunt.hcl | 0 .../eks-kiali.disable/terragrunt.hcl.disable | 0 .../eks-loki/terragrunt.hcl | 0 .../eks-metrics-server/terragrunt.hcl | 0 .../eks-prometheus/README.md | 0 .../eks-prometheus/terragrunt.hcl | 0 .../eks-tempo/terragrunt.hcl | 0 .../platform-test-cicd}/eks/terragrunt.hcl | 0 .../eks-cert-manager/terragrunt.hcl | 15 +- .../platform-test-x/eks-config/terragrunt.hcl | 42 + .../eks-grafana/terragrunt.hcl | 38 + .../platform-test-x}/eks-istio/terragrunt.hcl | 15 +- .../eks-karpenter/terragrunt.hcl | 38 + .../eks-kiali.disable/terragrunt.hcl} | 51 +- .../platform-test-x/eks-loki/terragrunt.hcl | 31 + 
.../eks-metrics-server/terragrunt.hcl | 25 + .../platform-test-x/eks-prometheus/README.md | 0 .../eks-prometheus/terragrunt.hcl | 30 + .../platform-test-x/eks-tempo/terragrunt.hcl | 41 + .../vpc/platform-test-x/eks/terragrunt.hcl | 0 .../development/us-gov-east-1/vpc/vpc.hcl | 0 {project-x-infra-live => lab}/terragrunt.hcl | 0 lab/us-gov-east-1/region.hcl | 3 - .../vpc/_mcmCluster/common_vars.hcl | 170 - .../vpc/_mcmCluster/eks-config/terragrunt.hcl | 33 - .../_mcmCluster/eks-grafana/terragrunt.hcl | 36 - .../_mcmCluster/eks-karpenter/terragrunt.hcl | 30 - .../vpc/_mcmCluster/eks-loki/terragrunt.hcl | 27 - .../eks-metrics-server/terragrunt.hcl | 30 - .../_mcmCluster/eks-prometheus/terragrunt.hcl | 26 - .../vpc/_mcmCluster/eks-tempo/terragrunt.hcl | 31 - .../vpc/_mcmCluster/terragrunt.hcl | 94 - lab/us-gov-east-1/vpc/cluster/common_vars.hcl | 170 - .../cluster/eks-cert-manager/terragrunt.hcl | 32 - .../vpc/cluster/eks-config/terragrunt.hcl | 36 - .../vpc/cluster/eks-grafana/terragrunt.hcl | 41 - .../cluster/eks-istio/charts/base/Chart.yaml | 10 - .../cluster/eks-istio/charts/base/README.md | 35 - .../charts/base/crds/crd-all.gen.yaml | 13051 ---------------- .../charts/base/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 23 - .../profile-compatibility-version-1.21.yaml | 16 - .../charts/base/files/profile-demo.yaml | 73 - .../base/files/profile-openshift-ambient.yaml | 34 - .../charts/base/files/profile-openshift.yaml | 20 - .../charts/base/files/profile-preview.yaml | 13 - .../charts/base/files/profile-stable.yaml | 8 - .../eks-istio/charts/base/templates/NOTES.txt | 5 - .../eks-istio/charts/base/templates/crds.yaml | 3 - .../charts/base/templates/default.yaml | 54 - .../charts/base/templates/endpoints.yaml | 23 - .../base/templates/reader-serviceaccount.yaml | 16 - .../charts/base/templates/services.yaml | 37 - .../templates/validatingadmissionpolicy.yaml | 51 - .../charts/base/templates/zzz_profile.yaml | 38 - 
.../cluster/eks-istio/charts/base/values.yaml | 40 - .../eks-istio/charts/gateway/Chart.yaml | 12 - .../eks-istio/charts/gateway/README.md | 170 - .../charts/gateway/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 23 - .../profile-compatibility-version-1.21.yaml | 16 - .../charts/gateway/files/profile-demo.yaml | 73 - .../files/profile-openshift-ambient.yaml | 34 - .../gateway/files/profile-openshift.yaml | 20 - .../charts/gateway/files/profile-preview.yaml | 13 - .../charts/gateway/files/profile-stable.yaml | 8 - .../charts/gateway/templates/NOTES.txt | 9 - .../charts/gateway/templates/_helpers.tpl | 61 - .../charts/gateway/templates/deployment.yaml | 111 - .../charts/gateway/templates/hpa.yaml | 38 - .../templates/poddisruptionbudget.yaml | 16 - .../charts/gateway/templates/role.yaml | 33 - .../charts/gateway/templates/service.yaml | 64 - .../gateway/templates/serviceaccount.yaml | 13 - .../charts/gateway/templates/zzz_profile.yaml | 38 - .../charts/gateway/values.schema.json | 301 - .../eks-istio/charts/gateway/values.yaml | 152 - .../eks-istio/charts/istiod/Chart.yaml | 12 - .../cluster/eks-istio/charts/istiod/README.md | 73 - .../files/gateway-injection-template.yaml | 246 - .../charts/istiod/files/grpc-agent.yaml | 310 - .../charts/istiod/files/grpc-simple.yaml | 65 - .../istiod/files/injection-template.yaml | 542 - .../charts/istiod/files/kube-gateway.yaml | 352 - .../charts/istiod/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 23 - .../profile-compatibility-version-1.21.yaml | 16 - .../charts/istiod/files/profile-demo.yaml | 73 - .../files/profile-openshift-ambient.yaml | 34 - .../istiod/files/profile-openshift.yaml | 20 - .../charts/istiod/files/profile-preview.yaml | 13 - .../charts/istiod/files/profile-stable.yaml | 8 - .../charts/istiod/files/waypoint.yaml | 304 - .../charts/istiod/templates/NOTES.txt | 74 - .../charts/istiod/templates/_helpers.tpl | 23 - 
.../charts/istiod/templates/autoscale.yaml | 39 - .../charts/istiod/templates/clusterrole.yaml | 157 - .../istiod/templates/clusterrolebinding.yaml | 33 - .../istiod/templates/configmap-jwks.yaml | 14 - .../charts/istiod/templates/configmap.yaml | 112 - .../charts/istiod/templates/deployment.yaml | 257 - .../templates/istiod-injector-configmap.yaml | 78 - .../istiod/templates/mutatingwebhook.yaml | 158 - .../istiod/templates/poddisruptionbudget.yaml | 25 - .../istiod/templates/reader-clusterrole.yaml | 60 - .../templates/reader-clusterrolebinding.yaml | 15 - .../istiod/templates/revision-tags.yaml | 141 - .../charts/istiod/templates/role.yaml | 30 - .../charts/istiod/templates/rolebinding.yaml | 16 - .../charts/istiod/templates/service.yaml | 50 - .../istiod/templates/serviceaccount.yaml | 19 - .../templates/validatingadmissionpolicy.yaml | 57 - .../validatingwebhookconfiguration.yaml | 63 - .../charts/istiod/templates/zzz_profile.yaml | 38 - .../eks-istio/charts/istiod/values.yaml | 507 - .../vpc/cluster/eks-istio/terragrunt.hcl | 26 - .../vpc/cluster/eks-karpenter/terragrunt.hcl | 29 - .../eks-log-trace-monitor/terragrunt.hcl | 44 - .../vpc/cluster/eks-loki/terragrunt.hcl | 26 - .../cluster/eks-metrics-server/terragrunt.hcl | 28 - .../vpc/cluster/eks-prometheus/README.md | 55 - .../vpc/cluster/eks-prometheus/provider.tf | 17 - .../vpc/cluster/eks-prometheus/terragrunt.hcl | 34 - .../vpc/cluster/eks-slim/.terraform.lock.hcl | 125 - .../vpc/cluster/eks-slim/terragrunt.hcl | 85 - .../vpc/cluster/eks-tempo/terragrunt.hcl | 31 - .../vpc/cluster/eks/.terraform.lock.hcl | 105 - .../vpc/cluster/eks/terragrunt.hcl | 81 - .../vpc/cluster/terragrunt-hcl.bak | 67 - lab/us-gov-east-1/vpc/cluster/terragrunt.hcl | 79 - .../platform-test-2/common_vars.hcl.disable | 170 - 163 files changed, 324 insertions(+), 20690 deletions(-) rename {project-x-infra-live => lab}/_envcommon/common-variables.hcl (100%) delete mode 100644 lab/account.hcl rename {project-x-infra-live => 
lab}/development/account.hcl (89%) rename {project-x-infra-live => lab}/development/us-gov-east-1/region.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-cert-manager/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-config/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-grafana/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-istio/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-karpenter/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-kiali.disable/terragrunt.hcl.disable (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-loki/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-metrics-server/terragrunt.hcl (100%) rename lab/{us-gov-east-1/vpc/_mcmCluster => development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-prometheus/README.md (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-prometheus/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks-tempo/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => 
lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm}/eks/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-cert-manager/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-config/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-grafana/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-istio/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-karpenter/terragrunt.hcl (100%) rename project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl => lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali.disable/terragrunt.hcl.disable (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-loki/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-metrics-server/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-prometheus/README.md (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-prometheus/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-eng-eks-test}/eks-tempo/terragrunt.hcl (100%) rename 
lab/{us-gov-east-1/vpc/_mcmCluster => development/us-gov-east-1/vpc/platform-eng-eks-test}/eks/terragrunt.hcl (56%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-cert-manager/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-config/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-grafana/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-istio/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-karpenter/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-kiali.disable/terragrunt.hcl.disable (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-loki/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-metrics-server/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-prometheus/README.md (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-prometheus/terragrunt.hcl (100%) rename {project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks-tempo/terragrunt.hcl (100%) rename 
{project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2 => lab/development/us-gov-east-1/vpc/platform-test-cicd}/eks/terragrunt.hcl (100%) rename lab/{us-gov-east-1/vpc/_mcmCluster => development/us-gov-east-1/vpc/platform-test-x}/eks-cert-manager/terragrunt.hcl (59%) create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl rename lab/{us-gov-east-1/vpc/_mcmCluster => development/us-gov-east-1/vpc/platform-test-x}/eks-istio/terragrunt.hcl (59%) create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl rename lab/{us-gov-east-1/vpc/_mcmCluster/eks-kiali/terragrunt.hcl.off => development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl} (51%) create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl rename {project-x-infra-live => lab}/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/README.md (100%) create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl rename {project-x-infra-live => lab}/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl (100%) rename {project-x-infra-live => lab}/development/us-gov-east-1/vpc/vpc.hcl (100%) rename {project-x-infra-live => lab}/terragrunt.hcl (100%) delete mode 100644 lab/us-gov-east-1/region.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/common_vars.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/eks-config/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/eks-grafana/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/eks-karpenter/terragrunt.hcl delete mode 100644 
lab/us-gov-east-1/vpc/_mcmCluster/eks-loki/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/eks-metrics-server/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/eks-tempo/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/common_vars.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-cert-manager/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-config/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-grafana/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/Chart.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/README.md delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/crds/crd-all.gen.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-ambient.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.20.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.21.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-demo.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift-ambient.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-preview.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-stable.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/NOTES.txt delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/crds.yaml delete mode 100644 
lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/default.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/endpoints.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/reader-serviceaccount.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/services.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/validatingadmissionpolicy.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/zzz_profile.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/values.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/Chart.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/README.md delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-ambient.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.20.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.21.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-demo.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift-ambient.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-preview.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-stable.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/NOTES.txt delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/_helpers.tpl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/deployment.yaml delete mode 100644 
lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/hpa.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/poddisruptionbudget.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/role.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/service.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/serviceaccount.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/zzz_profile.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.schema.json delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/Chart.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/README.md delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/gateway-injection-template.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-agent.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-simple.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/injection-template.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/kube-gateway.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-ambient.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.20.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.21.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-demo.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift-ambient.yaml delete mode 100644 
lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-preview.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-stable.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/waypoint.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/NOTES.txt delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/_helpers.tpl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/autoscale.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrole.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrolebinding.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap-jwks.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/deployment.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/istiod-injector-configmap.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/mutatingwebhook.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/poddisruptionbudget.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrole.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrolebinding.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/revision-tags.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/role.yaml delete mode 100644 
lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/rolebinding.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/service.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/serviceaccount.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingadmissionpolicy.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingwebhookconfiguration.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/zzz_profile.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/values.yaml delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-istio/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-karpenter/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-log-trace-monitor/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-loki/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-metrics-server/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-prometheus/README.md delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-prometheus/provider.tf delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-prometheus/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-slim/.terraform.lock.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-slim/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks-tempo/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks/.terraform.lock.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/eks/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/cluster/terragrunt-hcl.bak delete mode 100644 lab/us-gov-east-1/vpc/cluster/terragrunt.hcl delete mode 100644 lab/us-gov-east-1/vpc/platform-test-2/common_vars.hcl.disable 
diff --git a/project-x-infra-live/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl
similarity index 100%
rename from project-x-infra-live/_envcommon/common-variables.hcl
rename to lab/_envcommon/common-variables.hcl
diff --git a/lab/account.hcl b/lab/account.hcl
deleted file mode 100644
index 0dd1f68..0000000
--- a/lab/account.hcl
+++ /dev/null
@@ -1,7 +0,0 @@
-locals {
- account_name = "lab-dev-ew"
- aws_account_id = "224384469011"
- environment = "development"
- aws_profile = "224384469011-lab-dev-gov"
- vpc_domain_name = "dev.lab.csp2.census.gov"
-}
diff --git a/project-x-infra-live/development/account.hcl b/lab/development/account.hcl
similarity index 89%
rename from project-x-infra-live/development/account.hcl
rename to lab/development/account.hcl
index 31ffcb3..1992080 100644
--- a/project-x-infra-live/development/account.hcl
+++ b/lab/development/account.hcl
@@ -5,7 +5,7 @@ locals {
 account_name = "lab-dev-ew"
 aws_account_id = "224384469011"
- aws_profile = "224384469011-lab-dev-gov.inf-admin-t2"
+ aws_profile = "224384469011-lab-dev-gov"
 environment = "development"
 environment_abbr = "dev"
 }
\ No newline at end of file
diff --git a/project-x-infra-live/development/us-gov-east-1/region.hcl b/lab/development/us-gov-east-1/region.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/region.hcl
rename to lab/development/us-gov-east-1/region.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-cert-manager/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
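Review bot: The `aws_profile` edit in `lab/development/account.hcl` (`-  aws_profile = "224384469011-lab-dev-gov.inf-admin-t2"` → `+  aws_profile = "224384469011-lab-dev-gov"`) is a credential/identity change buried inside a directory-restructuring commit; it alters which AWS CLI profile, and so which principal, every Terragrunt run in the development account uses, and the subject line gives no hint of it. Either split it into its own commit or state it in the description, and confirm that the new profile name exists in the AWS config of both operators and the CI runner before merging, since a missing profile only surfaces at plan time. Separately, the deleted `lab/account.hcl` carried `vpc_domain_name = "dev.lab.csp2.census.gov"` while the surviving `lab/development/account.hcl` defines no such local; if any module still reads `local.vpc_domain_name` through the account include it now has no source, which is worth a grep before merging. The `\ No newline at end of file` marker on the new side suggests adding a trailing newline while the file is being touched.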
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-config/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-grafana/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-istio/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-karpenter/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-kiali.disable/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali.disable/terragrunt.hcl.disable
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-kiali.disable/terragrunt.hcl.disable
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali.disable/terragrunt.hcl.disable
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-loki/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-metrics-server/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/README.md
similarity index 100%
rename from lab/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/README.md
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/README.md
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-tempo/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-cert-manager/terragrunt.hcl
similarity index 100%
rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-cert-manager/terragrunt.hcl
rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-cert-manager/terragrunt.hcl
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-config/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-config/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-config/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-grafana/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-grafana/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-grafana/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-istio/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-istio/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-istio/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-karpenter/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-karpenter/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-karpenter/terragrunt.hcl 
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali.disable/terragrunt.hcl.disable similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-kiali.disable/terragrunt.hcl.disable diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-loki/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-loki/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-loki/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-metrics-server/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-metrics-server/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-metrics-server/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/README.md similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/README.md rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/README.md 
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-prometheus/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-prometheus/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-tempo/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl similarity index 56% rename from lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl index 79966ad..570c0ea 100644 --- a/lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl 
@@ -4,29 +4,29 @@ include "root" { } locals { - account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) - region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) - # In which AWS region are operations being performed - account_id = local.account_vars.locals.aws_account_id - vpc_name = "vpc3-lab-dev" - cluster_name = "platform-eng-eks-mcm" + # Set cluster/platform specific variables, or extract from the hierarchy. + account_id = include.root.inputs.aws_account_id + vpc_name = include.root.inputs.vpc_name + cluster_name = "platform-eng-eks-test" cluster_version = "1.30" - vpc_domain_name = "dev.lab.csp2.census.gov" + vpc_domain_name = include.root.inputs.vpc_domain_name eks_instance_disk_size = 100 - eks_vpc_name = "vpc3-lab-dev" + eks_vpc_name = include.root.inputs.vpc_name eks_ng_desired_size = 2 eks_ng_max_size = 10 eks_ng_min_size = 2 operators_ns = "operators" enable_cluster_creator_admin_permissions = true cluster_endpoint_public_access = true - profile = "224384469011-lab-dev-gov" - region = local.region_vars.locals.aws_region - cluster_mailing_list = "matthew.c.morgan@census.gov" + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_mailing_list = "srinivasa.nangunuri@census.gov" + environment_abbr = include.root.inputs.environment_abbr # Tags applied to AWS objects created tags = { - "Environment" = "dev" + "eks-cluster-name" = local.cluster_name + "Environment" = local.environment_abbr "slim:schedule" = "8:00-17:00" "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" } @@ -34,7 +34,7 @@ locals { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=main" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] 
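Review bot: `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=main"` in the second hunk pins the cluster module to a mutable branch, so a push to `main` in tfmod-eks changes what `terragrunt apply` builds for this GovCloud cluster without any change being reviewed in this repo; pin to a release tag or full commit SHA instead, e.g. `?ref=<tag-or-sha>`, and the same applies to every `?ref=main` source introduced in this change. Separately, the retained context lines `enable_cluster_creator_admin_permissions = true` and `cluster_endpoint_public_access = true` keep the API server reachable from the internet with the applying identity as cluster admin, and nothing in the visible inputs narrows that with a public-access CIDR list; if the module exposes such a variable it is worth setting here, or a comment should record why a lab cluster needs a public endpoint. The `locals` block continues past the first hunk and the `terraform` block past the second.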
@@ -42,13 +42,14 @@ terraform { } inputs = { - aws_account_id = local.account_id - profile = local.profile - vpc_name = local.eks_vpc_name - cluster_name = local.cluster_name - cluster_version = local.cluster_version - eks_instance_disk_size = local.eks_instance_disk_size - eks_vpc_name = local.eks_vpc_name + aws_account_id = local.account_id + profile = local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + eks_vpc_name = local.eks_vpc_name + # eks_instance_types = local.eks_instance_types eks_ng_desired_size = local.eks_ng_desired_size eks_ng_max_size = local.eks_ng_max_size eks_ng_min_size = local.eks_ng_min_size @@ -60,5 +61,5 @@ inputs = { region = local.region creator = local.cluster_mailing_list os_username = local.cluster_mailing_list - shared_vpc_label = "dev" + shared_vpc_label = local.environment_abbr } diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-cert-manager/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-cert-manager/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-config/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-config/terragrunt.hcl 
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-grafana/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-grafana/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-istio/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-istio/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-karpenter/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-karpenter/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-kiali.disable/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-kiali.disable/terragrunt.hcl.disable similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-kiali.disable/terragrunt.hcl.disable rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-kiali.disable/terragrunt.hcl.disable 
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-loki/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-loki/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-metrics-server/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-metrics-server/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/README.md similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks-prometheus/README.md rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/README.md diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/terragrunt.hcl 
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-2/eks/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl similarity index 59% rename from lab/us-gov-east-1/vpc/_mcmCluster/eks-cert-manager/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl index bd7f869..1448ac8 100644 --- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl @@ -1,9 +1,10 @@ include "root" { - path = find_in_parent_folders() + path = find_in_parent_folders() + expose = true } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=main" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] 
@@ -12,14 +13,18 @@ terraform { dependency "eks" { config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" + } } inputs = { - cluster_name = dependency.eks.inputs.cluster_name + cluster_name = dependency.eks.outputs.cluster_name cluster_mailing_list = dependency.eks.inputs.creator oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn - profile = dependency.eks.inputs.profile - region = dependency.eks.inputs.region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region cert_manager_helm_chart = "1.15.1" cert_manager_cainjector_tag = "v1.15.1" cert_manager_controller_tag = "v1.15.1" diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl new file mode 100644 index 0000000..84bb1ff --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl 
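Review bot: The `dependency "eks"` block adds a `mock_outputs` placeholder for `oidc_provider_arn` but no `mock_outputs_allowed_terraform_commands`, so Terragrunt will substitute `arn:aws-us-gov:iam::111111111111:oidc-provider/...` on any command — including `apply` — whenever `../eks` has no readable outputs (never applied, wrong profile, state unreachable), and that input presumably ends up in the cert-manager IRSA trust policy. Restrict the mocks to read-only commands: `mock_outputs_allowed_terraform_commands = ["validate", "plan"]`. `cluster_mailing_list = dependency.eks.inputs.creator` still reads the dependency's inputs rather than an output, so it is not covered by the mock and breaks silently if `../eks/terragrunt.hcl` renames that local; consider exposing it as an output of the eks module. The `inputs` block continues past the end of the hunk.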
@@ -0,0 +1,42 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +# locals { +# tag_costallocation = "census:csvd:platformbaseline" +# } + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + vpc_id = "a-vpc-id" + cluster_name = "a-cluster-name" + subnets = ["subnet-00000000000000001", "subnet-00000000000000002", "subnet-00000000000000003", ] + security_group_all_worker_mgmt_id = "sg-00b0000000000000" + eks_managed_node_groups_autoscaling_group_names = ["eks-eks-a-cluster-name-node_group-0000000000000000000000000-5ac8a5e3-14dd-c043-2cc9-f4b6ffb36d32"] + oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" + } +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + vpc_id = dependency.eks.outputs.vpc_id + cluster_name = dependency.eks.outputs.cluster_name + subnets = dependency.eks.outputs.subnets + security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id + eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + # tags = dependency.eks.inputs.tags + # tag_costallocation = local.tag_costallocation + # cluster_autoscaler_role_name = dependency.eks.outputs.cluster_autoscaler_role_name +} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl new file mode 100644 index 0000000..c2172e8 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl 
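Review bot: The `mock_outputs` here are real-looking placeholders for `subnets`, `security_group_all_worker_mgmt_id`, the autoscaling-group name and `oidc_provider_arn`, and with no `mock_outputs_allowed_terraform_commands` Terragrunt will also feed them to `apply` if the `../eks` outputs are unavailable, so IAM or security-group changes could be planned and created against placeholder identifiers. Add `mock_outputs_allowed_terraform_commands = ["validate", "plan"]` to the dependency block. The commented-out `# tags = dependency.eks.inputs.tags` also means that, if this cluster's eks config defines tags the way the sibling `platform-eng-eks-test` one does (`Environment`, `eks-cluster-name`), they are not passed to this module; either wire them through or remove the dead comment along with `# tag_costallocation` and `# cluster_autoscaler_role_name`.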
@@ -0,0 +1,38 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + } +} +dependency "eks-loki" { + config_path = "../eks-loki" + mock_outputs = { + rwo_storage_class = "gp3-encrypted" + } +} +# dependency "eks-tempo" { +# config_path = "../eks-tempo" +# skip_outputs = true +# } + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks.inputs.vpc_domain_name + rwo_storage_class = dependency.eks-loki.outputs.rwo_storage_class + # datasources = dependency.eks-loki.outputs.gateway_internal_endpoint +} diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl similarity index 59% rename from lab/us-gov-east-1/vpc/_mcmCluster/eks-istio/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl index 5cd7643..5a30c0e 100644 --- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl @@ -1,9 +1,10 @@ include "root" { - path = find_in_parent_folders() + path = find_in_parent_folders() + expose = true } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=main" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] 
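Review bot: `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git"` carries no `?ref=`, unlike every other module source in this change, so it resolves to whatever the repository's default branch points at on the day of the run and cannot be reproduced or audited afterwards; pin it, at minimum `?ref=main` for consistency and preferably a tag or commit SHA. `cluster_domain = dependency.eks.inputs.vpc_domain_name` reads the dependency's inputs rather than an output, so it is not covered by `mock_outputs` and couples this file to a local name inside `../eks/terragrunt.hcl`. The commented-out `eks-tempo` dependency and `datasources` input should either be removed or carry a TODO saying what is pending.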
@@ -12,17 +13,19 @@ terraform { dependency "eks" { config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + } } - dependency "eks-karpenter" { config_path = "../eks-karpenter" skip_outputs = true } inputs = { - profile = dependency.eks.inputs.profile - cluster_name = dependency.eks.inputs.cluster_name - region = dependency.eks.inputs.region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name istio_chart_version = "1.22.1" istio_version = "1.22.1" } diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl new file mode 100644 index 0000000..982e1d7 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl 
@@ -0,0 +1,38 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_endpoint = "https://0000000000000000AAAAAAAAAAAAAAAA.sk1.us-gov-east-1.eks.amazonaws.com" + cluster_name = "a-cluster-name" + node_group_name = "node_group_a-cluster-name" + oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" + vpc_id = "a-vpc-name" + } +} + +dependency "eks-config" { + config_path = "../eks-config" + skip_outputs = true +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_endpoint = dependency.eks.outputs.cluster_endpoint + cluster_name = dependency.eks.outputs.cluster_name + karpenter_node_group_name = dependency.eks.outputs.node_group_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + vpc_id = dependency.eks.outputs.vpc_id +} diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-kiali/terragrunt.hcl.off b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl similarity index 51% rename from lab/us-gov-east-1/vpc/_mcmCluster/eks-kiali/terragrunt.hcl.off rename to lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl index f3c35f4..c395110 100644 --- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-kiali/terragrunt.hcl.off +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl 
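Review bot: The `mock_outputs` for `../eks` include a syntactically valid `oidc_provider_arn`, `cluster_endpoint` and `vpc_id`, and without `mock_outputs_allowed_terraform_commands` Terragrunt hands them to `apply` whenever the eks outputs cannot be read; these are exactly the values Karpenter presumably uses for its IAM trust policy and node provisioning, so a placeholder there is worse than a plan failure. Add `mock_outputs_allowed_terraform_commands = ["validate", "plan"]` to the dependency block. The placeholder `vpc_id = "a-vpc-name"` is also mislabeled for a VPC ID; `vpc_id = "vpc-00000000000000000"` matches the real format and makes a mocked plan easier to read against a real one.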
@@ -1,13 +1,11 @@ include "root" { path = find_in_parent_folders() -} - -locals { - tag_costallocation = "census:csvd:platformbaseline" + expose = true } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" + # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" + source = "../../../../../../../tfmod-kiali" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] 
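Review bot: `source = "../../../../../../../tfmod-kiali"` replaces the git source with a relative path seven levels above this file, i.e. a working copy outside this repository, so what gets deployed depends on whatever happens to be on the operator's disk and is neither reviewable nor reproducible. This sits in a live `terragrunt.hcl`: the directory is named `eks-kiali.disable`, but unlike the sibling clusters in this same commit, which rename the file to `terragrunt.hcl.disable`, the file keeps its name here, so a `run-all` in `platform-test-x` would pick it up. Restore the git source pinned to a tag or SHA — the commented line above already has the shape, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=<tag-or-sha>"` — or rename the file to `terragrunt.hcl.disable` until the module is ready. The `terraform` block continues past the end of the hunk.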
@@ -16,32 +14,57 @@ terraform { dependency "eks" { config_path = "../eks" -} -dependency "eks-config" { - config_path = "../eks-config" + mock_outputs = { + cluster_name = "a-cluster-name" + } } dependency "eks-cert-manager" { config_path = "../eks-cert-manager" + mock_outputs = { + cluster_issuer_name = "acmpca-clusterissuer" + } } dependency "eks-prometheus" { config_path = "../eks-prometheus" + mock_outputs = { + prometheus_server_internal_endpoint = { + hostname = "prometheus-server.prometheus.svc.cluster.local" + port_number = 9090 + url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" + } + } } dependency "eks-grafana" { config_path = "../eks-grafana" + mock_outputs = { + internal_endpoint = { + hostname = "grafana.grafana.svc.cluster.local" + port_number = "80" + url = "https://grafana.grafana.svc.cluster.local:80/" + } + namespace = "grafana" + public_endpoint = { + hostname = "grafana.dev.lab.csp2.census.gov" + port_number = "80" + url = "https://grafana.dev.lab.csp2.census.gov:80/" + } + secret_name = "grafana" + } } inputs = { - certificate_issuer = dependency.eks-cert-manager.outputs.certificate_issuer + profile = include.root.inputs.aws_profile cluster_domain = dependency.eks.inputs.vpc_domain_name - cluster_name = dependency.eks.inputs.cluster_name + operators_namespace = dependency.eks.inputs.operators_ns + cluster_name = dependency.eks.outputs.cluster_name + certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name + prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url grafana_namespace = dependency.eks-grafana.outputs.namespace grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url - grafana_secret_name = dependency.eks-grafana.outputs.secret_name + grafana_secret_name = "grafana" + # grafana_secret_name = dependency.eks-grafana.outputs.secret_name jaeger_internal_url = "" - 
operators_namespace = dependency.eks-config.outputs.operators_ns - profile = dependency.eks.inputs.profile - prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url # client_id = var.sso_client_id diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl new file mode 100644 index 0000000..cc94f7f --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl @@ -0,0 +1,31 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" + } +} +dependency "eks-istio" { + config_path = "../eks-istio" + skip_outputs = true +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn +} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl new file mode 100644 index 0000000..5414a72 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl 
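Review bot: `grafana_secret_name = "grafana"` hardcodes the secret Kiali uses to reach Grafana while the real wiring, `dependency.eks-grafana.outputs.secret_name`, is left commented out directly below it, even though the dependency block already mocks `secret_name = "grafana"`; if the Grafana module ever names the secret differently, Kiali will presumably read a missing or wrong secret with no plan-time signal. Use the output, `grafana_secret_name = dependency.eks-grafana.outputs.secret_name`, and drop the literal. The `internal_endpoint`/`public_endpoint` mocks pair `https://` URLs with port `"80"` as a string while the Prometheus mock uses numeric `9090`; harmless for a plan, but worth correcting so mocked plans resemble real ones. The `inputs` block appears to close outside the hunk.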
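Review bot: The Loki config passes `dependency.eks.outputs.oidc_provider_arn` straight into the module while the dependency block mocks it as `arn:aws-us-gov:iam::111111111111:oidc-provider/...` with no `mock_outputs_allowed_terraform_commands`, so an `apply` run while the eks outputs are unavailable would presumably build Loki's IRSA role against the placeholder ARN. Add `mock_outputs_allowed_terraform_commands = ["validate", "plan"]` so the mock can only ever reach a plan. The `eks-istio` dependency with `skip_outputs = true` is ordering-only, which is fine, but a one-line comment saying why Loki must follow Istio would help the next reader.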
@@ -0,0 +1,25 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + } +} + +inputs = { + profile = include.root.inputs.aws_profile + cluster_name = dependency.eks.outputs.cluster_name + region = include.root.inputs.aws_region +} diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/README.md similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/README.md rename to lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/README.md diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl new file mode 100644 index 0000000..62611b1 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl @@ -0,0 +1,30 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + } +} + +dependency "eks-istio" { + config_path = "../eks-istio" + skip_outputs = true +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name +} 
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl new file mode 100644 index 0000000..02fad53 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl @@ -0,0 +1,41 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" + } +} + +dependency "eks-prometheus" { + config_path = "../eks-prometheus" + mock_outputs = { + prometheus_server_internal_endpoint = { + hostname = "prometheus-server.prometheus.svc.cluster.local" + port_number = 9090 + url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" + } + prometheus_namespace = "prometheus" + } +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number + prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace +} diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl 
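Review bot: `oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn` is fed from a `mock_outputs` placeholder whenever `../eks` has no readable outputs, and with no `mock_outputs_allowed_terraform_commands` on either dependency block that substitution also happens on `apply`, so Tempo's IRSA role could presumably be created trusting `arn:aws-us-gov:iam::111111111111:oidc-provider/...`. Add `mock_outputs_allowed_terraform_commands = ["validate", "plan"]` to both the `eks` and `eks-prometheus` dependency blocks. The Prometheus mock also supplies a `http://` internal URL; if Tempo only consumes `port_number` and `prometheus_namespace`, as the inputs suggest, trimming the mock to those two keys keeps it honest about what is actually used.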
diff --git a/project-x-infra-live/development/us-gov-east-1/vpc/vpc.hcl b/lab/development/us-gov-east-1/vpc/vpc.hcl similarity index 100% rename from project-x-infra-live/development/us-gov-east-1/vpc/vpc.hcl rename to lab/development/us-gov-east-1/vpc/vpc.hcl diff --git a/project-x-infra-live/terragrunt.hcl b/lab/terragrunt.hcl similarity index 100% rename from project-x-infra-live/terragrunt.hcl rename to lab/terragrunt.hcl diff --git a/lab/us-gov-east-1/region.hcl b/lab/us-gov-east-1/region.hcl deleted file mode 100644 index f974d39..0000000 --- a/lab/us-gov-east-1/region.hcl +++ /dev/null @@ -1,3 +0,0 @@ -locals { - aws_region = "us-gov-east-1" -} \ No newline at end of file diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/common_vars.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/common_vars.hcl deleted file mode 100644 index fbbb5ef..0000000 --- a/lab/us-gov-east-1/vpc/_mcmCluster/common_vars.hcl +++ /dev/null 
@@ -1,170 +0,0 @@ -locals { - # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer) - account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) - - # Automatically load region-level variables - region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) - - # Which AWS_PROFILE to use to perform the operations - profile = local.account_vars.locals.aws_profile - - # In which AWS region are operations being performed - region = local.region_vars.locals.aws_region - - # Tags applied to AWS objects created - application_tags = { - "Project Name" = local.project_name - "ProjectNumber" = local.project_number - "CostAllocation" = local.organization - "Organization" = local.organization - "Environment" = local.account_vars.locals.environment - } - - #################################################### - ## VPC Information - #################################################### - # Information about the VPC in which artifacts are being created - - vpc_name = "vpc3-lab-dev" - - #################################################### - ## EKS Configuration - #################################################### - - # The name of the EKS cluster - cluster_name = "platform-eng-eks-mcm" - - # The kubernetes version to use for the cluster - cluster_version = "1.30" - - # The domain in which the cluster is being built - domain = local.account_vars.locals.vpc_domain_name - - # The size of the disk for the worker nodes, in GB - # Loki claims 60 GB - 10g claims - 2 services each with 3 replicas - # Prometheus claims 10g - # Tempo claims 10g x 3 replicas - eks_instance_disk_size = 120 - - # The VPC name in which the cluster will operate - eks_vpc_name = local.vpc_name - - # The types of instances to use for the worker nodes - eks_instance_types = ["t3.xlarge", "m4.xlarge", "m5.xlarge"] - - # How many worker nodes are desired - eks_ng_desired_size = 1 - - # What is the maximum 
number of worker nodes allowed. - eks_ng_max_size = 10 - - # What is the minimum number of worker nodes allowed. - eks_ng_min_size = 1 - - # Namespace to use for operator installation - operators_namespace = "operators" - - #################################################### - ## Cloudwatch Agent Configuration for EKS - #################################################### - # Uses cluster_name and region - - # The namespace that cloudwatch-agent and fluentbit will be installed. - cw_namespace = "cloudwatch" - - # How long the logs will be maintained within cloudwatch before deletion. - cw_log_retention_days = "30" - - # Fluent Bit reads log files from the tail, and will capture only new - # logs after it is deployed. If you want the opposite, set - # fluent_bit_read_from_head='On' and it will collect all logs in the - # file system and set fluent_bit_read_from_tail='Off'. - cw_fluent_bit_read_from_head = "off" - cw_fluent_bit_read_from_tail = "on" - - # Fluent Bit can integrate with prometheus and serve metrics. If the - # metrics server is desired, set this to "on" else set it to "off" to - # disable the metrics server - cw_fluent_bit_http_server = "on" - - # When the metrics server is enabled, the port on which the server is to run. - cw_fluent_bit_http_port = "2020" - - #################################################### - ## cert-manager Configuration - #################################################### - # Uses cluster_name and region - - # The namespace that cert-manager will be installed. 
- cm_namespace = "cert-manager" - - # The name of the cluster issuer to install - cm_cluster_issuer_name = "clusterissuer" - - # How to issue certs: - # Intermediate CA - Request an intermediate CA from TCO and provide the - # name of the file here: - #cm_intermediate_ca_crt = "./certs/pki.adsd-cumulus-sandbox.dev.csp1.census.gov.bundle.crt" - #cm_intermediate_ca_key = "./certs/pki.adsd-cumulus-sandbox.dev.csp1.census.gov.key" - # - # ACM - Use aws-pca-issuer to request leaf certs from AWS ACM. - cm_acm = true - - #################################################### - ## Istio Configuration - #################################################### - # Uses cluster_name and region - - # The namespace that Istio will be installed. - istio_namespace = "istio-system" - - istio_enable_telemetry = true - - # Potentially allow istio to control traffic outbound from the cluster. - istio_enable_egressgateway = true - - #################################################### - ## Keycloak Configuration - #################################################### - # Uses cluster_name and region - - keycloak_enabled = true - - # The namespace that Keycloak will be installed. 
- keycloak_namespace = "keycloak" - - # The email address of the person considered the keycloak administrator - keycloak_admin_email = "robel.t.fesshaye@census.gov" - - # Details about the database keycloak should use to store configuration data - keycloak_db_vendor = "postgresql" - keycloak_db_address = "adsd-rds-mft-sbox.c2tx3ocukdth.us-gov-east-1.rds.amazonaws.com" - keycloak_db_port = "5432" - keycloak_db_database = "keycloak" - keycloak_db_username = "keycloak" - keycloak_db_password = "a-secret-password" - - #################################################### - ## log-trace-monitor configuration - #################################################### - log_trace_monitor_namespace = "default" - log_trace_monitor_create_namespace = false - - #################################################### - ## Kubernetes Dashboard configuration - #################################################### - # Uses cluster_name and region - - # The namespace that kubernetes dashboard will be installed. - kube_dashboard_namespace = "kube-dashboard" - - #################################################### - ## Metrics Server configuration - #################################################### - # Uses cluster_name and region - - # The namespace that metrics-server will be installed. - ms_namespace = "kube-system" - - -} diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-config/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-config/terragrunt.hcl deleted file mode 100644 index 8b288b5..0000000 --- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-config/terragrunt.hcl +++ /dev/null 
@@ -1,33 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- vpc_id = dependency.eks.outputs.vpc_id
- cluster_name = dependency.eks.inputs.cluster_name
- # cluster_autoscaler_role_name = dependency.eks.outputs.cluster_autoscaler_role_name
- subnets = dependency.eks.outputs.subnets
- security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
- eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- tags = dependency.eks.inputs.tags
- tag_costallocation = local.tag_costallocation
- region = dependency.eks.inputs.region
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-grafana/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-grafana/terragrunt.hcl
deleted file mode 100644
index 4836624..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-grafana/terragrunt.hcl
+++ /dev/null
@@ -1,36 +0,0 @@
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-dependency "eks-config" {
- config_path = "../eks-config"
-}
-
-dependency "eks-istio" {
- config_path = "../eks-istio"
- skip_outputs = true
-}
-
-dependency "eks-karpenter" {
- config_path = "../eks-karpenter"
- skip_outputs = true
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- region = dependency.eks.inputs.region
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- # datasources = {
- # loki = dependency.eks-loki.outputs.gateway_internal_endpoint
- # }
- rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-karpenter/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-karpenter/terragrunt.hcl
deleted file mode 100644
index f8702a8..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-karpenter/terragrunt.hcl
+++ /dev/null
@@ -1,30 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
- skip_outputs = true
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_endpoint = dependency.eks.outputs.cluster_endpoint
- cluster_name = dependency.eks.inputs.cluster_name
- karpenter_node_group_name = dependency.eks.outputs.node_group_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- region = dependency.eks.inputs.region
- vpc_id = dependency.eks.outputs.vpc_id
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-loki/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-loki/terragrunt.hcl
deleted file mode 100644
index c9fa6ba..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-loki/terragrunt.hcl
+++ /dev/null
@@ -1,27 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-dependency "eks-grafana" {
- config_path = "../eks-grafana"
- skip_outputs = true
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- region = dependency.eks.inputs.region
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-metrics-server/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-metrics-server/terragrunt.hcl
deleted file mode 100644
index f8bd9c2..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-metrics-server/terragrunt.hcl
+++ /dev/null
@@ -1,30 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-# dependency "eks-config" {
-# config_path = "../eks-config"
-# skip_outputs = true
-# }
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- region = dependency.eks.inputs.region
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/terragrunt.hcl
deleted file mode 100644
index a8679ef..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-prometheus/terragrunt.hcl
+++ /dev/null
@@ -1,26 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-dependency "eks-grafana" {
- config_path = "../eks-grafana"
- skip_outputs = true
-}
-
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- region = dependency.eks.inputs.region
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks-tempo/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks-tempo/terragrunt.hcl
deleted file mode 100644
index 87becc7..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks-tempo/terragrunt.hcl
+++ /dev/null
@@ -1,31 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- region = dependency.eks.inputs.region
- cluster_name = dependency.eks.inputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
- prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
-}
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl
deleted file mode 100644
index 2886607..0000000
--- a/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl
+++ /dev/null
@@ -1,94 +0,0 @@ -locals { - # Automatically load _envcommon, cross account and environment common variables - # common_vars = read_terragrunt_config(find_in_parent_folders("common_vars.hcl")) - // "${get_tfvars_dir()}/${find_in_parent_folders("account.tfvars", "skip-account-if-does-not-exist")}", - - # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer) - account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) - - # Automatically load region-level variables - region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) - - # Automatically load vpc-level variables - # Not applicable in this demo, but including for reference, would be next level of variables and configurations - # vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl", "skip-account-if-does-not-exist")) - - # Extract the variables we need for easy access - account_id = local.account_vars.locals.aws_account_id - account_name = local.account_vars.locals.account_name - creator = "matthew.c.morgan@census.gov" - organization = "census:ocio:csvd" - profile = "224384469011-lab-dev-gov" - project_name = "csvd_platformbaseline" - project_number = "fs0000000078" - project_role = "csvd_platformbaseline_mcm" - region = local.region_vars.locals.aws_region - state_bucket_prefix = "inf-tfstate" - state_table_name = "tf_remote_state" -} - -generate "provider" { - path = "provider.tf" - if_exists = "overwrite_terragrunt" - contents = <`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. 
- -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/crds/crd-all.gen.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index 1625d85..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/crds/crd-all.gen.yaml +++ /dev/null 
@@ -1,13051 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - failStrategy: - description: |- - Specifies the failure behavior for the plugin due to fatal errors. - - Valid Options: FAIL_CLOSE, FAIL_OPEN - enum: - - FAIL_CLOSE - - FAIL_OPEN - type: string - imagePullPolicy: - description: |- - The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. - - Valid Options: IfNotPresent, Always - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. 
- maxLength: 253 - minLength: 1 - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: |- - Criteria for selecting traffic by their direction. - - Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - maximum: 65535 - minimum: 1 - type: integer - required: - - number - type: object - type: array - x-kubernetes-list-map-keys: - - number - x-kubernetes-list-type: map - type: object - type: array - phase: - description: |- - Determines where in the filter chain this `WasmPlugin` is to be injected. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - description: The plugin name to be used in the Envoy configuration - (used to be called `rootID`). - maxLength: 256 - minLength: 1 - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - format: int32 - nullable: true - type: integer - selector: - description: Criteria used to select the specific set of pods/VMs - on which this plugin configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - pattern: (^$|^[a-f0-9]{64}$) - type: string - targetRef: - properties: - group: - description: group is the group of the target resource. 
- type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: - description: |- - Specifies the type of Wasm Extension to be used. - - Valid Options: HTTP, NETWORK - enum: - - UNSPECIFIED_PLUGIN_TYPE - - HTTP - - NETWORK - type: string - url: - description: URL of a Wasm module or OCI container. - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have schema one of [http, https, file, oci] - rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', - ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && - url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', - ''oci'', ''file''])' - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - description: Name of the environment variable. - maxLength: 256 - minLength: 1 - type: string - value: - description: Value for the environment variable. - maxLength: 2048 - type: string - valueFrom: - description: |- - Source for the environment variable's value. - - Valid Options: INLINE, HOST - enum: - - INLINE - - HOST - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: value may only be set when valueFrom is INLINE - rule: '(has(self.valueFrom) ? 
self.valueFrom : '''') != ''HOST'' - || !has(self.value)' - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - url - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. 
- type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. 
- type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. 
- items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. 
- properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. 
- type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. 
- properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. 
- type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. 
- type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. 
- maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. 
- minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. 
- type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. 
- - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. 
Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. 
- type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. 
- format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. 
- - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. 
- format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. 
- format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. 
- - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. 
Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. 
- type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. 
- format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. 
- - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. 
- format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. 
- format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. 
- - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. 
- type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - description: |- - Specifies where in the Envoy configuration, the patch should be applied. - - Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. 
- type: string - portNumber: - description: The service port for which this cluster - was generated. - maximum: 4294967295 - minimum: 0 - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: |- - The specific config generation context to match on. - - Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - maximum: 4294967295 - minimum: 0 - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this - filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which - traffic is being sent/received. 
- maximum: 4294967295 - minimum: 0 - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by - a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format - (RE2) that can be used to select proxies using a specific - version of istio proxy. - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - description: The Istio gateway config's namespace/name - for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server - port number for which this route configuration was - generated. - maximum: 4294967295 - minimum: 0 - type: integer - vhost: - description: Match a specific virtual host in a route - configuration and apply the patch to the virtual host. - properties: - name: - description: The VirtualHosts objects generated - by Istio are named as host:port, where the host - typically corresponds to the VirtualService's - host field or the hostname of a service in the - registry. - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: |- - Match a route with specific action type. - - Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - description: The Route objects generated by - default are named as default. - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. 
- properties: - filterClass: - description: |- - Determines the filter insertion order. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: |- - Determines how the patch should be applied. - - Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. 
- type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - format: int32 - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. 
- type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. 
- - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. 
- type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. 
- items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
- items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. 
- maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. 
- type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. 
- format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. 
- type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. 
- type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. 
- items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. 
- maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. 
- - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. 
- type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. 
- type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. 
- - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
- type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. 
- type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. 
- maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. 
- items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. 
- type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. 
- items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. 
- items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. 
- type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. 
- maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. 
- items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. 
- type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. 
- items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. 
- items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. 
- type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. 
- maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. 
- items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. 
- type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. 
- items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. 
- items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- maximum: 4294967295 - minimum: 0 - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. 
- format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. 
See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. 
- format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. 
Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. 
- items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. 
- type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - shortNames: - - ap - singular: authorizationpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. 
- - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. 
- items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. 
It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. 
- items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. 
- items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. 
See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. 
See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. 
See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. 
- type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - required: - - issuer - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. 
See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. 
- type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - required: - - issuer - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. 
- properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
- - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. 
- type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. 
- items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. 
- - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. 
- - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - tracing: - description: Optional. 
- items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. 
- format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-ambient.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-ambient.yaml
deleted file mode 100644
index 7b2c18c..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-ambient.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.20.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.20.yaml
deleted file mode 100644
index e602ba8..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.20.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
- env:
- # 1.21 behavioral changes
- ENABLE_EXTERNAL_NAME_ALIAS: "false"
- PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
- VERIFY_CERTIFICATE_AT_CLIENT: "false"
- ENABLE_AUTO_SNI: "false"
-
- # 1.22 behavioral changes
- ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-
-meshConfig:
- # 1.22 behavioral changes
- defaultConfig:
- proxyMetadata:
- ISTIO_DELTA_XDS: "false"
- tracing:
- zipkin:
- address: zipkin.istio-system:9411
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.21.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.21.yaml
deleted file mode 100644
index 0c0fbfa..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-compatibility-version-1.21.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
- env:
- # 1.22 behavioral changes
- ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-meshConfig:
- # 1.22 behavioral changes
- proxyMetadata:
- ISTIO_DELTA_XDS: "false"
- defaultConfig:
- tracing:
- zipkin:
- address: zipkin.istio-system:9411
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-demo.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-demo.yaml
deleted file mode 100644
index 83b9d6b..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-demo.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The demo profile enables a variety of things to try out Istio in non-production environments.
-# * Lower resource utilization.
-# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
-# * More ports enabled on the ingress, which is used in some tasks.
-meshConfig:
- accessLogFile: /dev/stdout
- extensionProviders:
- - name: otel
- envoyOtelAls:
- service: opentelemetry-collector.observability.svc.cluster.local
- port: 4317
- - name: skywalking
- skywalking:
- service: tracing.istio-system.svc.cluster.local
- port: 11800
- - name: otel-tracing
- opentelemetry:
- port: 4317
- service: opentelemetry-collector.observability.svc.cluster.local
-
-global:
- proxy:
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
-
-pilot:
- autoscaleEnabled: false
- traceSampling: 100
- resources:
- requests:
- cpu: 10m
- memory: 100Mi
-
-gateways:
- istio-egressgateway:
- autoscaleEnabled: false
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
- istio-ingressgateway:
- autoscaleEnabled: false
- ports:
- ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
- # Note that AWS ELB will by default perform health checks on the first port
- # on this list. Setting this to the health check port will ensure that health
- # checks always work.
https://github.com/istio/istio/issues/12503
- - port: 15021
- targetPort: 15021
- name: status-port
- - port: 80
- targetPort: 8080
- name: http2
- - port: 443
- targetPort: 8443
- name: https
- - port: 31400
- targetPort: 31400
- name: tcp
- # This is the port where sni routing happens
- - port: 15443
- targetPort: 15443
- name: tls
- resources:
- requests:
- cpu: 10m
- memory: 40Mi
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift-ambient.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift-ambient.yaml
deleted file mode 100644
index 0908fd1..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift-ambient.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
-global:
- platform: openshift
-cni:
- ambient:
- enabled: true
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-pilot:
- cni:
- enabled: true
- provider: "multus"
- variant: distroless
- env:
- PILOT_ENABLE_AMBIENT: "true"
- # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
- PILOT_ENABLE_SENDING_HBONE: "true"
- PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
- CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
-platform: openshift
-variant: distroless
-seLinuxOptions:
- type: spc_t
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift.yaml
deleted file mode 100644
index 18f61b8..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-openshift.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
-# CNI must be installed.
-cni:
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-global:
- platform: openshift
-pilot:
- cni:
- enabled: true
- provider: "multus"
-platform: openshift
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-preview.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-preview.yaml
deleted file mode 100644
index 181d7bd..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-preview.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The preview profile contains features that are experimental.
-# This is intended to explore new features coming to Istio.
-# Stability, security, and performance are not guaranteed - use at your own risk.
-meshConfig:
- defaultConfig:
- proxyMetadata:
- # Enable Istio agent to handle DNS requests for known hosts
- # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
- ISTIO_META_DNS_CAPTURE: "true"
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-stable.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-stable.yaml
deleted file mode 100644
index 358282e..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/files/profile-stable.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The stable profile deploys admission control to ensure that only stable resources and fields are used
-# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
-experimental:
- stableValidationPolicy: true
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/NOTES.txt b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/NOTES.txt
deleted file mode 100644
index f12616f..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/NOTES.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Istio base successfully installed!
-
-To learn more about the release, try:
- $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
- $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/crds.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/crds.yaml
deleted file mode 100644
index af9901c..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/crds.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-{{- if .Values.base.enableCRDTemplates }}
-{{ .Files.Get "crds/crd-all.gen.yaml" }}
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/default.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/default.yaml
deleted file mode 100644
index e5b3465..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/default.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-{{- if not (eq .Values.defaultRevision "") }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istiod-default-validator
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.defaultRevision | quote }}
-webhooks:
- - name: validation.istio.io
- clientConfig:
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- {{- if (eq .Values.defaultRevision "default") }}
- name: istiod
- {{- else }}
- name: istiod-{{ .Values.defaultRevision }}
- {{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- {{- if .Values.base.validationCABundle }}
- caBundle: "{{ .Values.base.validationCABundle }}"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- apiVersions:
- - "*"
- resources:
- - "*"
-
- {{- if .Values.base.validationCABundle }}
- # Disable webhook controller in Pilot to stop patching it
- failurePolicy: Fail
- {{- else }}
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- {{- end }}
- sideEffects: None
- admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/endpoints.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/endpoints.yaml
deleted file mode 100644
index 3657520..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/endpoints.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-# if the remotePilotAddress is an IP addr
-apiVersion: v1
-kind: Endpoints
-metadata:
- {{- if .Values.pilot.enabled }}
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
- {{- else }}
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
- {{- end }}
- namespace: {{ .Release.Namespace }}
-subsets:
-- addresses:
- - ip: {{ .Values.global.remotePilotAddress }}
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 15017
- name: tcp-webhook
- protocol: TCP
----
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/reader-serviceaccount.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/reader-serviceaccount.yaml
deleted file mode 100644
index d9ce18c..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/reader-serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
-# Should be used for remote secret creation.
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/services.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/services.yaml
deleted file mode 100644
index fc1fa1a..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/services.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if .Values.pilot.enabled }}
- # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
- {{- else }}
- # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
- {{- end }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 443
- targetPort: 15017
- name: tcp-webhook
- protocol: TCP
- {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
- type: ExternalName
- externalName: {{ .Values.global.remotePilotAddress }}
- {{- end }}
-{{- if .Values.global.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
-{{- end }}
-{{- if .Values.global.ipFamilies }}
- ipFamilies:
-{{- range .Values.global.ipFamilies }}
- - {{ . }}
-{{- end }}
-{{- end }}
----
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/validatingadmissionpolicy.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/validatingadmissionpolicy.yaml
deleted file mode 100644
index 2376d99..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/validatingadmissionpolicy.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: "stable-channel-default-policy.istio.io"
- labels:
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.defaultRevision }}
-spec:
- failurePolicy: Fail
- matchConstraints:
- resourceRules:
- - apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- apiVersions: ["*"]
- operations: ["CREATE", "UPDATE"]
- resources: ["*"]
- variables:
- - name: isEnvoyFilter
- expression: "object.kind == 'EnvoyFilter'"
- - name: isWasmPlugin
- expression: "object.kind == 'WasmPlugin'"
- - name: isProxyConfig
- expression: "object.kind == 'ProxyConfig'"
- - name: isTelemetry
- expression: "object.kind == 'Telemetry'"
- validations:
- - expression: "!variables.isEnvoyFilter"
- - expression: "!variables.isWasmPlugin"
- - expression: "!variables.isProxyConfig"
- - expression: |
- !(
- variables.isTelemetry && (
- (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
- (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
- (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
- )
- )
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: "stable-channel-default-policy-binding.istio.io"
-spec:
- policyName: "stable-channel-default-policy.istio.io"
- validationActions: [Deny]
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/zzz_profile.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/zzz_profile.yaml
deleted file mode 100644
index 6359d43..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/templates/zzz_profile.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
-The original version of this file is located at /manifests directory.
-If you want to make a change in this file, edit the original one and run "make gen".
-
-Complex logic ahead...
-We have three sets of values, in order of precedence (last wins):
-1. The builtin values.yaml defaults
-2. The profile the user selects
-3. Users input (-f or --set)
-
-Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
-
-However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
-We can then merge the profile onto the defaults, then the user settings onto that.
-Finally, we can set all of that under .Values so the chart behaves without awareness.
-*/}}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
-{{- $profile := dict }}
-{{- with .Values.profile }}
-{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
-{{- $profile = (. | fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown profile" $.Values.profile) }}
-{{- end }}
-{{- end }}
-{{- with .Values.compatibilityVersion }}
-{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
-{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
-{{- end }}
-{{- end }}
-{{- if $profile }}
-{{- $a := mustMergeOverwrite $defaults $profile }}
-{{- end }}
-{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/values.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/values.yaml
deleted file mode 100644
index 88bca43..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/base/values.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-defaults:
- global:
-
- # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
-
- # Used to locate istiod.
- istioNamespace: istio-system
-
- externalIstiod: false
- remotePilotAddress: ""
-
- # Platform where Istio is deployed. Possible values are: "openshift", "gcp".
- # An empty value means it is a vanilla Kubernetes distribution, therefore no special
- # treatment will be considered.
- platform: ""
-
- # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
- # This is intended only for use with external istiod.
- ipFamilyPolicy: ""
- ipFamilies: []
-
- base:
- # Used for helm2 to add the CRDs to templates.
- enableCRDTemplates: false
-
- # Validation webhook configuration url
- # For example: https://$remotePilotAddress:15017/validate
- validationURL: ""
- # Validation webhook caBundle value. Useful when running pilot with a well known cert
- validationCABundle: ""
-
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
-
- defaultRevision: "default"
- experimental:
- stableValidationPolicy: false
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/Chart.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/Chart.yaml
deleted file mode 100644
index 12ae4ce..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/Chart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v2
-appVersion: 1.22.1
-description: Helm chart for deploying Istio gateways
-icon: https://istio.io/latest/favicons/android-192x192.png
-keywords:
-- istio
-- gateways
-name: gateway
-sources:
-- https://github.com/istio/istio
-type: application
-version: 1.22.1
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/README.md b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/README.md
deleted file mode 100644
index 5c064d1..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/README.md
+++ /dev/null
@@ -1,170 +0,0 @@
-# Istio Gateway Helm Chart
-
-This chart installs an Istio gateway deployment.
-
-## Setup Repo Info
-
-```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
-```
-
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
-
-## Installing the Chart
-
-To install the chart with the release name `istio-ingressgateway`:
-
-```console
-helm install istio-ingressgateway istio/gateway
-```
-
-## Uninstalling the Chart
-
-To uninstall/delete the `istio-ingressgateway` deployment:
-
-```console
-helm delete istio-ingressgateway
-```
-
-## Configuration
-
-To view support configuration options and documentation, run:
-
-```console
-helm show values istio/gateway
-```
-
-### Profiles
-
-Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
-These can be set with `--set profile=`.
-For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
-
-For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
-
-Explicitly set values have highest priority, then profile settings, then chart defaults.
-
-As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
-When configuring the chart, you should not include this.
-That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
-
-### OpenShift
-
-When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
-
-```console
-helm install istio-ingressgateway istio/gateway --set profile=openshift
-```
-
-### `image: auto` Information
-
-The image used by the chart, `auto`, may be unintuitive.
-This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
-This allows the same configurations and lifecycle to apply to gateways as sidecars.
-
-Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
-See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
-
-### Examples
-
-#### Egress Gateway
-
-Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
-
-```yaml
-service:
- # Egress gateways do not need an external LoadBalancer IP
- type: ClusterIP
-```
-
-#### Multi-network/VM Gateway
-
-Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
-
-```yaml
-networkGateway: network-1
-```
-
-### Migrating from other installation methods
-
-Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
-following the guidance below.
-If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
-
-WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
-
-#### Legacy Gateway Helm charts
-
-Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
-These are replaced by this chart.
-While not required, it is recommended all new users use this chart, and existing users migrate when possible.
-
-This chart has the following benefits and differences:
-* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
-* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
-* Published to official Istio Helm repository.
-* Single chart for all gateways (Ingress, Egress, East West).
-
-#### General concerns
-
-For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
-
-If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
-
-```yaml
-app: istio-gateway
-istio: gateway # the release name with leading istio- prefix stripped
-```
-
-If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
-`foo=bar,istio=ingressgateway`:
-
-```yaml
-name: my-custom-gateway # Override the name to match existing resources
-labels:
- app: "" # Unset default app selector label
- istio: ingressgateway # override default istio selector label
- foo: bar # Add the existing custom selector label
-```
-
-#### Migrating an existing Helm release
-
-An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
-installation was done like:
-
-```console
-helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
-```
-
-It could be upgraded with
-
-```console
-helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
-```
-
-Note the name and labels are overridden to match the names of the existing installation.
-
-Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
-If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
-or customize the ports to match the old defaults.
-See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
-
-#### Other migrations
-
-If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
-
-The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
-
-```console
-KINDS=(service deployment)
-RELEASE=istio-ingressgateway
-NAMESPACE=istio-system
-for KIND in "${KINDS[@]}"; do
- kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
- kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
- kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
-done
-```
-
-You may ignore errors about resources not being found.
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-ambient.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-ambient.yaml
deleted file mode 100644
index 7b2c18c..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-ambient.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
-meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
-global:
- variant: distroless
-pilot:
- env:
- PILOT_ENABLE_AMBIENT: "true"
- CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
-cni:
- ambient:
- enabled: true
-
-# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
-variant: distroless
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.20.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.20.yaml
deleted file mode 100644
index e602ba8..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.20.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
- env:
- # 1.21 behavioral changes
- ENABLE_EXTERNAL_NAME_ALIAS: "false"
- PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
- VERIFY_CERTIFICATE_AT_CLIENT: "false"
- ENABLE_AUTO_SNI: "false"
-
- # 1.22 behavioral changes
- ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-
-meshConfig:
- # 1.22 behavioral changes
- defaultConfig:
- proxyMetadata:
- ISTIO_DELTA_XDS: "false"
- tracing:
- zipkin:
- address: zipkin.istio-system:9411
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.21.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.21.yaml
deleted file mode 100644
index 0c0fbfa..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-compatibility-version-1.21.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
- env:
- # 1.22 behavioral changes
- ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-meshConfig:
- # 1.22 behavioral changes
- proxyMetadata:
- ISTIO_DELTA_XDS: "false"
- defaultConfig:
- tracing:
- zipkin:
- address: zipkin.istio-system:9411
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-demo.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-demo.yaml
deleted file mode 100644
index 83b9d6b..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-demo.yaml
+++ /dev/null
@@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. 
https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift-ambient.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd1..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift.yaml deleted file mode 100644 index 18f61b8..0000000 
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-preview.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bd..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-stable.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e..0000000 
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/NOTES.txt b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd01429..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/_helpers.tpl b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index a777d43..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/_helpers.tpl +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} -{{ include "gateway.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.podLabels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -{{- if hasKey .Values.labels "app" }} -{{- with .Values.labels.app }}app: {{.|quote}} -{{- end}} -{{- else }}app: {{ include "gateway.name" . }} -{{- end }} -{{- if hasKey .Values.labels "istio" }} -{{- with .Values.labels.istio }} -istio: {{.|quote}} -{{- end}} -{{- else }} -istio: {{ include "gateway.name" . | trimPrefix "istio-" }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/deployment.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/deployment.yaml deleted file mode 100644 index c8dc484..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/deployment.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- with .Values.replicaCount }} - replicas: {{ . }} - {{- end }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . | quote }} - {{- end }} - {{- include "gateway.podLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . 
}} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{ toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/hpa.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 1b0f936..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/hpa.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/poddisruptionbudget.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index 77f71e7..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/role.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/role.yaml deleted file mode 100644 index c8a25cb..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/service.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/service.yaml deleted file mode 100644 index 9177d2a..0000000 
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,64 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/serviceaccount.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index e5b2304..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/zzz_profile.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 6359d43..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/templates/zzz_profile.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.schema.json b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.schema.json deleted file mode 100644 index c97d84c..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.schema.json +++ /dev/null 
@@ -1,301 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "additionalProperties": false, - "$defs": { - "values": { - "type": "object", - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "revision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { 
- "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "priorityClassName": { - "type": "string" - } - } - } - }, - "defaults": { - 
"$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.yaml deleted file mode 100644 index a74a3ab..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/gateway/values.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -defaults: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: ~ - containerSecurityContext: ~ - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). 
- # allocateLoadBalancerNodePorts: false - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Labels to apply to all resources - labels: {} - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. 
- # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/Chart.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/Chart.yaml deleted file mode 100644 index 43b7425..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -appVersion: 1.22.1 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.22.1 diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/README.md b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/README.md deleted file mode 100644 index ddbfbc8..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/README.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. 
- -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/gateway-injection-template.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 97f4788..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null 
@@ -1,246 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if 
.Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: 
spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-agent.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 7290fcd..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-agent.yaml +++ /dev/null 
@@ -1,310 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if 
.Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - 
{{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: 
/var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-simple.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/injection-template.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 248b7ad..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/injection-template.yaml +++ /dev/null 
@@ -1,542 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index 
.ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} - {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta 
`traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ 
annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` 
.Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . 
}} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: 
ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to 
/etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/kube-gateway.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/kube-gateway.yaml
deleted file mode 100644
index 8d1dc5d..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/kube-gateway.yaml
+++ /dev/null
@@ -1,352 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - 
"sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 8 }} - spec: - {{- if ge .KubeVersion 122 }} - {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - {{- if ge .KubeVersion 122 }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - 
--proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with 
(valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - 
name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ----
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-ambient.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-ambient.yaml
deleted file mode 100644
index 7b2c18c..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-ambient.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.20.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.20.yaml
deleted file mode 100644
index e602ba8..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.20.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.21.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.21.yaml
deleted file mode 100644
index 0c0fbfa..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-compatibility-version-1.21.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-demo.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-demo.yaml
deleted file mode 100644
index 83b9d6b..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-demo.yaml
+++ /dev/null
@@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. 
https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift-ambient.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd1..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift.yaml deleted file mode 100644 index 18f61b8..0000000 
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-preview.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bd..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-stable.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e..0000000 
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/waypoint.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 0787767..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/files/waypoint.yaml +++ /dev/null 
@@ -1,304 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} 
- labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- 
else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - startupProbe: - 
failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - runAsGroup: 1337 - runAsUser: 0 - capabilities: - drop: - - ALL - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/NOTES.txt b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0771b91..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/NOTES.txt +++ /dev/null 
@@ -1,74 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- if (eq .Values.profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" 
"meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. 
-{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/_helpers.tpl b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 47b89a4..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} \ No newline at end of file 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/autoscale.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 91311d0..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} - {{- if .Values.pilot.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.pilot.autoscaleBehavior }} - behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrole.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index a68c114..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrole.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD 
definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.pilot.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . 
| quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] 
- resources: [ "serviceaccounts"] -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrolebinding.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index f6e4252..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap-jwks.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index b4c49df..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.pilot.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -data: - extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap.yaml deleted file mode 100644 index b7f11e2..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/configmap.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . 
| fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/deployment.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/deployment.yaml deleted file mode 100644 index eabe69d..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/deployment.yaml +++ /dev/null 
@@ -1,257 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} -{{- range $key, $val := .Values.pilot.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.pilot.autoscaleEnabled }} -{{- if .Values.pilot.replicaCount }} - replicas: {{ .Values.pilot.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.pilot.rollingMaxSurge }} - maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.pilot.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - {{- end }} - sidecar.istio.io/inject: "false" - {{- if .Values.pilot.podAnnotations }} -{{ toYaml .Values.pilot.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.pilot.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pilot.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.pilot.affinity }} - affinity: -{{- 
toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.pilot.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.pilot.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.pilot.image }} - image: "{{ .Values.pilot.image }}" -{{- else }} - image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.pilot.taint.namespace }} - - --cniNamespace={{ .Values.pilot.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" -{{- if .Values.pilot.extraContainerArgs }} - {{- with .Values.pilot.extraContainerArgs }} - {{- toYaml . 
| nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - {{- if .Values.pilot.env }} - {{- range $key, $val := .Values.pilot.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if .Values.pilot.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.pilot.traceSampling }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PLATFORM - value: "{{ .Values.global.platform }}" - resources: -{{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.pilot.seccompProfile }} - seccompProfile: -{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: 
/var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.pilot.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.pilot.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/istiod-injector-configmap.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 30e4714..0000000 
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/istiod-injector-configmap.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values.pilot "cni" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . 
}} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} 
-{{ toYaml . | trim | indent 6 }}
-{{- end }}
-
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/mutatingwebhook.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/mutatingwebhook.yaml
deleted file mode 100644
index 542164f..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,158 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - 
operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} 
-{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/poddisruptionbudget.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index ce61de5..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,25 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: istiod
- istio.io/rev: {{ .Values.revision | default "default" | quote }}
- install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
- operator.istio.io/component: "Pilot"
- release: {{ .Release.Name }}
- istio: pilot
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: istiod
- {{- if ne .Values.revision "" }}
- istio.io/rev: {{ .Values.revision | quote }}
- {{- else }}
- istio: pilot
- {{- end }}
----
-{{- end }}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrole.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrole.yaml
deleted file mode 100644
index 68f8105..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrole.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
-rules:
- - apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- - "telemetry.istio.io"
- - "extensions.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["gateways"]
- verbs: ["get", "watch", "list"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-{{- if .Values.global.externalIstiod }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", 
"watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrolebinding.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 4f9925c..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/revision-tags.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 5884e18..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/revision-tags.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: 
DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: 
"kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/role.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/role.yaml deleted file mode 100644 index 195bdde..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/rolebinding.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0d700f0..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/rolebinding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/service.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/service.yaml deleted file mode 100644 index 208e835..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/service.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.pilot.serviceAnnotations }} - annotations: -{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.pilot.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }} - {{- end }} - {{- if .Values.pilot.ipFamilies }} - ipFamilies: - {{- range .Values.pilot.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/serviceaccount.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index b7a35c7..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - {{- if .Values.pilot.serviceAccountAnnotations -}} - annotations: -{{- toYaml .Values.pilot.serviceAccountAnnotations | indent 4 }} - {{- end }} ---- diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingadmissionpolicy.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index a5cc418..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingwebhookconfiguration.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 1b44f76..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/zzz_profile.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 6359d43..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} 
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/values.yaml b/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/values.yaml deleted file mode 100644 index e87b1bf..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-istio/charts/istiod/values.yaml +++ /dev/null 
@@ -1,507 +0,0 @@ -defaults: - #.Values.pilot for discovery and mesh wide config - - ## Discovery Settings - pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. 
- jwksResolverExtraRootCA: "" - - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. 
With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. 
- # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). 
- # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.22.1 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. 
- # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. 
- enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. 
- resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. 
For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). 
- # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. 
- # The default value is "" and when caName="", the CA will be configured by other
- # mechanisms (e.g., environmental variable CA_PROVIDER).
- caName: ""
-
- # whether to use autoscaling/v2 template for HPA settings
- # for internal usage only, not to be configured by users.
- autoscalingv2API: true
-
- base:
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
-
- # `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead
- istio_cni:
- # `chained` has been deprecated and will be removed in a future release. use `provider` instead
- chained: true
- provider: default
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-istio/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-istio/terragrunt.hcl
deleted file mode 100644
index 3a75068..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-istio/terragrunt.hcl
+++ /dev/null
@@ -1,26 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- region = dependency.eks.inputs.region
- istio_chart_version = "1.22.1"
- istio_version = "1.22.1"
-}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-karpenter/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-karpenter/terragrunt.hcl
deleted file mode 100644
index e24960c..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-karpenter/terragrunt.hcl
+++ /dev/null
@@ -1,29 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_endpoint = dependency.eks.outputs.cluster_endpoint
- cluster_name = dependency.eks.inputs.cluster_name
- karpenter_node_group_name = dependency.eks.outputs.node_group_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- region = dependency.eks.inputs.region
- vpc_id = dependency.eks.outputs.vpc_id
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-log-trace-monitor/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-log-trace-monitor/terragrunt.hcl
deleted file mode 100644
index 414d039..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-log-trace-monitor/terragrunt.hcl
+++ /dev/null
@@ -1,44 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-log-trace-monitor.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-dependency "eks-config" {
- config_path = "../eks-config"
-}
-dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_endpoint = dependency.eks.outputs.cluster_endpoint
- cluster_name = dependency.eks.inputs.cluster_name
- karpenter_node_group_name = dependency.eks.outputs.node_group_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- region = dependency.eks.inputs.region
- vpc_id = dependency.eks.outputs.vpc_id
- certificate_issuer = "clusterissuer"
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- kubectl_image_registry = dependency.eks-config.outputs.kubectl_image_registry
- kubectl_image_repository = dependency.eks-config.outputs.kubectl_image_repository
- kubectl_image_tag = dependency.eks-config.outputs.kubectl_image_tag
- operators_namespace = dependency.eks.inputs.operators_ns
- rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
- region = "us-gov-east-1"
- s3_bucket_region = "us-gov-east-1"
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-loki/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-loki/terragrunt.hcl
deleted file mode 100644
index 6974959..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-loki/terragrunt.hcl
+++ /dev/null
@@ -1,26 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-dependency "eks-istio" {
- config_path = "../eks-istio"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- region = dependency.eks.inputs.region
-}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-metrics-server/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-metrics-server/terragrunt.hcl
deleted file mode 100644
index 2468913..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-metrics-server/terragrunt.hcl
+++ /dev/null
@@ -1,28 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-dependency "eks-config" {
- config_path = "../eks-config"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- region = dependency.eks.inputs.region
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-prometheus/README.md b/lab/us-gov-east-1/vpc/cluster/eks-prometheus/README.md
deleted file mode 100644
index f4b317e..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-prometheus/README.md
+++ /dev/null
@@ -1,55 +0,0 @@
-## eks-prometheus
-This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool.
-This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories.
- 1. prometheus-alert-manager
- 2. prometheus-node-exporter
- 3. prometheus-pushgateway
- 4. prometheus-server
-
-### Dependencies
-This module is dependent on EKS module (eks). The cluster should exist already for this module to work.
-
-### Inputs
- cluster_name
- profile
- prometheus_chart_version
- prometheus_server_tag
- prometheus_config_reloader_tag
- alertmanager_tag
- kube_state_metrics_tag
- node_exporter_tag
- pushgateway_tag
- rwo_storage_class
-
-### Outputs
- alertmanager_internal_endpoint
- alertmanager_headless_internal_endpoint
- pushgateway_internal_endpoint
- prometheus_server_internal_endpoint
-
-### Issues observed/fixed
-1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted"
-2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1"
-3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0"
-4. The alertmanager_tag value had to be updated from
-5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below:
- ```
- set {
- name = "kube-state-metrics.image.registry"
- value = module.images.images[local.ksm_key].dest_registry
- }
- set {
- name = "kube-state-metrics.image.repository"
- value = module.images.images[local.ksm_key].dest_repository
- }
- ```
-6. In some other cases the image ecr repository had to be split by the colon separatory (:)
- ```
- set {
- name = "alertmanager.configmapReload.image.repository"
- value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0]
- }
- ```
-
-
-
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-prometheus/provider.tf b/lab/us-gov-east-1/vpc/cluster/eks-prometheus/provider.tf
deleted file mode 100644
index a451c11..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-prometheus/provider.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-# provider.tf
-provider "aws" {
- region = "us-gov-east-1"
- profile = "224384469011-lab-dev-gov.inf-admin-t3"
-}
-
-provider "kubernetes" {
- config_path = "~/.kube/config"
- config_context = "arn:aws-us-gov:eks:us-gov-east-1:224384469011:cluster/platform-eng-eks-test"
-}
-
-provider "helm" {
- kubernetes {
- config_path = "~/.kube/config"
- config_context = "arn:aws-us-gov:eks:us-gov-east-1:224384469011:cluster/platform-eng-eks-test"
- }
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-prometheus/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-prometheus/terragrunt.hcl
deleted file mode 100644
index 04ebf87..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-prometheus/terragrunt.hcl
+++ /dev/null
@@ -1,34 +0,0 @@
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-remote_state {
- backend = "s3"
- generate = {
- path = "backend.tf"
- if_exists = "overwrite_terragrunt"
- }
- config = {
- bucket = "tg-infrastructure-tf-state-lab-dev-ew-us-gov-east-1"
- key = "platform-eks-test-prometheus/terraform.tfstate"
- region = "us-gov-east-1"
- encrypt = true
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-dependency "eks-loki" {
- config_path = "../eks-loki"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- cluster_name = dependency.eks.inputs.cluster_name
- region = "us-gov-east-1"
-}
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-slim/.terraform.lock.hcl b/lab/us-gov-east-1/vpc/cluster/eks-slim/.terraform.lock.hcl
deleted file mode 100644
index 9b60462..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-slim/.terraform.lock.hcl
+++ /dev/null
@@ -1,125 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.54.1" - constraints = ">= 4.0.0, >= 4.33.0, >= 5.14.0, >= 5.40.0" - hashes = [ - "h1:SOdZNOAcBvbrkV6V1S7UiGh9K//O66qfyXpHgyXeBeI=", - "zh:37c09b9a0a0a2f7854fe52c6adb15f71593810b458a8283ed71d68036af7ba3a", - "zh:42fe11d87723d4e43b9c6224ae6bacdcb53faee8abc58f0fc625a161d1f71cb1", - "zh:57c6dfc46f28c9c2737559bd84acbc05aeae90431e731bb72a0024028a2d2412", - "zh:5ba9665a4ca0e182effd75575b19a4d47383ec02662024b9fe26f78286c36619", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:b55980be0237644123a02a30b56d4cc03863ef29036c47d6e8ab5429ab45adf5", - "zh:b81e7664f10855a3a6fc234a18b4c4f1456273126a40c41516f2061696fb9870", - "zh:bd09736ffafd92af104c3c34b5add138ae8db4402eb687863ce472ca7e5ff2e2", - "zh:cc2eb1c62fba2a11d1f239e650cc2ae94bcab01c907384dcf2e213a6ee1bd5b2", - "zh:e5dc40205d9cf6f353c0ca532ae29afc6c83928bc9bcca47d74b640d3bb5a38c", - "zh:ebf1acdcd13f10db1b9c85050ddaadc70ab269c47c5a240753362446442d8371", - "zh:f2fc28a4ad94af5e6144a7309286505e3eb7a94d9dc106722b506c372ff7f591", - "zh:f49445e8435944df122aa89853260a2716ba8b73d6a6a70cae1661554926d5a2", - "zh:fc3b5046e60ae7cab20715be23de8436eb12736136fd6d0f0cc1549ebda6cc73", - "zh:fdb98a53500e245a3b5bec077b994da6959dba8fc4eb7534528658d820e06bd5", - ] -} - -provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.4" - constraints = ">= 2.0.0, >= 2.3.2" - hashes = [ - "h1:cVIIhnXweOHavu1uV2bdKScTjLbM1WnKM/25wqYBJWo=", - "zh:09f1f1e1d232da96fbf9513b0fb5263bc2fe9bee85697aa15d40bb93835efbeb", - "zh:381e74b90d7a038c3a8dcdcc2ce8c72d6b86da9f208a27f4b98cabe1a1032773", - "zh:398eb321949e28c4c5f7c52e9b1f922a10d0b2b073b7db04cb69318d24ffc5a9", - "zh:4a425679614a8f0fe440845828794e609b35af17db59134c4f9e56d61e979813", - "zh:4d955d8608ece4984c9f1dacda2a59fdb4ea6b0243872f049b388181aab8c80a", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a48fbee1d58d55a1f4c92c2f38c83a37c8b2f2701ed1a3c926cefb0801fa446a", - "zh:b748fe6631b16a1dafd35a09377c3bffa89552af584cf95f47568b6cd31fc241", - "zh:d4b931f7a54603fa4692a2ec6e498b95464babd2be072bed5c7c2e140a280d99", - "zh:f1c9337fcfe3a7be39d179eb7986c22a979cfb2c587c05f1b3b83064f41785c5", - "zh:f58fc57edd1ee3250a28943cd84de3e4b744cdb52df0356a53403fc240240636", - "zh:f5f50de0923ff530b03e1bca0ac697534d61bb3e5fc7f60e13becb62229097a9", - ] -} - -provider "registry.terraform.io/hashicorp/http" { - version = "3.4.3" - constraints = ">= 3.4.0" - hashes = [ - "h1:WUwrzNfcBamA4mm3Stzt6+GcwTosQv2T0CEmZefPBAo=", - "zh:001e12b8079955a9fa7f8fcd515ae665b2e1087107fd337c4b872e88a86d540b", - "zh:0874fb3f870b2ac24c967a9685f2da641079589024109340389694696301a85b", - "zh:3b5e533c3d2859575945568aad0aac66b71bfc709706231fc2de94e01ca76d7f", - "zh:622ee28d42ed9d4b1399dde377db515e62cac08bd65bb2455068621f7a42d90d", - "zh:6dea688d78840a3f678e06ee602d37c766ce2ee625dcdce0c6658116ebcbde8e", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7f57a1436a464bc2e1698457b402ff0fd98ef9e7dcf6707d6bd0debc67fad164", - "zh:829d89d82e6fc3c89714950dc8afa51d622bb8e4f4bd5c73037505fb55a67834", - "zh:e453202d09b62531ed3278926307d315276e05784e7c6448a2c21c6a2da6e48f", - "zh:e76edc035240b4ad9334b4a0282b44a086e001df3007a2fc51f6262c4db032d1", - "zh:eeb0379da9093e155a193f666079de6baf8ed02855bf2a443448903f7cfef378", - "zh:fcb00eeb665ccae383645173d8e10c3071946396629a7797db39c798997f21b0", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.2" - constraints = ">= 3.0.0, >= 3.2.1" - hashes = [ - "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=", - "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", - "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", - "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", - 
"zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", - "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", - "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", - "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", - "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", - "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", - "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.11.2" - constraints = ">= 0.9.0, >= 0.9.1" - hashes = [ - "h1:bC4b7n4g30ciIn5w6b66mXSTIo2CH6XQbp+gBdDvlYs=", - "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", - "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", - "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", - "zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", - "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", - "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", - "zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", - "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", - "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", - "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.5" - constraints = ">= 3.0.0, >= 4.0.4" - hashes = [ - "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", - "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", - 
"zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", - "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", - "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", - "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", - "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", - "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", - "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", - "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", - "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", - "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/lab/us-gov-east-1/vpc/cluster/eks-slim/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-slim/terragrunt.hcl deleted file mode 100644 index fc06705..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks-slim/terragrunt.hcl +++ /dev/null 
@@ -1,85 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
- expose = true
-}
-
-locals {
- # In which AWS region are operations being performed
- vpc_name = "vpc3-lab-dev"
- cluster_name = "eks-slim-cluster"
- cluster_version = 1.29
- domain = "dev.lab.csp2.census.gov"
- eks_instance_disk_size = 40
- eks_vpc_name = "vpc3-lab-dev"
- eks_ng_desired_size = 1
- eks_ng_max_size = 4
- eks_ng_min_size = 1
- operators_ns = "operators"
- enable_cluster_creator_admin_permissions = true
- cluster_endpoint_public_access = true
- profile = "224384469011-lab-dev-gov"
-
- # Tags applied to AWS objects created
- tags = {
- "Environment" = "dev"
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
- }
-
- aws_auth_roles = [
- {
- rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t3_b200ae7af469cdc8"
- aws_rolename : ""
- username : "admin"
- groups = ["system:masters"]
- },
- {
- rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
- aws_rolename : ""
- username : "admin"
- groups = ["system:masters"]
- }
- ]
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-remote_state {
- backend = "s3"
- generate = {
- path = "backend.tf"
- if_exists = "overwrite_terragrunt"
- }
- config = {
- bucket = "tg-infrastructure-tf-state-lab-dev-ew-us-gov-east-1"
- key = "eks-slim-cluster/terraform.tfstate"
- region = "us-gov-east-1"
- encrypt = true
- #dynamodb_table = "my-lock-table"
- }
-}
-
-inputs = {
- profile = local.profile
- vpc_name = local.eks_vpc_name
- cluster_name = local.cluster_name
- cluster_version = local.cluster_version
- eks_instance_disk_size = local.eks_instance_disk_size
- eks_vpc_name = local.eks_vpc_name
- #eks_instance_types = local.eks_instance_types
- eks_ng_desired_size = local.eks_ng_desired_size
- eks_ng_max_size = local.eks_ng_max_size
- eks_ng_min_size = local.eks_ng_min_size
- operators_ns = local.operators_ns
- enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions
- cluster_endpoint_public_access = local.cluster_endpoint_public_access
- tags = local.tags
- aws_auth_roles = local.aws_auth_roles
- domain = local.domain
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks-tempo/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks-tempo/terragrunt.hcl
deleted file mode 100644
index 0d46e4a..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks-tempo/terragrunt.hcl
+++ /dev/null
@@ -1,31 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-locals {
- tag_costallocation = "census:csvd:platformbaseline"
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- region = dependency.eks.inputs.region
- cluster_name = dependency.eks.inputs.cluster_name
- prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
- prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/eks/.terraform.lock.hcl b/lab/us-gov-east-1/vpc/cluster/eks/.terraform.lock.hcl
deleted file mode 100644
index 746d1a3..0000000
--- a/lab/us-gov-east-1/vpc/cluster/eks/.terraform.lock.hcl
+++ /dev/null
@@ -1,105 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.60.0" - constraints = ">= 4.0.0, >= 4.33.0, >= 5.14.0, >= 5.58.0" - hashes = [ - "h1:msnFtzhM9fQgi5ePG7Skt5DvnqOiWqMSxCNBred/hso=", - "zh:08f49c9eb865e136a55dda3eb2b790f6d55cdac49f6638391dbea4b865cf307b", - "zh:090dd8b40ebf0f8e9ea05b9a142add9caeb7988d3d96c5c112e8c67c0edf566f", - "zh:30f336af1b4f0824fce2cc6e81af0986b325b135436c9d892d081e435aeed67e", - "zh:338195ca3b41249874110253412d8913f770c22294af05799ea1e343050906f5", - "zh:3a8a45b17750b01192a0fbeeed0d05c2c04840344d78d5e3233b3ecbeec17a1c", - "zh:486efe72d39f0736d9b7e00e5b889288264458a57aa0cff2d75688d6db372ee5", - "zh:5fdccc448a085fea8ecfae43ae326840abfcdf1a0aa8b8c79dd466392aa5cc3a", - "zh:9521639755cd07ec7efde86a534770e436e16a93692d070a00f6419c1038d59c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:c2fb9240a069da9f51e7379e76c3dfaad15a97430c2e32708a7d18345434e310", - "zh:daba836b89537dfa72bb8c77e88850c20fda2a3d0f5b3803cd3d6da0ce283e3e", - "zh:db7e0755ed120ed8311f6663f49aa7157da5072b906727db3a6c47d64e0b82c6", - "zh:ea5e3fca5197639c4ad1415ca96de2924a351ecd1a885dd9184843d5eec18dbb", - "zh:f3f322951d311e45a47361f24790a90a0b8ba6d3829a00c4066a361960d2ecef", - "zh:f48b44f4887d4b51a1406057f15f1e2161cb02b271b2659349958904c678e91c", - ] -} - -provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.3.4" - constraints = ">= 2.0.0" - hashes = [ - "h1:cVIIhnXweOHavu1uV2bdKScTjLbM1WnKM/25wqYBJWo=", - "zh:09f1f1e1d232da96fbf9513b0fb5263bc2fe9bee85697aa15d40bb93835efbeb", - "zh:381e74b90d7a038c3a8dcdcc2ce8c72d6b86da9f208a27f4b98cabe1a1032773", - "zh:398eb321949e28c4c5f7c52e9b1f922a10d0b2b073b7db04cb69318d24ffc5a9", - "zh:4a425679614a8f0fe440845828794e609b35af17db59134c4f9e56d61e979813", - "zh:4d955d8608ece4984c9f1dacda2a59fdb4ea6b0243872f049b388181aab8c80a", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:a48fbee1d58d55a1f4c92c2f38c83a37c8b2f2701ed1a3c926cefb0801fa446a", - "zh:b748fe6631b16a1dafd35a09377c3bffa89552af584cf95f47568b6cd31fc241", - "zh:d4b931f7a54603fa4692a2ec6e498b95464babd2be072bed5c7c2e140a280d99", - "zh:f1c9337fcfe3a7be39d179eb7986c22a979cfb2c587c05f1b3b83064f41785c5", - "zh:f58fc57edd1ee3250a28943cd84de3e4b744cdb52df0356a53403fc240240636", - "zh:f5f50de0923ff530b03e1bca0ac697534d61bb3e5fc7f60e13becb62229097a9", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.2" - constraints = ">= 3.0.0, >= 3.2.1" - hashes = [ - "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=", - "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", - "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", - "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", - "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", - "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", - "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", - "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", - "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", - "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", - "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.12.0" - constraints = ">= 0.9.0" - hashes = [ - "h1:YV9bUZSUihGBKuwqNmRnm4wKQf11pr3hnYcarpoPoQQ=", - "zh:019a4c09af254ef80b72cf0d843dfe72d99483e227138cf5b514a1b9977ab4c3", - "zh:0ae310ec740ebc6f275529507d60bb747d0bf39e72fc5a2fa90d74486006132c", - "zh:13d6aec117f05237fbf8c7d91d6ebb19797b00aa87e7a812642d3ea4738a394e", - 
"zh:2e87abbc261f9317d0c2ef26e01d5fabf77679da7d2cac6f47df7d198f720989", - "zh:4a6d471176ce0264455aa7d5457b8702f78400010c201c1719708958a1b7b647", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8978d5474a6da30bc0ad21c17db188d6918cacf3df3f6506b72ef3a268d53e2e", - "zh:b109efe138dfcb45dc04a9cc6809d185ab8b0ebc12040847c2dac430fda5af68", - "zh:b58e039b9106ac0a8de3c07f53b5279d7f0215fb35f2d23df642dfce0875382f", - "zh:ba2cbb2e515922d13efe3a46647be84f5426fcfcaa0f1520b3efeab8db847ed3", - "zh:c6c1ef1f26f25bca3abb5e07fa33dca37ed39cc26d0ff877964f2ffe5edd618c", - "zh:f8e171f923b7d2e789abd034072465dec3e6133c3a7644b7a7a965a74d52224e", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.5" - constraints = ">= 3.0.0" - hashes = [ - "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", - "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", - "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", - "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", - "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", - "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", - "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", - "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", - "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", - "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", - "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", - "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/lab/us-gov-east-1/vpc/cluster/eks/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/eks/terragrunt.hcl deleted file mode 100644 index fd5a660..0000000 --- a/lab/us-gov-east-1/vpc/cluster/eks/terragrunt.hcl +++ /dev/null 
@@ -1,81 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
- expose = true
-}
-
-locals {
- account_id = local.account_vars.locals.aws_account_id
- account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
- region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
- # In which AWS region are operations being performed
- vpc_name = "vpc3-lab-dev"
- cluster_name = "platform-eng-eks-test"
- cluster_version = "1.30"
- vpc_domain_name = "dev.lab.csp2.census.gov"
- eks_instance_disk_size = 100
- eks_vpc_name = "vpc3-lab-dev"
- eks_ng_desired_size = 2
- eks_ng_max_size = 10
- eks_ng_min_size = 2
- operators_ns = "operators"
- enable_cluster_creator_admin_permissions = true
- cluster_endpoint_public_access = true
- profile = "224384469011-lab-dev-gov"
- region = local.region_vars.locals.aws_region
- cluster_mailing_list = "srinivasa.nangunuri@census.gov"
-
- # Tags applied to AWS objects created
- tags = {
- "Environment" = "dev"
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
- }
-
- aws_auth_roles = [
- {
- rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t3_b200ae7af469cdc8"
- aws_rolename : ""
- username : "admin"
- groups = ["system:masters"]
- },
- {
- rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
- aws_rolename : ""
- username : "admin"
- groups = ["system:masters"]
- }
- ]
-}
-
-terraform {
- #source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1"
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-inputs = {
- aws_account_id = local.account_id
- profile = local.profile
- vpc_name = local.eks_vpc_name
- cluster_name = local.cluster_name
- cluster_version = local.cluster_version
- eks_instance_disk_size = local.eks_instance_disk_size
- eks_vpc_name = local.eks_vpc_name
- #eks_instance_types = local.eks_instance_types
- eks_ng_desired_size = local.eks_ng_desired_size
- eks_ng_max_size = local.eks_ng_max_size
- eks_ng_min_size = local.eks_ng_min_size
- operators_ns = local.operators_ns
- enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions
- cluster_endpoint_public_access = local.cluster_endpoint_public_access
- tags = local.tags
- aws_auth_roles = local.aws_auth_roles
- vcp_domain_name = local.vpc_domain_name
- region = local.region
- creator = local.cluster_mailing_list
- os_username = local.cluster_mailing_list
- shared_vpc_label = "dev"
-}
diff --git a/lab/us-gov-east-1/vpc/cluster/terragrunt-hcl.bak b/lab/us-gov-east-1/vpc/cluster/terragrunt-hcl.bak
deleted file mode 100644
index 5950285..0000000
--- a/lab/us-gov-east-1/vpc/cluster/terragrunt-hcl.bak
+++ /dev/null
@@ -1,67 +0,0 @@
-locals {
- # In which AWS region are operations being performed
- # vpc_id = "vpc-0280f77b373744eaa"
- # profile = "224384469011-lab-dev-gov.inf-admin-t3"
- # cluster_name = "platform-eng-eks-test"
- # subnets = [
- # "subnet-078b228071c609a50",
- # "subnet-02c2250b9ec2dd6a2",
- # "subnet-07a6339be3670fb41",
- # ]
- # security_group_all_worker_mgmt_id = "sg-02b62e91afdbeba6b"
- # eks_managed_node_groups_autoscaling_group_names = ["eks-eks-platform-eng-eks-test-nodegroup-20240501173536404400000016-3ec79a9c-f002-40c6-8358-29fbacfbb3e8"]
-
- # region = "us-gov-east-1"
- # oidc_provider_arn = "arn:aws-us-gov:iam::224384469011:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/7DE08671C3526A48AD5537E814DC2828"
-
- tag_costallocation = "census:csvd:platformbaseline"
- region = "us-gov-east-1"
- tags = {
-
- "eks-cluster-name" = "platform-eng-eks-test"
- "CostAllocation" = "census:csvd:platformbaseline"
- "boc:tf_module_version" = "1.0.0"
- "boc:created_by" = "terraform"
- }
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-remote_state {
- backend = "s3"
- generate = {
- path = "backend.tf"
- if_exists = "overwrite_terragrunt"
- }
- config = {
- bucket = "tg-infrastructure-tf-state-lab-dev-ew-us-gov-east-1"
- key = "platform-eks-test-config/terraform.tfstate"
- region = "us-gov-east-1"
- encrypt = true
- #dynamodb_table = "my-lock-table"
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
-}
-
-inputs = {
- profile = dependency.eks.inputs.profile
- vpc_id = dependency.eks.outputs.vpc_id
- cluster_name = dependency.eks.inputs.cluster_name
- cluster_autoscaler_role_name = dependency.eks.outputs.cluster_autoscaler_role_name
- subnets = dependency.eks.outputs.subnets
- security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
- eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- tags = local.tags
- tag_costallocation = local.tag_costallocation
- region = local.region
-}
\ No newline at end of file
diff --git a/lab/us-gov-east-1/vpc/cluster/terragrunt.hcl b/lab/us-gov-east-1/vpc/cluster/terragrunt.hcl
deleted file mode 100644
index 39bbd6f..0000000
--- a/lab/us-gov-east-1/vpc/cluster/terragrunt.hcl
+++ /dev/null
@@ -1,79 +0,0 @@ -locals { - # Automatically load _envcommon, cross account and environment common variables - # common_vars = read_terragrunt_config("${dirname(find_in_parent_folders())}/_envcommon/common-variables.hcl", "skip-account-if-does-not-exist") - // "${get_tfvars_dir()}/${find_in_parent_folders("account.tfvars", "skip-account-if-does-not-exist")}", - - # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer) - account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) - - # Automatically load region-level variables - region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) - - # Automatically load vpc-level variables - # Not applicable in this demo, but including for reference, would be next level of variables and configurations - # vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl", "skip-account-if-does-not-exist")) - - # Extract the variables we need for easy access - account_name = local.account_vars.locals.account_name - account_id = local.account_vars.locals.aws_account_id - creator = "srinivasa.nangunuri@census.gov" - profile = "224384469011-lab-dev-gov" - organization = "census:ocio:csvd" - project_number = "fs0000000078" - project_name = "csvd_platformbaseline" - project_role = "csvd_platformbaseline_snang" - region = local.region_vars.locals.aws_region -} - -generate "provider" { - path = "provider.tf" - if_exists = "overwrite_terragrunt" - contents = < Date: Tue, 17 Sep 2024 15:37:39 -0400 Subject: [PATCH 2/9] Format and fix state variables --- .../eks-tempo/terragrunt.hcl | 2 +- .../platform-eng-eks-mcm/eks/terragrunt.hcl | 6 ++--- .../eks-tempo/terragrunt.hcl | 2 +- .../platform-eng-eks-test/eks/terragrunt.hcl | 6 ++--- .../eks-tempo/terragrunt.hcl | 2 +- .../eks-kiali.disable/terragrunt.hcl | 10 ++++----- .../platform-test-x/eks-tempo/terragrunt.hcl | 2 +- .../vpc/platform-test-x/eks/terragrunt.hcl | 6 ++--- 
lab/terragrunt.hcl | 22 ++++++++++---------
9 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
index 02fad53..7f3d706 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl
@@ -14,7 +14,7 @@ terraform {
 dependency "eks" {
 config_path = "../eks"
 mock_outputs = {
- cluster_name = "a-cluster-name"
+ cluster_name = "a-cluster-name"
 oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
 }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
index 0f4fb64..3bf52f9 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
@@ -26,9 +26,9 @@ locals {
 # Tags applied to AWS objects created
 tags = {
 "eks-cluster-name" = local.cluster_name
- "Environment" = local.environment_abbr
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
+ "Environment" = local.environment_abbr
+ "slim:schedule" = "8:00-17:00"
+ "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
 }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl
index 02fad53..7f3d706 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-tempo/terragrunt.hcl
@@ -14,7 +14,7 @@ terraform {
 dependency "eks" {
 config_path = "../eks"
 mock_outputs = {
- cluster_name = "a-cluster-name"
+ cluster_name = "a-cluster-name"
 oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
 }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl
index 570c0ea..f2b65d1 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl
@@ -26,9 +26,9 @@ locals {
 # Tags applied to AWS objects created
 tags = {
 "eks-cluster-name" = local.cluster_name
- "Environment" = local.environment_abbr
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
+ "Environment" = local.environment_abbr
+ "slim:schedule" = "8:00-17:00"
+ "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
 }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl
index 02fad53..7f3d706 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl
@@ -14,7 +14,7 @@ terraform {
 dependency "eks" {
 config_path = "../eks"
 mock_outputs = {
- cluster_name = "a-cluster-name"
+ cluster_name = "a-cluster-name"
 oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
 }
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl index c395110..ac0a548 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl @@ -1,5 +1,5 @@ include "root" { - path = find_in_parent_folders() + path = find_in_parent_folders() expose = true } @@ -42,13 +42,13 @@ dependency "eks-grafana" { port_number = "80" url = "https://grafana.grafana.svc.cluster.local:80/" } - namespace = "grafana" - public_endpoint = { + namespace = "grafana" + public_endpoint = { hostname = "grafana.dev.lab.csp2.census.gov" port_number = "80" url = "https://grafana.dev.lab.csp2.census.gov:80/" } - secret_name = "grafana" + secret_name = "grafana" } } @@ -64,7 +64,7 @@ inputs = { grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url grafana_secret_name = "grafana" # grafana_secret_name = dependency.eks-grafana.outputs.secret_name - jaeger_internal_url = "" + jaeger_internal_url = "" # client_id = var.sso_client_id diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl index 02fad53..7f3d706 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl @@ -14,7 +14,7 @@ terraform { dependency "eks" { config_path = "../eks" mock_outputs = { - cluster_name = "a-cluster-name" + cluster_name = "a-cluster-name" oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" } } 
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl index aa98f69..c899802 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl @@ -26,9 +26,9 @@ locals { # Tags applied to AWS objects created tags = { "eks-cluster-name" = local.cluster_name - "Environment" = local.environment_abbr - "slim:schedule" = "8:00-17:00" - "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + "Environment" = local.environment_abbr + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" } } diff --git a/lab/terragrunt.hcl b/lab/terragrunt.hcl index 504e9d4..4d16cc3 100644 --- a/lab/terragrunt.hcl +++ b/lab/terragrunt.hcl 
@@ -17,17 +17,19 @@ locals { # Automatically load vpc-level variables vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl", "skip-account-if-does-not-exist")) -# vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl", "skip-account-if-does-not-exist")) + # vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl", "skip-account-if-does-not-exist")) # Extract the variables we need for easy access - account_name = local.account_vars.locals.account_name - account_id = local.account_vars.locals.aws_account_id - aws_profile = local.account_vars.locals.aws_profile - aws_region = local.region_vars.locals.aws_region - organization = local.common_vars.locals.organization - project_number = local.common_vars.locals.project_number - project_name = local.common_vars.locals.project_name - project_role = local.common_vars.locals.project_role + account_name = local.account_vars.locals.account_name + account_id = local.account_vars.locals.aws_account_id + aws_profile = local.account_vars.locals.aws_profile + aws_region = local.region_vars.locals.aws_region + organization = local.common_vars.locals.organization + project_number = local.common_vars.locals.project_number + project_name = local.common_vars.locals.project_name + project_role = local.common_vars.locals.project_role + state_bucket_prefix = "inf-tfstate" + state_table_name = "tf_remote_state" } # Generate an AWS provider block 
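Review bot: The `# vpc_vars = read_terragrunt_config(...)` line is a commented-out duplicate of the live assignment directly above it, and this hunk re-indents it instead of deleting it. The two new locals `state_bucket_prefix = "inf-tfstate"` and `state_table_name = "tf_remote_state"` arrive without a comment although they name the per-account state store; a line such as `# Naming for the state bucket and lock table consumed by remote_state below` above them would make the block self-explanatory. The `locals` block begins before this hunk.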
@@ -91,7 +93,7 @@ remote_state { skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced skip_bucket_public_access_blocking = true skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason - skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption + skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption skip_bucket_versioning = false # use only if the object store does not support versioning enable_lock_table_ssencryption = false # use only if non-encrypted DynamoDB Lock Table for the OpenTofu/Terraform State is required and/or the NoSQL database service does not support server-side encryption } From cc9ce060398065a13a44aaca779c91e64e00b577 Mon Sep 17 00:00:00 2001 From: mcgin314 Date: Tue, 17 Sep 2024 15:42:17 -0400 Subject: [PATCH 3/9] Fix profile and region vars in state config --- lab/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lab/terragrunt.hcl b/lab/terragrunt.hcl index 4d16cc3..27d0a04 100644 --- a/lab/terragrunt.hcl +++ b/lab/terragrunt.hcl 
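Review bot: The re-indented `skip_bucket_ssencryption = true`, together with `skip_bucket_enforced_tls = true`, `skip_bucket_public_access_blocking = true` and `enable_lock_table_ssencryption = false` on the new side of this hunk, leaves the Terraform state bucket and the lock table without server-side encryption, without an enforced-TLS bucket policy and without public-access blocking, while the `use only if ...` comments on the same lines say each is reserved for a store that cannot support the control. State files carry resource attributes and outputs that should not be readable by anyone with bucket access, so these should stay at Terragrunt's defaults unless the bucket is provisioned elsewhere with equivalent controls, in which case a comment naming that should replace the `use only if` text. The change is only whitespace here, but the flags are what ends up applied; the `remote_state` block begins before this hunk.
```hcl
    # … unchanged: bucket, dynamodb_table, key, profile, region …
    skip_bucket_enforced_tls           = false
    skip_bucket_public_access_blocking = false
    # … unchanged: skip_bucket_root_access …
    skip_bucket_ssencryption           = false
    skip_bucket_versioning             = false # use only if the object store does not support versioning
    enable_lock_table_ssencryption     = true
```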
@@ -88,8 +88,8 @@ remote_state { bucket = "${local.state_bucket_prefix}-${local.account_id}" dynamodb_table = "${local.state_table_name}" key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" - profile = "${local.profile}" - region = "${local.region}" + profile = "${local.aws_profile}" + region = "${local.aws_region}" skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced skip_bucket_public_access_blocking = true skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason From 9720802e12af42ede53821bddef8ea1f3e85aa71 Mon Sep 17 00:00:00 2001 
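Review bot: The `key` expression just above the corrected `profile`/`region` lines builds the state path from `run_cmd("realpath", get_original_terragrunt_dir())` with `dirname(get_repo_root())` stripped, so the key embeds the name of the directory the repository was cloned into; a clone under a different directory name resolves to a different, empty state object and a plan would no longer see the existing resources. Terragrunt's `path_relative_to_include()` yields the per-module path relative to this root file without shelling out, e.g. `key = "${path_relative_to_include()}/terraform.tfstate"`, though switching keys means migrating the existing state objects once. The `"${local.aws_profile}"`, `"${local.aws_region}"` and `"${local.state_table_name}"` wrappers are redundant interpolation; `profile = local.aws_profile` is the idiomatic form. The `remote_state` block begins before this hunk and ends after it.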
From: mcgin314 Date: Fri, 20 Sep 2024 15:56:09 -0400 Subject: [PATCH 4/9] Merge all latest module updates to terragrunt repo structure --- .gitignore | 1 + .../platform-eng-eks-mcm/eks/terragrunt.hcl | 6 +- .../platform-test-x/eks-dns/terragrunt.hcl | 31 ++++++++ .../eks-grafana/terragrunt.hcl,disable | 38 +++++++++ .../platform-test-x/eks-istio/terragrunt.hcl | 1 + .../eks-k8s-dashboard/terragrunt.hcl.disable | 31 ++++++++ .../eks-kiali.disable/terragrunt.hcl.disable | 77 +++++++++++++++++++ .../eks-loki/terragrunt.hcl.disable | 31 ++++++++ .../eks-prometheus/terragrunt.hcl.disable | 30 ++++++++ .../eks-tempo/terragrunt.hcl.disable | 41 ++++++++++ 10 files changed, 286 insertions(+), 1 deletion(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl,disable create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable diff --git a/.gitignore b/.gitignore index 4b51fc4..4b072ca 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,4 @@ terraform.rc .terragrunt-cache/ backend.tf provider*.tf +remote_state.backend.tf diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 3bf52f9..324ab9f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl 
@@ -10,8 +10,10 @@ locals { cluster_name = "platform-eng-eks-mcm" cluster_version = "1.30" vpc_domain_name = include.root.inputs.vpc_domain_name + vpc_domain_name = include.root.inputs.vpc_domain_name eks_instance_disk_size = 100 eks_vpc_name = include.root.inputs.vpc_name + eks_vpc_name = include.root.inputs.vpc_name eks_ng_desired_size = 2 eks_ng_max_size = 10 eks_ng_min_size = 2 @@ -20,12 +22,14 @@ locals { cluster_endpoint_public_access = true profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region cluster_mailing_list = "matthew.c.morgan@census.gov" environment_abbr = include.root.inputs.environment_abbr + environment_abbr = include.root.inputs.environment_abbr # Tags applied to AWS objects created tags = { - "eks-cluster-name" = local.cluster_name "Environment" = local.environment_abbr "slim:schedule" = "8:00-17:00" "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl new file mode 100644 index 0000000..02eb7fc --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl 
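Review bot: The added `vpc_domain_name`, `eks_vpc_name`, `profile`, `region` and `environment_abbr` lines redefine attributes that already exist a line or two above them in the same `locals` block, and HCL rejects a repeated attribute in one body (`Attribute redefined`), so this commit leaves the mcm cluster config unparseable until PATCH 5/9 removes the duplicates again; squashing the two would keep the series bisectable. The second hunk also drops the `"eks-cluster-name" = local.cluster_name` tag (the eks-test copy does the same in PATCH 5/9); if the module does not tag resources with the cluster name itself, that removes the one tag attributing instances, volumes and ENIs to a cluster in the account, which deserves a line in the commit message. The `locals` block begins before the first hunk.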
@@ -0,0 +1,31 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+terraform {
+ # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git"
+ source = "../../../../../../../tfmod-eks-dns"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ zone_ids = ["Z12345678CA5FV1LIFBC5"]
+ }
+}
+
+inputs = {
+ cluster_name = dependency.eks.inputs.cluster_name
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ subnets = dependency.eks.outputs.subnets
+ tags = dependency.eks.inputs.tags
+ vpc_domain_name = dependency.eks.inputs.vpc_domain_name
+ vpc_id = dependency.eks.outputs.vpc_id
+ vpc_name = dependency.eks.inputs.vpc_name
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl,disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl,disable
new file mode 100644
index 0000000..c2172e8
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-grafana/terragrunt.hcl,disable
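Review bot: `source = "../../../../../../../tfmod-eks-dns"` points seven directories above this file, outside the repository, with the git source commented out, so the module that gets applied is whatever checkout the operator has on disk; the k8s-dashboard and kiali files in this commit use the same pattern, and the git sources used elsewhere (`tfmod-eks-dns.git` without a ref in the three copies added by PATCH 5/9, `?ref=main` in the loki, prometheus and tempo files) are unpinned or track a moving branch. Pinning every `source` to a tag or commit (`?ref=<tag>`) is what makes an apply reproducible and reviewable. Separately, `mock_outputs` supplies only `zone_ids`, while `inputs` reads `dependency.eks.outputs.subnets` and `dependency.eks.outputs.vpc_id`, so a plan that has to fall back on the mocks fails on the missing attributes; the mocks should mirror the outputs actually consumed, e.g. `subnets = []` and `vpc_id = "vpc-00000000"` (constructed placeholders).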
@@ -0,0 +1,38 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+dependency "eks-loki" {
+ config_path = "../eks-loki"
+ mock_outputs = {
+ rwo_storage_class = "gp3-encrypted"
+ }
+}
+# dependency "eks-tempo" {
+# config_path = "../eks-tempo"
+# skip_outputs = true
+# }
+
+inputs = {
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = dependency.eks.inputs.vpc_domain_name
+ rwo_storage_class = dependency.eks-loki.outputs.rwo_storage_class
+ # datasources = dependency.eks-loki.outputs.gateway_internal_endpoint
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl
index 5a30c0e..7ec5357 100644
--- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl
@@ -17,6 +17,7 @@ dependency "eks" {
 cluster_name = "a-cluster-name"
 }
 }
+
 dependency "eks-karpenter" {
 config_path = "../eks-karpenter"
 skip_outputs = true
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable
new file mode 100644
index 0000000..6434120
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable
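Review bot: The new file is named `terragrunt.hcl,disable` with a comma, while every other parked unit in this commit uses `terragrunt.hcl.disable`; Terragrunt ignores both, but the odd suffix escapes a `*.disable` glob or a rename-to-enable step and reads like a typo. Renaming it to `eks-grafana/terragrunt.hcl.disable` keeps the convention. The `tfmod-grafana.git` source also carries no `?ref=` pin, the same reproducibility concern as the eks-dns file in this commit.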
@@ -0,0 +1,31 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+terraform {
+ # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=main"
+ source = "../../../../../../../tfmod-k8s-dashboard"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+dependency "eks-karpenter" {
+ config_path = "../eks-karpenter"
+ skip_outputs = true
+}
+
+inputs = {
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ cluster_name = dependency.eks.outputs.cluster_name
+ # k8s_dashboard_version = "v2.0.0" # NEW IDEA TO START PINNING VERSIONING OF COMPONENT TO TF MODULE VERSION
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable
new file mode 100644
index 0000000..ac0a548
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable
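Review bot: The commented-out git source reads `tfmod-istio.git?ref=main` although this unit wraps `tfmod-k8s-dashboard`, so the breadcrumb a maintainer would follow to switch back from the local path points at the wrong module; it should name the dashboard repository or be deleted. The live `source` is again a local checkout seven levels up, the same reproducibility concern as in the eks-dns file of this commit. `dependency "eks-karpenter"` is declared with `skip_outputs = true` and never referenced in `inputs`, which presumably serves only as an ordering hint; a comment such as `# ordering only: ensure karpenter is up before the dashboard is scheduled` would say so.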
@@ -0,0 +1,77 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" + source = "../../../../../../../tfmod-kiali" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + } +} +dependency "eks-cert-manager" { + config_path = "../eks-cert-manager" + mock_outputs = { + cluster_issuer_name = "acmpca-clusterissuer" + } +} +dependency "eks-prometheus" { + config_path = "../eks-prometheus" + mock_outputs = { + prometheus_server_internal_endpoint = { + hostname = "prometheus-server.prometheus.svc.cluster.local" + port_number = 9090 + url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" + } + } +} +dependency "eks-grafana" { + config_path = "../eks-grafana" + mock_outputs = { + internal_endpoint = { + hostname = "grafana.grafana.svc.cluster.local" + port_number = "80" + url = "https://grafana.grafana.svc.cluster.local:80/" + } + namespace = "grafana" + public_endpoint = { + hostname = "grafana.dev.lab.csp2.census.gov" + port_number = "80" + url = "https://grafana.dev.lab.csp2.census.gov:80/" + } + secret_name = "grafana" + } +} + +inputs = { + profile = include.root.inputs.aws_profile + cluster_domain = dependency.eks.inputs.vpc_domain_name + operators_namespace = dependency.eks.inputs.operators_ns + cluster_name = dependency.eks.outputs.cluster_name + certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name + prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url + grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url + grafana_namespace = dependency.eks-grafana.outputs.namespace + grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url + grafana_secret_name = 
"grafana" + # grafana_secret_name = dependency.eks-grafana.outputs.secret_name + jaeger_internal_url = "" + + + # client_id = var.sso_client_id + # client_secret = var.sso_client_secret + # keycloak_public_url = var.keycloak_public_url + # gogatekeeper_chart_version = var.gogatekeeper_chart_version + # gogatekeeper_registry = var.gogatekeeper_registry + # gogatekeeper_repository = var.gogatekeeper_repository + # gogatekeeper_tag = var.gogatekeeper_tag +} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable new file mode 100644 index 0000000..cc94f7f --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable @@ -0,0 +1,31 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + cluster_name = "a-cluster-name" + oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" + } +} +dependency "eks-istio" { + config_path = "../eks-istio" + skip_outputs = true +} + +inputs = { + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn +} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable new file mode 100644 index 0000000..62611b1 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable 
@@ -0,0 +1,30 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=main"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+
+dependency "eks-istio" {
+ config_path = "../eks-istio"
+ skip_outputs = true
+}
+
+inputs = {
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ cluster_name = dependency.eks.outputs.cluster_name
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable
new file mode 100644
index 0000000..7f3d706
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable
@@ -0,0 +1,41 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=main"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
+ }
+}
+
+dependency "eks-prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus-server.prometheus.svc.cluster.local"
+ port_number = 9090
+ url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
+ }
+ prometheus_namespace = "prometheus"
+ }
+}
+
+inputs = {
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
+ prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
+}
From 0b0ca0ceaf8db75d528c1b481b8e436c8e8c7dd3 Mon Sep 17 00:00:00 2001
From: mcgin314 Date: Fri, 20 Sep 2024 16:47:26 -0400 Subject: [PATCH 5/9] Merge all latest into live TG repository structure --- .../eks-dns/terragrunt.hcl | 30 ++++++++ .../platform-eng-eks-mcm/eks/terragrunt.hcl | 26 +++---- .../eks-dns/terragrunt.hcl | 30 ++++++++ .../platform-eng-eks-test/eks/terragrunt.hcl | 22 +++--- .../platform-test-cicd/eks-dns/terragrunt.hcl | 30 ++++++++ .../vpc/platform-test-cicd/eks/terragrunt.hcl | 15 ++-- .../eks-kiali.disable/terragrunt.hcl | 77 ------------------- .../platform-test-x/eks-tempo/terragrunt.hcl | 1 + .../eks-tempo/terragrunt.hcl.disable | 41 ---------- 9 files changed, 118 insertions(+), 154 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl create mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl new file mode 100644 index 0000000..46d26d8 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl 
@@ -0,0 +1,30 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ zone_ids = ["Z12345678CA5FV1LIFBC5"]
+ }
+}
+
+inputs = {
+ cluster_name = dependency.eks.inputs.cluster_name
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ subnets = dependency.eks.outputs.subnets
+ tags = dependency.eks.inputs.tags
+ vpc_domain_name = dependency.eks.inputs.vpc_domain_name
+ vpc_id = dependency.eks.outputs.vpc_id
+ vpc_name = dependency.eks.inputs.vpc_name
+}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
index 324ab9f..c136bd9 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
@@ -10,10 +10,8 @@ locals {
 cluster_name = "platform-eng-eks-mcm"
 cluster_version = "1.30"
 vpc_domain_name = include.root.inputs.vpc_domain_name
- vpc_domain_name = include.root.inputs.vpc_domain_name
 eks_instance_disk_size = 100
 eks_vpc_name = include.root.inputs.vpc_name
- eks_vpc_name = include.root.inputs.vpc_name
 eks_ng_desired_size = 2
 eks_ng_max_size = 10
 eks_ng_min_size = 2
@@ -22,17 +20,14 @@ locals { cluster_endpoint_public_access = true profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region cluster_mailing_list = "matthew.c.morgan@census.gov" environment_abbr = include.root.inputs.environment_abbr - environment_abbr = include.root.inputs.environment_abbr # Tags applied to AWS objects created tags = { - "Environment" = local.environment_abbr - "slim:schedule" = "8:00-17:00" - "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + "Environment" = local.environment_abbr + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" } } @@ -46,14 +41,13 @@ terraform { } inputs = { - aws_account_id = local.account_id - profile = local.profile - vpc_name = local.eks_vpc_name - cluster_name = local.cluster_name - cluster_version = local.cluster_version - eks_instance_disk_size = local.eks_instance_disk_size - eks_vpc_name = local.eks_vpc_name - # eks_instance_types = local.eks_instance_types + aws_account_id = local.account_id + profile = local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + eks_vpc_name = local.eks_vpc_name eks_ng_desired_size = local.eks_ng_desired_size eks_ng_max_size = local.eks_ng_max_size eks_ng_min_size = local.eks_ng_min_size diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl new file mode 100644 index 0000000..46d26d8 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks-dns/terragrunt.hcl 
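Review bot: `cluster_endpoint_public_access = true` stays on the new side of the first hunk for the mcm cluster, and neither `locals` nor the realigned `inputs` hunk below passes any CIDR allow-list alongside it; unless the module narrows the EKS public-access CIDRs itself (nothing here suggests it does), the Kubernetes API of this GovCloud cluster is reachable from any address and authentication is the only control. If public access is intentional for the lab, an allow-list input next to it, or a comment on the line stating the module default, would make that explicit and reviewable. The `locals` block begins before the first hunk and the `inputs` block continues past the last one.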
@@ -0,0 +1,30 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + zone_ids = ["Z12345678CA5FV1LIFBC5"] + } +} + +inputs = { + cluster_name = dependency.eks.inputs.cluster_name + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + subnets = dependency.eks.outputs.subnets + tags = dependency.eks.inputs.tags + vpc_domain_name = dependency.eks.inputs.vpc_domain_name + vpc_id = dependency.eks.outputs.vpc_id + vpc_name = dependency.eks.inputs.vpc_name +} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl index f2b65d1..90f7104 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-test/eks/terragrunt.hcl @@ -25,10 +25,9 @@ locals { # Tags applied to AWS objects created tags = { - "eks-cluster-name" = local.cluster_name - "Environment" = local.environment_abbr - "slim:schedule" = "8:00-17:00" - "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + "Environment" = local.environment_abbr + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" } } 
@@ -42,14 +41,13 @@ terraform { } inputs = { - aws_account_id = local.account_id - profile = local.profile - vpc_name = local.eks_vpc_name - cluster_name = local.cluster_name - cluster_version = local.cluster_version - eks_instance_disk_size = local.eks_instance_disk_size - eks_vpc_name = local.eks_vpc_name - # eks_instance_types = local.eks_instance_types + aws_account_id = local.account_id + profile = local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + eks_vpc_name = local.eks_vpc_name eks_ng_desired_size = local.eks_ng_desired_size eks_ng_max_size = local.eks_ng_max_size eks_ng_min_size = local.eks_ng_min_size diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl new file mode 100644 index 0000000..46d26d8 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl @@ -0,0 +1,30 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs = { + zone_ids = ["Z12345678CA5FV1LIFBC5"] + } +} + +inputs = { + cluster_name = dependency.eks.inputs.cluster_name + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + subnets = dependency.eks.outputs.subnets + tags = dependency.eks.inputs.tags + vpc_domain_name = dependency.eks.inputs.vpc_domain_name + vpc_id = dependency.eks.outputs.vpc_id + vpc_name = dependency.eks.inputs.vpc_name +} 
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl index 13a37b8..f180390 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl @@ -41,14 +41,13 @@ terraform { } inputs = { - aws_account_id = local.account_id - profile = local.profile - vpc_name = local.eks_vpc_name - cluster_name = local.cluster_name - cluster_version = local.cluster_version - eks_instance_disk_size = local.eks_instance_disk_size - eks_vpc_name = local.eks_vpc_name - # eks_instance_types = local.eks_instance_types + aws_account_id = local.account_id + profile = local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + eks_vpc_name = local.eks_vpc_name eks_ng_desired_size = local.eks_ng_desired_size eks_ng_max_size = local.eks_ng_max_size eks_ng_min_size = local.eks_ng_min_size diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl deleted file mode 100644 index ac0a548..0000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl +++ /dev/null 
@@ -1,77 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" - source = "../../../../../../../tfmod-kiali" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - } -} -dependency "eks-cert-manager" { - config_path = "../eks-cert-manager" - mock_outputs = { - cluster_issuer_name = "acmpca-clusterissuer" - } -} -dependency "eks-prometheus" { - config_path = "../eks-prometheus" - mock_outputs = { - prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" - port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" - } - } -} -dependency "eks-grafana" { - config_path = "../eks-grafana" - mock_outputs = { - internal_endpoint = { - hostname = "grafana.grafana.svc.cluster.local" - port_number = "80" - url = "https://grafana.grafana.svc.cluster.local:80/" - } - namespace = "grafana" - public_endpoint = { - hostname = "grafana.dev.lab.csp2.census.gov" - port_number = "80" - url = "https://grafana.dev.lab.csp2.census.gov:80/" - } - secret_name = "grafana" - } -} - -inputs = { - profile = include.root.inputs.aws_profile - cluster_domain = dependency.eks.inputs.vpc_domain_name - operators_namespace = dependency.eks.inputs.operators_ns - cluster_name = dependency.eks.outputs.cluster_name - certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name - prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url - grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url - grafana_namespace = dependency.eks-grafana.outputs.namespace - grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url - grafana_secret_name = 
"grafana" - # grafana_secret_name = dependency.eks-grafana.outputs.secret_name - jaeger_internal_url = "" - - - # client_id = var.sso_client_id - # client_secret = var.sso_client_secret - # keycloak_public_url = var.keycloak_public_url - # gogatekeeper_chart_version = var.gogatekeeper_chart_version - # gogatekeeper_registry = var.gogatekeeper_registry - # gogatekeeper_repository = var.gogatekeeper_repository - # gogatekeeper_tag = var.gogatekeeper_tag -} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl index 7f3d706..c52ffc3 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl @@ -32,6 +32,7 @@ dependency "eks-prometheus" { } inputs = { + aws_account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable deleted file mode 100644 index 7f3d706..0000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-tempo/terragrunt.hcl.disable +++ /dev/null 
@@ -1,41 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=main" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" - } -} - -dependency "eks-prometheus" { - config_path = "../eks-prometheus" - mock_outputs = { - prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" - port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" - } - prometheus_namespace = "prometheus" - } -} - -inputs = { - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - cluster_name = dependency.eks.outputs.cluster_name - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn - prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number - prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace -} From f20d9fdd998f73525ceb0490de67b03211c97a1d Mon Sep 17 00:00:00 2001 From: mcgin314 Date: Fri, 20 Sep 2024 16:53:10 -0400 Subject: [PATCH 6/9] Remove cluster-name tag from platform-test-x --- .../us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl | 1 - 1 file changed, 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl index c899802..c72e12c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks/terragrunt.hcl 
@@ -25,7 +25,6 @@ locals { # Tags applied to AWS objects created tags = { - "eks-cluster-name" = local.cluster_name "Environment" = local.environment_abbr "slim:schedule" = "8:00-17:00" "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" From b98a02688fdbc972a9c16473c0bae5a3df41de85 Mon Sep 17 00:00:00 2001 From: Matthew Creal Morgan Date: Wed, 9 Oct 2024 17:07:06 -0700 Subject: [PATCH 7/9] Apply suggestions from code review --- .../vpc/platform-test-x/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/platform-test-x/eks-config/terragrunt.hcl | 2 +- .../us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl | 3 +-- .../us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl | 2 +- .../vpc/platform-test-x/eks-karpenter/terragrunt.hcl | 2 +- .../platform-test-x/eks-kiali.disable/terragrunt.hcl.disable | 3 +-- .../us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl | 2 +- .../vpc/platform-test-x/eks-loki/terragrunt.hcl.disable | 2 +- .../vpc/platform-test-x/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/platform-test-x/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable | 2 +- 11 files changed, 11 insertions(+), 13 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl index 1448ac8..f72b39f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-cert-manager/terragrunt.hcl @@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] 
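Review bot: Removing `"eks-cluster-name" = local.cluster_name` from `local.tags` silently changes the tag set on every AWS object the eks module creates, and the commit gives no reason. If an IAM policy condition, cost-allocation report or discovery filter keys on that tag it will stop matching without any plan-time error. Presumably the tag is redundant with one the tfmod-eks module applies itself; if so, a one-line comment such as `# cluster name tag is applied by tfmod-eks; do not duplicate it here` would stop the next reader from re-adding it. The enclosing `locals` block continues outside the hunk.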
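Review bot: Dropping `?ref=main` from the tfmod-cert-mgr source leaves the module unpinned, so `source` now resolves to whatever the remote's default branch points at when terragrunt runs; the same change is applied to all eleven files in this patch. `ref=main` was already a moving target, but removing it entirely makes the dependency implicit and means two applies of the same commit can deploy different module code, which matters for the component that issues cluster certificates. Pin each source to an immutable ref, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=v1.2.3"` (or a full commit SHA), and bump it deliberately through review. If the intent is that the lab environment always tracks the default branch, a comment saying so on the `source` line would make that choice visible.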
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl index 84bb1ff..7c6a172 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-config/terragrunt.hcl @@ -8,7 +8,7 @@ include "root" { # } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl index 02eb7fc..46d26d8 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-dns/terragrunt.hcl @@ -4,8 +4,7 @@ include "root" { } terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git" - source = "../../../../../../../tfmod-eks-dns" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl index fc9d515..c1190ab 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-istio/terragrunt.hcl 
@@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl index 982e1d7..a6e5264 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-karpenter/terragrunt.hcl @@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable index ac0a548..3dabd56 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-kiali.disable/terragrunt.hcl.disable @@ -4,8 +4,7 @@ include "root" { } terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" - source = "../../../../../../../tfmod-kiali" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] 
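Review bot: The kiali source this hunk replaces was commented as `?ref=mcmCluster`, and the new `tfmod-kiali.git` carries no ref at all, so the config now fetches the remote default branch rather than the branch the local checkout was tracking. If the mcmCluster changes have not been merged, re-enabling this file will pull a module without them; if they have, the pin should say which tag or commit is intended, e.g. `...tfmod-kiali.git?ref=<tag-or-sha>`. This file is still `.disable`, so nothing applies today, but the drift will surface the moment it is renamed back.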
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl index cc94f7f..069f967 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl @@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable index cc94f7f..069f967 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-loki/terragrunt.hcl.disable @@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl index 5414a72..010e61a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-metrics-server/terragrunt.hcl 
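Review bot: `eks-loki/terragrunt.hcl` and `eks-loki/terragrunt.hcl.disable` are byte-identical copies — both hunks show the same blob ids `cc94f7f..069f967` — so this patch has to edit them in lockstep, and the next source or input change can easily land in only one of them. Keeping a second full copy next to the live file adds nothing: delete the `.disable` duplicate, or if a toggle is wanted, document the convention in the repo so it is applied consistently. The eks-prometheus pair in the following hunks shows the same duplication.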
@@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl index 62611b1..308ade0 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl @@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable index 62611b1..308ade0 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-prometheus/terragrunt.hcl.disable @@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] From 62dbdf3b9db6d03e51710ff330e4197c5d10dda8 Mon Sep 17 00:00:00 2001 
From: Matthew Creal Morgan Date: Wed, 9 Oct 2024 17:07:48 -0700 Subject: [PATCH 8/9] Update lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index d98c239..a90d330 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl @@ -32,7 +32,7 @@ locals { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] From 95312a4bd770573c8b4c0b72e37225429fd8ca1c Mon Sep 17 00:00:00 2001 From: Matthew Creal Morgan Date: Wed, 9 Oct 2024 17:10:15 -0700 Subject: [PATCH 9/9] Apply suggestions from code review --- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +- .../platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index 7f3d706..eaf268b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl 
@@ -4,7 +4,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=main" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable index 6434120..7004f22 100644 --- a/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable +++ b/lab/development/us-gov-east-1/vpc/platform-test-x/eks-k8s-dashboard/terragrunt.hcl.disable @@ -4,8 +4,8 @@ include "root" { } terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=main" - source = "../../../../../../../tfmod-k8s-dashboard" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git" + # source = "../../../../../../../tfmod-k8s-dashboard" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"]
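Review bot: The k8s-dashboard hunk keeps the relative checkout path `# source = "../../../../../../../tfmod-k8s-dashboard"` as a commented-out alternative below the remote source, where the rest of this series removes such lines. A commented local path is easy to flip back on and commit, and it silently depends on a sibling clone at a fixed depth outside the repo. Either drop the line or label it as a local-dev override (`# local dev only: uncomment to test an unpushed module checkout`), and give the remote source a `?ref=` so the dashboard module is pinned like any other.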